Splunk Add-on for Admon Enrichment (SA-admon) ES Configuration¶
Once the admon data has been onboarded and the SA-admon KV Stores have been populated with dynamic Active Directory data, the following steps guide the integration of the SA-admon lookups with the Splunk Enterprise Security Assets & Identities (A&I) framework.
Adding the KV Store Lookups to ES Assets & Identities¶
⋅⋅⋅ ES > Configure > Data Enrichment > Asset & Identity Management
Identity Fields¶
Fields present in the identity fields section will be added to the raw logs as part of the A&I enrichment.
⋅⋅⋅ Identity Fields > Add New Field
Ensure all the additional fields have been included:
- description (tag)
- domain (tag)
- dn
- title
- servicePrincipalName (multivalue)
- userPrincipalName
- sAMAccountName
- objectSid
- downLevelDomainName
Identity Lookups¶
⋅⋅⋅ Identity Lookups > New > New Configuration
- Source: admon_identities_def
- Select Convention: Email
- Custom Conventions:
- downLevelDomainName()
- objectSid()
- userPrincipalName()
Custom conventions are appended to the identity field when the A&I merge occurs; the resulting values are then used to match a user whenever one of them appears in either the user or the src_user field of an event. sAMAccountName is not added here because the SPL that populates the KV Store already places it in the identity field. Further reading on how to configure A&I can be found here.
Troubleshooting TIP: If you are unable to add the custom conventions, the fields must first be configured in the Identity Fields section of the A&I configuration before they can be selected as custom conventions.
Asset Fields¶
Fields present in the asset fields section will be added to the raw logs as part of the A&I enrichment.
⋅⋅⋅ Asset Fields > Add New Field
Ensure all the additional fields have been included:
- operatingSystem (tag)
- operatingSystemVersion
- description (tag)
- location (tag, mv)
Assets Lookup¶
⋅⋅⋅ Asset Lookups > New > New Configuration
- Source: admon_assets_def
Each of the key fields listed in the configuration (ip, mac, nt_host and dns by default in ES) is merged into the asset field during the A&I merge, so there was no need to add them to the lookup itself. The key fields are also used to merge entries across all asset lookups that share a common value. When a value of the asset field matches a value in one of the fields src, dest or dvc, A&I enriches the raw event. Further reading on how to configure A&I can be found here.
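To make the identity and asset matching described in the two sections above concrete, here is a small model of the merge-and-match behaviour, written for this page as an illustration. It is not code from SA-admon or Splunk ES (ES does this work inside its own lookup generators), and every row, event value and field name below is constructed; the pipe-separated identity column, case-insensitive comparison and the `<event field>_<lookup column>` naming of enriched fields are this model's assumptions about ES behaviour.

```python
"""Hypothetical model of the ES Asset & Identity merge-and-match behaviour.
Added illustration only; not code from SA-admon or Splunk ES. All data is constructed."""
import ipaddress
from typing import Dict, List

# Constructed identity rows shaped like the admon_identities_def lookup. The identity
# column already carries sAMAccountName, as the SPL that fills the KV Store does it.
IDENTITY_ROWS: List[Dict[str, str]] = [
    {"identity": "jdoe", "email": "jdoe@example.com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example.com",
     "objectSid": "S-1-5-21-1111-2222-3333-1105", "downLevelDomainName": "CORP\\jdoe",
     "dn": "CN=John Doe,OU=Users,DC=corp,DC=example,DC=com", "title": "SOC Analyst",
     "description": "Security", "domain": "corp.example.com"},
]
# Constructed asset rows shaped like admon_assets_def; the ip key may hold a CIDR range.
ASSET_ROWS: List[Dict[str, str]] = [
    {"ip": "10.0.1.0/24", "mac": "", "nt_host": "FS01", "dns": "fs01.corp.example.com",
     "operatingSystem": "Windows Server 2019", "operatingSystemVersion": "10.0 (17763)",
     "description": "File server", "location": "DC1"},
]

ASSET_KEY_FIELDS = ["ip", "mac", "nt_host", "dns"]
# The Email convention plus the three custom conventions chosen on this page.
IDENTITY_CONVENTIONS = ["email", "downLevelDomainName", "objectSid", "userPrincipalName"]
IDENTITY_EVENT_FIELDS = ["user", "src_user"]
ASSET_EVENT_FIELDS = ["src", "dest", "dvc"]


def merged_identity_values(row: Dict[str, str]) -> List[str]:
    """Identity field after the merge: existing pipe-separated values plus each
    convention's output, lowercased for case-insensitive matching (model assumption)."""
    values = [v.lower() for v in row.get("identity", "").split("|") if v]
    for field in IDENTITY_CONVENTIONS:
        v = row.get(field, "").lower()
        if v and v not in values:
            values.append(v)
    return values


def merged_asset_values(row: Dict[str, str]) -> List[str]:
    """Asset field after the merge: every non-empty key field value, lowercased."""
    return [row[f].lower() for f in ASSET_KEY_FIELDS if row.get(f)]


def asset_value_matches(candidate: str, event_value: str) -> bool:
    """An ip key value may be a CIDR range; everything else is an exact, case-insensitive match."""
    try:
        return ipaddress.ip_address(event_value) in ipaddress.ip_network(candidate, strict=False)
    except ValueError:
        return candidate == event_value.lower()


def enrich(event: Dict[str, str], identity_rows=IDENTITY_ROWS, asset_rows=ASSET_ROWS) -> Dict[str, str]:
    """Return the fields A&I would add: each lookup column prefixed with the matched
    event field (e.g. user_title, src_nt_host). First matching row wins."""
    out: Dict[str, str] = {}
    for ev_field in IDENTITY_EVENT_FIELDS:
        needle = event.get(ev_field, "").lower()
        if not needle:
            continue
        for row in identity_rows:
            if needle in merged_identity_values(row):
                out.update({f"{ev_field}_{k}": v for k, v in row.items() if v})
                break
    for ev_field in ASSET_EVENT_FIELDS:
        needle = event.get(ev_field, "")
        if not needle:
            continue
        for row in asset_rows:
            if any(asset_value_matches(c, needle) for c in merged_asset_values(row)):
                out.update({f"{ev_field}_{k}": v for k, v in row.items() if v})
                break
    return out


# Constructed sample events: down-level name, UPN and an unknown user / unknown subnet.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "src": "10.0.1.37", "dest": "fs01.corp.example.com"},
    {"src_user": "jdoe@corp.example.com", "dvc": "FS01"},
    {"user": "unknown", "dest": "192.168.5.5"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", enrich(ev))
```

The third event returns no enrichment at all, which is the symptom to look for when a convention or key field is missing from the configuration: compare the raw `user`/`src` value against the merged identity or asset values rather than against a single lookup column.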