Identities auto lookup in Splunk Enterprise Security

vikashumble
Explorer

Hello All,

I have a question which I am not able to find an answer for, hence I am looking for ideas, suggestions, etc. from fellow community members.

We use Splunk Enterprise Security in our organization and I am trying to build a correlation search for generating a finding (or intermediate finding) in Mission Control based on Microsoft Defender incidents. As I am sure you know, a Microsoft Defender incident is a combination of different alerts and it can include multiple entities. I have a search which gives me all the details, but I am struggling to auto-populate the identities data from the Splunk identities lookup. Sample data below.

My questions are:

  1. How can I enrich the identities in the incident with Splunk ES identities data?
  2. Is this not the right way to create this search? My objective is to have a finding in Splunk ES if Defender generates any incident.
  3. Assuming this works somehow, how can I create the drill-down searches so that they give the SOC the ability to see supporting data (such as sign-in logs for a user, say user1), as this is a multi-value field?
  4. Should I use Defender alerts (as opposed to incidents) to create an intermediate finding and then let Splunk run the risk-based rules to trigger a finding based on this? Alerts can have multiple entities (users, IPs, devices, etc.) as well, so I might end up with similar issues again.
  5. Any other suggestions which others would have implemented?
Sample data (one incident; identities is a multi-value field):

incidentId:        123456
incidentUri:       https://security.microsoft.com/incidents/123456?tid=XXXXXXX
incidentName:      Email reported by user as malware or phish involving multiple users
alertId(s):        1a2b3c4d
alerts_count:      1
category:          InitialAccess
createdTime:       2025-05-08T09:43:20.95Z
identities:        ip1, user1, user2, user3, mailbox1
identities_count:  6
serviceSource(s):  MicrosoftDefenderForOffice

Thanks
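One way to get the multi-value enrichment the post asks about, as an added example that is not from the original thread and not Splunk's own content: expand the multi-value `identities` field to one row per entity, run the ES identity and asset lookups on that single-value column, then collapse the rows back to one row per incident. The index, sourcetype and event field names (`alertIds`, `serviceSource`, written without the parentheses shown in the sample table) are assumptions about how the add-on names them; the lookups `identity_lookup_expanded` (keyed on `identity`) and `asset_lookup_by_str` (keyed on `asset`) and the `priority`, `bunit` and `watchlist` columns are the standard SA-IdentityManagement lookups and identity/asset CSV columns, and the IPv4 regex used to tell an asset from an identity is a deliberately simple assumption you would extend for hostnames or mailboxes.

```spl
index=defender sourcetype="ms:defender:incident"
| fields incidentId incidentUri incidentName alertIds alerts_count category createdTime identities identities_count serviceSource
| mvexpand identities
| rename identities AS entity
| eval entity_type=if(match(entity, "^(\d{1,3}\.){3}\d{1,3}$"), "asset", "identity")
| lookup identity_lookup_expanded identity AS entity OUTPUTNEW priority AS identity_priority, bunit AS identity_bunit, watchlist AS identity_watchlist
| lookup asset_lookup_by_str asset AS entity OUTPUTNEW priority AS asset_priority, bunit AS asset_bunit
| eval entity_priority=coalesce(identity_priority, asset_priority), entity_bunit=coalesce(identity_bunit, asset_bunit)
| eval priority_rank=case(entity_priority="critical", 5, entity_priority="high", 4, entity_priority="medium", 3, entity_priority="low", 2, entity_priority="informational", 1, true(), 0)
| eval unmatched=if(isnull(entity_priority), entity, null())
| stats values(entity) AS identities, values(eval(if(entity_type="identity", entity, null()))) AS user, values(eval(if(entity_type="asset", entity, null()))) AS src, values(entity_bunit) AS bunit, values(identity_watchlist) AS watchlist, values(unmatched) AS unmatched_entities, max(priority_rank) AS priority_rank, dc(entity) AS identities_count, first(incidentUri) AS incidentUri, first(incidentName) AS incidentName, first(alertIds) AS alertIds, first(alerts_count) AS alerts_count, first(category) AS category, first(createdTime) AS createdTime, first(serviceSource) AS serviceSource BY incidentId
| eval priority=case(priority_rank=5, "critical", priority_rank=4, "high", priority_rank=3, "medium", priority_rank=2, "low", priority_rank=1, "informational", true(), "unknown")
| eval risk_score=case(priority="critical", 100, priority="high", 80, priority="medium", 60, priority="low", 40, true(), 20)
```

The `stats ... BY incidentId` step is what keeps one finding per Defender incident: the per-entity rows only exist between `mvexpand` and `stats`, and `max(priority_rank)` carries the highest-priority matched entity back onto the incident so a risk or finding action can use it. Entities that matched neither lookup end up in `unmatched_entities`, which is worth surfacing in the finding because a silent non-match is exactly the failure the original single-field auto-enrichment produces. Splitting the entities into a `user` and a `src` field also gives a drill-down search a single field to pivot on per entity type, and the same search runs unchanged against the alert sourcetype if you decide to build intermediate findings from alerts instead of incidents. `mvexpand` is bounded by `max_mem_usage_mb` in limits.conf; with a handful of entities per incident that is not a concern, but it is the first thing to check if rows go missing.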

vikashumble
Explorer

Hello @livehybrid ,

Thanks for your response.

Below are the answers to your questions.

Have you got your Assets and Identities lookups configured in ES?

--> Yes, we have configured it and it is working as expected for single-value fields which contain assets and/or identities. It just doesn't work properly (or maybe this is the intended behavior) for fields which contain assets and/or identities as multi-value fields.

Regarding how to actually implement Defender alerts, this really depends on your use-cases and what you are wanting to achieve. Do you want an incident for every alert in Defender, or based on thresholds etc.?

--> I want to have a Defender incident in Splunk as a finding. And as you know, a Defender incident is a collection of alerts and hence it contains a collection of identities and assets in a single field. I just want to know how I can enrich these multi-value assets and identities fields (coming from Defender) using the Splunk ES identities lookup.

Have you looked into the Splunk Enterprise Security Content Update app or Splunk Security Essentials? These contain a bunch of detections which you might be able to leverage. Defender Alerts are specifically listed as a datasource: https://research.splunk.com/sources/91738e9e-d112-41c9-b91b-e5868d8993d7/

--> I am not looking for a search, as I already have one, and the one you mentioned is targeting advanced hunting data. I get the data from the standard Microsoft Security add-on, which you can hook into the Defender API to fetch Defender incidents. I am specifically looking for ideas and suggestions on how a multi-value identity field works in Splunk ES.

Hope this answers the questions you were having. 🙂

Thanks

livehybrid
Super Champion

Hi @vikashumble 

Have you got your Assets and Identities lookups configured in ES?

Ensure you have enabled Assets and Identities automatic enrichment for the relevant sourcetypes (or all sourcetypes) - See https://docs.splunk.com/Documentation/ES/8.0.2/Admin/ManageAssetIdentityToEnrichNotables

See https://docs.splunk.com/Documentation/ES/8.0.40/Admin/ManageIdentityLookupConfigPolicy for more info on how to add/manage identity lookups

Regarding how to actually implement Defender alerts, this really depends on your use-cases and what you are wanting to achieve. Do you want an incident for every alert in Defender, or based on thresholds etc.?

Have you looked into the Splunk Enterprise Security Content Update app or Splunk Security Essentials? These contain a bunch of detections which you might be able to leverage. Defender Alerts are specifically listed as a datasource: https://research.splunk.com/sources/91738e9e-d112-41c9-b91b-e5868d8993d7/
