SA-AzureResources: Technical Guide and Documentation
SA-AzureResources populates a KV Store with asset information that the Splunk Add-on for Microsoft Cloud Services collects from Azure. This supporting add-on ships out-of-the-box saved searches and KV Store lookups for integrating that data with the Splunk Enterprise Security (ES) Assets and Identities framework.
High-Level Configuration Guide
- The Splunk Add-on for Microsoft Cloud Services collects the Azure resource information on a scheduled interval
- Update, edit and schedule the saved search within this app to populate the KV Stores
- Once the KV Stores are populated, add them to Assets & Identities (A&I)
Installation Guide
SA-AzureResources Installation
Where to Install SA-AzureResources?
- ES Search Head
Pre-Requisite Configuration
- Step 1: Configure an Azure app registration and configure the account within the Splunk Add-on for Microsoft Cloud Services following this documentation
- Step 2: Add Azure Resource inputs for the following resource types:
  - Virtual Machines
  - Network Interfaces
  - Public IPs
SA-AzureResources Configuration
- Step 1: Update the macro sa_azure_assets to include the applicable index
- Step 2: Update the saved search "Update Azure Resources - KV Store" to include your custom categories and prioritisation
- Step 3: Enable the saved search "Update Azure Resources - KV Store" so that it continues to populate the KV Store with up-to-date information
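As an added example of what the saved search has to produce, the Python below (not code from SA-AzureResources or the Splunk Add-on for Microsoft Cloud Services) joins constructed virtual machine, network interface and public IP records into lookup rows that carry the A&I key fields (ip, mac, nt_host, dns) and the custom fields this page adds later (operatingSystem, operatingSystemVersion, location). The record shapes follow Azure Resource Manager JSON and are an assumption to verify against the events in your own index; the pipe delimiter for multivalue lookup fields is the ES convention.

```python
"""Build asset lookup rows from Azure resource records.

Added example, not code from SA-AzureResources or the Splunk Add-on for
Microsoft Cloud Services. The sample records are constructed to follow the
Azure Resource Manager JSON for virtual machines, network interfaces and
public IP addresses; the exact field names the add-on indexes are an
assumption to verify against the events in your own index.
"""

RG = "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Network"
MV_DELIMITER = "|"  # ES asset lookups carry multivalue fields pipe-delimited

# Constructed sample: web01 has a NIC with a private and a public IP;
# db01's NIC was not collected, which the builder must tolerate.
VIRTUAL_MACHINES = [
    {"name": "web01", "location": "uksouth", "properties": {
        "osProfile": {"computerName": "web01"},
        "storageProfile": {"osDisk": {"osType": "Linux"}, "imageReference": {"sku": "22_04-lts"}},
        "networkProfile": {"networkInterfaces": [{"id": RG + "/networkInterfaces/web01-nic"}]}}},
    {"name": "db01", "location": "uksouth", "properties": {
        "osProfile": {"computerName": "db01"},
        "storageProfile": {"osDisk": {"osType": "Windows"}, "imageReference": {"sku": "2022-datacenter"}},
        "networkProfile": {"networkInterfaces": [{"id": RG + "/networkInterfaces/db01-nic"}]}}},
]
NETWORK_INTERFACES = [
    {"id": RG + "/networkInterfaces/web01-nic", "properties": {
        "macAddress": "00-0D-3A-11-22-33",  # Azure reports hyphen-separated MACs
        "ipConfigurations": [{"properties": {
            "privateIPAddress": "10.0.1.4",
            "publicIPAddress": {"id": RG + "/publicIPAddresses/web01-pip"}}}]}},
]
PUBLIC_IPS = [
    {"id": RG + "/publicIPAddresses/web01-pip", "properties": {
        "ipAddress": "20.50.60.70",
        "dnsSettings": {"fqdn": "web01-prod.uksouth.cloudapp.azure.com"}}},
]


def normalise_mac(mac):
    """Azure gives 00-0D-3A-...; ES key matching is assumed to want 00:0d:3a:... ."""
    return mac.replace("-", ":").lower() if mac else ""


def build_asset_rows(vms, nics, pips, category="azure", priority="medium"):
    """Join VM -> NIC -> public IP on resource id; one lookup row per VM.

    Each row carries the A&I key fields (ip, mac, nt_host, dns), the custom
    fields the page adds (operatingSystem, operatingSystemVersion, location)
    and the category/priority the saved search is meant to assign.
    Azure resource ids are matched case-insensitively.
    """
    nic_by_id = {n["id"].lower(): n for n in nics}
    pip_by_id = {p["id"].lower(): p for p in pips}
    rows = []
    for vm in vms:
        props = vm["properties"]
        ips, macs, dns = [], [], []
        for ref in props.get("networkProfile", {}).get("networkInterfaces", []):
            nic = nic_by_id.get(ref["id"].lower())
            if nic is None:
                continue  # NIC not collected: the VM still gets a row keyed on nt_host
            nic_props = nic["properties"]
            macs.append(normalise_mac(nic_props.get("macAddress")))
            for cfg in nic_props.get("ipConfigurations", []):
                cfg_props = cfg.get("properties", {})
                if cfg_props.get("privateIPAddress"):
                    ips.append(cfg_props["privateIPAddress"])
                pip_ref = cfg_props.get("publicIPAddress", {}).get("id", "")
                pip = pip_by_id.get(pip_ref.lower())
                if pip:
                    ips.append(pip["properties"]["ipAddress"])
                    fqdn = pip["properties"].get("dnsSettings", {}).get("fqdn")
                    if fqdn:
                        dns.append(fqdn)
        storage = props.get("storageProfile", {})
        rows.append({
            "ip": MV_DELIMITER.join(ips),
            "mac": MV_DELIMITER.join(m for m in macs if m),
            "nt_host": props.get("osProfile", {}).get("computerName", vm["name"]),
            "dns": MV_DELIMITER.join(dns),
            "operatingSystem": storage.get("osDisk", {}).get("osType", ""),
            "operatingSystemVersion": storage.get("imageReference", {}).get("sku", ""),
            "location": vm.get("location", ""),
            "category": category,
            "priority": priority,
        })
    return rows


if __name__ == "__main__":
    for row in build_asset_rows(VIRTUAL_MACHINES, NETWORK_INTERFACES, PUBLIC_IPS):
        print(row)
```

The VM without a collected NIC still gets a row keyed on nt_host rather than being dropped, which is the behaviour you want from the saved search: a partially described asset is still matchable on hostname, and the empty ip and mac fields never link it to another asset during the A&I merge.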
SA-AzureResources ES Configuration
Once the Azure resource data has been onboarded and the saved search has populated the SA-AzureResources KV Store from it, the following steps guide the integration of the SA-AzureResources KV Store lookup with the Splunk Enterprise Security Assets & Identities framework.
Adding the KV Store Lookups to ES Assets & Identities
ES > Configure > Data Enrichment > Asset & Identity Management
Asset Fields
Fields listed in the Asset Fields section are added to the raw events as part of the A&I enrichment.
Asset Fields > Add New Field
Ensure all of the following additional fields have been included:
- operatingSystem (tag)
- operatingSystemVersion
- location (tag, mv)
Asset Lookups
Asset Lookups > New > New Configuration
- Source: azure_assets
The key fields (ip, mac, nt_host, dns) are merged together into the asset field during the A&I merge, which is why the asset field does not need to be added to the lookup itself. The key fields are also used to merge entries across all asset lookups that share a common value. When a value in the asset field matches a value in one of the fields src, dest or dvc, A&I enriches the raw event. Further reading on how to configure A&I can be found here.
SA-AzureResources Troubleshooting Guide
ES > Configure > Data Enrichment > Asset & Identity Management > Search Preview
First, run through the preview searches to look for issues within the merged data. This step is especially important when merging multiple different lookup sources. The preview searches can be copied from the Search Preview tab within A&I.
Merging Issues
Merging is returning more results than expected
- Check that the fields are named correctly
Merging is occurring on unintentional field values, like an unknown MAC address
- Add an exclusion for the unknown value, so a placeholder shared by many assets can no longer link them
Search preview looks fine, however the lookup does not
- Your changes have worked; reset the collections so the lookup is rebuilt from the corrected sources
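To make the over-merge concrete, here is an added Python model of the key-field merge (it is not Splunk's implementation, only the rule this page states): rows from any asset lookup that share a value in ip, mac, nt_host or dns are merged, and the union of their key values becomes the asset field. The lookup names, the rows and the placeholder MAC address are constructed; the exclusion is modelled as dropping the value before the merge, which is what filtering it out of the lookup search achieves.

```python
"""Model of the A&I key-field merge: reproduce the over-merge caused by a
placeholder value and show what excluding that value does.

Added example, not Splunk's merge code. Rows from any asset lookup that share
a value in a key field are merged, and the union of their key values becomes
the asset field. Lookup names, rows and the placeholder MAC are constructed.
"""

KEY_FIELDS = ("ip", "mac", "nt_host", "dns")
MV_DELIMITER = "|"  # multivalue delimiter used in ES asset lookups

# Constructed rows from two asset lookups. azure_assets reports the same
# placeholder MAC for three unrelated VMs; cmdb_assets knows web01 by IP only.
ROWS = [
    {"source": "azure_assets", "ip": "10.0.1.4", "mac": "00:00:00:00:00:00", "nt_host": "web01", "dns": ""},
    {"source": "azure_assets", "ip": "10.0.2.5", "mac": "00:00:00:00:00:00", "nt_host": "db01", "dns": ""},
    {"source": "azure_assets", "ip": "10.0.3.6", "mac": "00:00:00:00:00:00", "nt_host": "app01", "dns": ""},
    {"source": "cmdb_assets", "ip": "10.0.1.4", "mac": "", "nt_host": "", "dns": "web01.example.net"},
]

# Exclusion list (constructed): values that must never link two rows.
EXCLUSIONS = {"mac": {"00:00:00:00:00:00"}}


def key_values(row, field, exclusions):
    """Lower-cased, de-duplicated values of one key field, excluded values dropped."""
    out = []
    for value in (row.get(field) or "").split(MV_DELIMITER):
        value = value.strip().lower()
        if value and value not in exclusions.get(field, ()) and value not in out:
            out.append(value)
    return out


def merge_assets(rows, exclusions=None):
    """Union-find over rows: rows sharing any un-excluded key value form one asset."""
    exclusions = exclusions or {}
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (field, value) -> index of the first row carrying it
    for idx, row in enumerate(rows):
        for field in KEY_FIELDS:
            for value in key_values(row, field, exclusions):
                if (field, value) in first_seen:
                    parent[find(idx)] = find(first_seen[(field, value)])
                else:
                    first_seen[(field, value)] = idx

    groups = {}
    for idx, row in enumerate(rows):
        groups.setdefault(find(idx), []).append(row)

    merged = []
    for members in groups.values():
        asset = {"sources": sorted({m["source"] for m in members})}
        for field in KEY_FIELDS:
            values = []
            for member in members:
                for value in key_values(member, field, exclusions):
                    if value not in values:
                        values.append(value)
            asset[field] = values
        # the merged A&I asset field is the union of every key-field value
        asset["asset"] = [v for field in KEY_FIELDS for v in asset[field]]
        merged.append(asset)
    return merged


if __name__ == "__main__":
    print("without exclusion:", len(merge_assets(ROWS)), "asset(s)")
    for asset in merge_assets(ROWS, EXCLUSIONS):
        print("with exclusion:", asset["sources"], asset["asset"])
```

Without the exclusion the three VMs collapse into one asset through the shared placeholder MAC, and the CMDB row is pulled into the same asset via its IP, so any event with dest=10.0.2.5 would be enriched with web01's hostname. With the exclusion, only the intended merge remains: the two web01 rows join on 10.0.1.4 and db01 and app01 stay separate. The same check can be run against the output of the A&I search preview before resetting the collections.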
Identify merging errors
index=_internal source=*entity*.log
Raw logs not being enriched
Ensure A&I Lookups are enabled
ES > Configure > Data Enrichment > Asset & Identity Management > Correlation Setup
Lookup may contain incorrect values in the listed fields
- Asset Lookups: ip, mac, nt_host, dns
- Identity Lookup: identity (ensure the values are all being merged into the identity field from the desired source fields, i.e. email, sAMAccountName, userPrincipalName, downLevelDomainName)
Raw events may not have correctly named fields which match a value in the asset / identity field
- Asset Fields: src, dest, dvc
- Identity Fields: user, src_user
- Note: the field names must be named exactly as above; an address held in any other field is never matched
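As an added check for the field-naming rule (this is not ES code), the Python below matches constructed events against a constructed merged asset table on src, dest and dvc only, so an event that carries the address in a differently named field is reported as unenriched. The <field>_<column> naming of the added fields follows the ES convention for enriched fields (for example dest_nt_host); case-insensitive matching is an assumption of this model.

```python
"""Check which raw events an A&I asset table would enrich.

Added example, not ES code. It applies the page's rule: an event is enriched
only when src, dest or dvc holds a value present in an asset's merged asset
field. The asset table and events are constructed; the <field>_<column>
output naming follows the ES convention, and matching is assumed to be
case-insensitive.
"""

MATCH_FIELDS = ("src", "dest", "dvc")
ENRICH_COLUMNS = ("nt_host", "category", "priority")

# Constructed merged asset table, as A&I would hold it after the merge.
ASSETS = [
    {"asset": ["10.0.1.4", "20.50.60.70", "web01", "web01-prod.uksouth.cloudapp.azure.com"],
     "nt_host": "web01", "category": "azure|web", "priority": "high"},
    {"asset": ["10.0.2.5", "db01"],
     "nt_host": "db01", "category": "azure|database", "priority": "critical"},
]

# Constructed events: the first matches on dest, the second on dvc, and the
# third carries the address in a non-standard field and is never enriched.
EVENTS = [
    {"_raw": "conn from 203.0.113.9 to 10.0.1.4:443", "src": "203.0.113.9", "dest": "10.0.1.4"},
    {"_raw": "ssh login on DB01", "dvc": "DB01"},
    {"_raw": "flow to 10.0.1.4", "destination_ip": "10.0.1.4"},
]


def build_index(assets):
    """Map every asset value (lower-cased) to the asset row that carries it."""
    index = {}
    for asset in assets:
        for value in asset["asset"]:
            index[value.lower()] = asset
    return index


def enrich(event, index):
    """Return a copy of the event with <field>_<column> fields for every match."""
    out = dict(event)
    for field in MATCH_FIELDS:
        value = event.get(field)
        asset = index.get(value.lower()) if value else None
        if asset is None:
            continue  # value absent, or not known to any asset: nothing added
        out[f"{field}_asset"] = list(asset["asset"])
        for column in ENRICH_COLUMNS:
            out[f"{field}_{column}"] = asset[column]
    return out


def unenriched(events, index):
    """Events that match no asset on src, dest or dvc: the ones to troubleshoot."""
    return [e for e in events if not any(k.endswith("_asset") for k in enrich(e, index))]


if __name__ == "__main__":
    index = build_index(ASSETS)
    for event in EVENTS:
        print(enrich(event, index))
    print("unenriched:", [e["_raw"] for e in unenriched(EVENTS, index)])
```

The third event is the case this section is about: the asset table is correct and the lookup is enabled, yet nothing is added because the value sits in destination_ip rather than dest. The fix belongs in the sourcetype's field aliases or the data model mapping, not in A&I.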
Overlapping Naming Conventions and IP Addressing Schemes
- Enable Entity Zones