
SA-AzureResources (SA-AzureResources) ES Configuration

Once the Azure Resource data has been onboarded and the SA-AzureResources KV Stores have been populated with dynamic Active Directory data, the following steps guide the integration of the SA-AzureResources KV Store lookup with the Splunk Enterprise Security (ES) Assets & Identities (A&I) framework.

Adding the KV Store Lookups to ES Assets & Identities

ES > Configure > Data Enrichment > Asset & Identity Management

Asset Fields

Fields present in the asset fields section will be added to the raw logs as part of the A&I enrichment.

Asset Fields > Add New Field


Ensure all the additional fields have been included:

  • operatingSystem (tag)
  • operatingSystemVersion
  • location (tag, mv)

Asset Lookups

Asset Lookups > New > New Configuration


  • Source: azure_assets

New Identity Configuration

Each of the key fields listed is merged into the asset field during the A&I merge, which is why the asset field itself did not need to be added to the lookup. The key fields are also used to merge entries across all asset lookups that share a common value. When the value of the asset field matches a value in one of the fields src, dest or dvc, A&I enriches the raw event. Further reading on how to configure A&I can be found here.
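As an added verification search (not part of the app's own documentation), the SPL below checks that the azure_assets lookup named above is ready for the A&I merge: every entry should carry at least one of the standard ES asset key fields (ip, nt_host, dns, mac are assumed here to be the key fields in use), and the three custom fields should be populated, with location allowed to be multivalue.

```spl
| inputlookup azure_assets
| eval has_key = if(isnotnull(ip) OR isnotnull(nt_host) OR isnotnull(dns) OR isnotnull(mac), 1, 0)
| eval has_os = if(isnotnull(operatingSystem) AND isnotnull(operatingSystemVersion), 1, 0)
| eval has_location = if(isnotnull(location), 1, 0)
| eval location_values = mvcount(location)
| stats count AS total_entries,
        sum(has_key) AS entries_with_key_field,
        sum(has_os) AS entries_with_os_fields,
        sum(has_location) AS entries_with_location,
        max(location_values) AS max_locations_per_entry
| eval entries_without_key_field = total_entries - entries_with_key_field
```

Entries counted in entries_without_key_field can never match src, dest or dvc and so will never enrich an event; a max_locations_per_entry above 1 confirms that the mv setting on location is needed. Replacing azure_assets with the merged ES asset lookup (assumed to be asset_lookup_by_str) runs the same check on the post-merge table.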