Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Manage assets and identities in Splunk Enterprise Security

Use the Asset and Identity Management page to enrich and manage asset and identity data using lookups. The Asset and Identity Management interface replaces the previously separate menus for Identity Management, Identity Correlation, and Identity Lookup Configuration. You need to have the edit_modinput_identity_manager capability to use it. See Configure users and roles in the Installation and Upgrade Manual.

When the identity manager runs, it processes all of the asset and identity input configurations that have changed. If the source has been updated, the identity manager dispatches the SPL created by a custom-built search.

The SPL search uses a custom search command that handles the merging and updating of new data to existing data. The custom search command merges data based on key fields and policies that you define here.

Assets and identities that need to be deleted are updated in the KV store with a _delete flag set to True so that the delete operation can persist and be completed at a later time.

The custom search command returns the merged data, which is updated or inserted to the KV store using outputlookup append=T. The identity manager checks and processes rows that are marked for deletion.

If you have customized the menu bar in Splunk Enterprise Security, the Asset and Identity Management navigation and page do not display. See Restore the default navigation to restore them.

Prerequisites

Perform the following prerequisite tasks before starting any of the tasks listed in the table:

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Format the asset or identity list as a lookup in Splunk Enterprise Security.
  3. Configure a new asset or identity list in Splunk Enterprise Security.

Asset and identity management tasks

Complete the following tasks to manage configuration settings for assets and identities. These tasks do not need to be performed in any particular order.

Task Description Documentation
Configure asset lookup configuration The asset lookup configuration settings create the policy that updates the inputs.conf file to point to a lookup and update your assets. You can change settings such as the following:
  • Add an asset input stanza for the lookup source
  • Rank the order for merging assets
  • Disable or enable asset lookups
  • Modify asset lookups
  • Manually add static asset data
  • Disable the demo asset lookups
Manage asset lookup configuration policies in
Configure asset field settings Configure asset field settings for lookup matching. You can change settings such as the following:
  • Add or edit an asset field
  • Enable case-sensitive matching for asset fields
  • Revise multivalue field limits for assets
Manage asset field settings in
Create identity lookup configuration Create an identity lookup configuration policy to update and enrich your identities. You can change settings such as the following:
  • Add an identity input stanza for the lookup source
  • Rank the order for merging identities
  • Modify identity lookups
Manage identity lookup configuration policies in
Configure identity field settings Configure identity settings for lookup matching. You can change settings such as the following:
  • Add or edit an identity field
  • Enable case-sensitive matching for identity fields
  • Revise multivalue field limits for identities
Manage identity field settings in
Configure Correlation setup When asset and identity correlation is enabled, compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. You can change settings such as the following:
  • Disable correlation for all sourcetypes
  • Enable correlation selectively by sourcetype
  • Enable correlation for all sourcetypes
  • Correlation and entity zones
Manage correlation setup in
Search preview You can test the asset and identity merge process if you want to confirm that the data produced by the merge process is expected and accurate. You can test the following:
  • asset_lookup_by_str
  • asset_lookup_by_cidr
  • identity_lookup_expanded
Use the search preview to test the merge of asset and identity data in
Configure global settings Configure the global settings of the identity manager modular input to revise the way the identity manager works by default.
Last modified on 22 November, 2021
PREVIOUS
Create an identity lookup from your cloud service provider data in Splunk Enterprise Security
  NEXT
Manage asset lookup configuration policies in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters