
SA-EntraID ES Configuration

Once the Entra ID user data has been onboarded and the SA-EntraID KV Store lookups have been populated with the directory data, the following steps integrate those lookups with the Splunk Enterprise Security (ES) Assets & Identities (A&I) framework.

Adding the KV Store Lookups to ES Assets & Identities

ES > Configure > Data Enrichment > Asset & Identity Management

Identity Fields

Fields listed in the Identity Fields section become part of the merged identity lookup and are appended to matching events at search time as part of the A&I enrichment (the raw events themselves are not modified).

Identity Fields > Add New Field


Ensure all of the following additional fields have been added:

  • dn
  • domain (tag)
  • downLevelDomainName
  • id
  • objectSid
  • sAMAccountName
  • title
  • userPrincipalName

Identity Lookups

Identity Lookups > New > New Configuration


  • Source: entra_id_identities
  • Select Convention: Email
  • Custom Conventions:
      • downLevelDomainName()
      • id()
      • objectSid()
      • sAMAccountName()
      • userPrincipalName()

New Identity Configuration

During the A&I merge, each custom convention generates an additional value in the identity field of the merged identity lookup. An event is then matched to a user when the value of its user or src_user field equals one of those identity values. Further reading on configuring A&I is available in the Splunk Enterprise Security documentation.

Troubleshooting tip: if a custom convention cannot be added, the field must first be defined in the Identity Fields section of the A&I configuration; only fields listed there can be used as custom conventions.
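The following Python is an added example, not code from SA-EntraID or Splunk ES. It models the merge described above: each identity record is expanded through the convention list into a set of identity values, and an event's user or src_user field is matched against that set. The sample records are constructed, and the convention syntax it implements (`field()` for the whole value, `field(n)` for the first n characters, literal text between tokens, plus the built-in `email` and `email_short`) and the case-insensitive matching are assumptions about ES behaviour, not something the page states. It goes one step beyond the page by also reporting identity values that more than one record produces.

```python
"""Model of the ES A&I identity merge and user / src_user matching.
Added example only: not SA-EntraID or Splunk ES code."""
import re

# Constructed sample records shaped like the entra_id_identities KV store.
# Field names beyond those listed on the page (email, first, last) are assumed.
ENTRA_ID_IDENTITIES = [
    {"email": "jane.doe@example.com", "first": "Jane", "last": "Doe",
     "dn": "CN=Jane Doe,OU=Users,DC=example,DC=com", "domain": "example.com",
     "downLevelDomainName": "EXAMPLE",
     "id": "11111111-1111-1111-1111-111111111111",
     "objectSid": "S-1-5-21-1111-2222-3333-1001", "sAMAccountName": "jdoe",
     "title": "Security Engineer", "userPrincipalName": "jane.doe@example.com"},
    {"email": "john.roe@example.com", "first": "John", "last": "Roe",
     "dn": "CN=John Roe,OU=Users,DC=example,DC=com", "domain": "example.com",
     "downLevelDomainName": "EXAMPLE",
     "id": "22222222-2222-2222-2222-222222222222",
     "objectSid": "S-1-5-21-1111-2222-3333-1002", "sAMAccountName": "jroe",
     "title": "SOC Analyst", "userPrincipalName": "john.roe@example.com"},
]

# Convention list from the page: the built-in "email" plus the custom conventions.
PAGE_CONVENTIONS = ["email", "downLevelDomainName()", "id()", "objectSid()",
                    "sAMAccountName()", "userPrincipalName()"]

# Custom convention syntax (assumed): field() = whole value, field(n) = first n
# characters; text between tokens is copied literally, e.g. first(1).last().
TOKEN = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\((\d*)\)")


def expand_convention(record, convention):
    """Identity value a convention yields for one record, or None when any
    referenced field is missing (assumed: no partial identities are emitted)."""
    if convention == "email":
        return record.get("email") or None
    if convention == "email_short":            # local part of the address
        email = record.get("email")
        return email.split("@", 1)[0] if email else None
    parts, pos = [], 0
    for m in TOKEN.finditer(convention):
        parts.append(convention[pos:m.start()])  # literal text between tokens
        value = record.get(m.group(1))
        if not value:
            return None
        parts.append(value[:int(m.group(2))] if m.group(2) else value)
        pos = m.end()
    parts.append(convention[pos:])
    return "".join(parts) or None


def identity_values(record, conventions):
    """All identity strings for a record, lower-cased for case-insensitive matching."""
    vals = {expand_convention(record, c) for c in conventions}
    return {v.lower() for v in vals if v}


def build_identity_table(records, conventions):
    """Map identity value -> record (first record wins) and collect collisions:
    values produced by more than one record, which cannot identify a single user."""
    table, collisions = {}, set()
    for rec in records:
        for v in identity_values(rec, conventions):
            if v in table:
                collisions.add(v)
            else:
                table[v] = rec
    return table, collisions


def enrich_event(event, table, match_fields=("user", "src_user")):
    """Mimic A&I enrichment: when user or src_user equals an identity value,
    add <field>_identity plus <field>_<attribute> for every record attribute."""
    out = dict(event)
    for field in match_fields:
        value = event.get(field)
        rec = table.get(value.lower()) if value else None
        if rec is None:
            continue
        out[f"{field}_identity"] = value
        for name, attr in rec.items():
            out[f"{field}_{name}"] = attr
    return out


if __name__ == "__main__":
    table, collisions = build_identity_table(ENTRA_ID_IDENTITIES, PAGE_CONVENTIONS)
    print("ambiguous identity values:", sorted(collisions))
    event = {"user": "JDOE", "src_user": "S-1-5-21-1111-2222-3333-1002"}
    for k, v in sorted(enrich_event(event, table).items()):
        print(f"{k}={v}")
```

Running the model on the sample records shows one thing worth checking in a real deployment: `downLevelDomainName()` on its own yields the same value (here `EXAMPLE`) for every user in a domain, so that identity value cannot point to a single user and is reported as a collision. After the A&I merge, `| inputlookup identity_lookup_expanded` shows the identity values ES actually generated, which is the place to confirm the conventions behave as intended.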