Skip to content

SA-EntraID: Technical Guide and Documentation

Populate a KV Store with Entra ID identities collected from the beta Graph API endpoint using the app TA-MS-AAD. This supporting add-on contains out of the box searches and KV Store lookups for integrating with the Assets and Identities ES Framework.

High-Level Configuration Guide

  • TA-MS-AAD will log all Entra ID user objects on a scheduled interval
  • Update, edit and schedule the saved search within this app & populate the KV Stores
  • Once the KV Stores are populated add them to Assets & Identities (A&I)

Installation Guide

SA-EntraID (SA-EntraID) Installation

Where to Install SA-EntraID?

  • ES Search Head

Pre-Requisite Configuration

  • Step 1: Configure an Azure app registration and configure the account within Microsoft Azure TA-MS-AAD - following this documentation
  • Step 2: Add a user input using the beta endpoint to collect the majority of AD attributes
  • Step 3: Add a second user input using the V1 endpoint, and add the filter $expand=manager($select=userPrincipalName)
  • Step 4: Add a third user input using the V1 endpoint, and add the filter $expand=memberOf($select=displayName)

SA-EntraID Configuration

  • Step 1: Update the macro sa_entra_id_identities to include the applicable index
  • Step 2: Update the saved search Update Entra ID Identities - KV Store to include custom categories and prioritisation
  • Step 3: Enable the saved search Update Entra ID Identities - KV Store so it continues to populate the KV Store with up-to-date information

SA-EntraID (SA-EntraID) ES Configuration

Once the Entra ID user data has been onboarded and the SA-EntraID KV Stores populated with dynamic active directory data, the following steps will guide the integration of the SA-EntraID lookups with the Splunk Enterprise Security Assets & Identities framework.

Adding the KV Store Lookups to ES Assets & Identities

⋅⋅⋅ ES > Configure > Data Enrichment > Asset & Identity Management

Identity Fields

Fields present in the identity fields section will be added to the raw logs as part of the A&I enrichment.

⋅⋅⋅ Identity Fields > Add New Field

Identity Fields

Ensure all the additional fields have been included:

  • dn
  • domain (tag)
  • downLevelDomainName
  • id
  • objectSid
  • sAMAccountName
  • title
  • userPrincipalName

Identity Lookups

⋅⋅⋅ Identity Lookups > New > New Configuration

Identity Lookups

  • Source: entra_id_identities
  • Select Convention: Email
  • Custom Conventions:
  • downLevelDomainName()
  • id()
  • objectSid()
  • sAMAccountName()
  • userPrincipalName()

New Identity Configuration

Custom conventions will be added to the identity field when the A&I merge occurs, these fields will then be used to match on a user when one of the values of the identity field is present in either the user or src_user field. Further reading on how to configure A&I can be found here.
Troubleshooting TIP: If you are unable to add the custom conventions, the fields will need to be configured within the Identity Fields section of A&I Configuration before they can be added as a custom convention.

Ended: Installation Guide

SA-EntraID (SA-EntraID) Troubleshooting Guide

⋅⋅ ES > Configure > Data Enrichment > Asset & Identity Management > Search Preview

Firstly, run through the preview searches to look for issues within the merged data. This step is especially important when merging multiple different lookup sources. The preview searches can be copied from the search preview tab within A&I.

Search Preview

Merging Issues

Merging is returning more results than expected

  • Check the fields are named correctly

Merging is occurring on unintentional field values, like an unknown MAC address

  • Add an exclusion for the unknown value

Search preview looks fine however the lookup does not

  • Your changes have worked, reset the collections

Identify merging errors

  • index=_internal source=*entity*.log

Raw logs not being enriched

Ensure A&I Lookups are enabled

⋅⋅⋅ ES > Configure > Data Enrichment > Asset & Identity Management > Correlation Setup

Correlation Setup

Lookup may contain incorrect values in the listed fields

  • Asset Lookups: ip, mac, nt_host, dns
  • Identity Lookup: identity (ensure the values are all being merged to the identity field from desired source fields, i.e. email, sAMAccountName, userPrincipalName, downLevelDomainName)

Raw events may not have correctly named fields which match a value in the asset / identity field

  • Asset Fields: src, dest, dvc
  • Identity: user, src_user
  • Note the field names all need to be named exactly as above

Overlapping Naming Conventions and IP Addressing Schemes