Asset and Identity Correlation
The Splunk App for PCI Compliance compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. See Configure assets and Configure identities in the Installation and Configuration Manual.
The comparison process uses automatic lookups. See Make your lookup automatic in the Knowledge Manager Manual.
Asset and identity correlation enriches events with asset and identity data at search time.
- Asset correlation compares events that contain data in any of the src, dest, or dvc fields against the merged asset lists for a matching IP address, MAC address, DNS name, or Windows NetBIOS name.
- Identity correlation compares events that contain data in any of the user or src_user fields against the merged identity lists for a matching user or session.
- The Splunk App for PCI Compliance adds the matching output fields to the event. For example, correlation on the asset src field results in additional fields such as src_is_expected and src_should_timesync.
Asset and identity correlation allows you to determine whether multiple events can relate to the same asset or identity. You can also perform actions on the identity and asset fields added to events to open additional searches or dashboards scoped to the specific asset or identity. For example, open the Asset Investigator dashboard on a src field.
Asset and identity correlation uses several potential match points to establish asset and identity correlations:
- A dashboard view: A flashtimeline looking at indexed raw events or the Asset Center dashboard.
- A point in time reference: A summary or lookup generation that pulls in identity or asset information for later use.
- An alert generation: an email, a script, or a report. Notable events do not match in the alert generation category.
- Correlation searches: These searches also match on point-in-time data.
Note: Write searches that look for "individuals matching criteria" rather than "emails and account names like this", so that these matches continue to work correctly as the lists change.
How asset and identity correlation functions over time
Asset and identity correlation is valuable over time provided that you write searches that refer to asset and identity fields rather than to specific field values, and that you keep the asset and identity lists updated. The following example shows why this matters.
Month one: In the first month, SERVER42 is at address 192.168.1.1 and is owned by Tom Pynchon, whose email is tpynchon@yoyodyne.com and phone number is 510-555-1212.
Views, dashboards, and searches in the Splunk App for PCI Compliance use this data. Summaries run, some notable events are generated, and some alerts are sent, all using this information.
Month | Owner | IP address | Hostname | Email | Phone number
---|---|---|---|---|---
1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212
In month one, two correlation searches are run by the Yoyodyne security admin:
- A custom correlation search looking for "tpynchon@yoyodyne.com". This works fine in month one.
- A custom correlation search looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")". This also works fine in month one.
Month two: In the second month, Yoyodyne is assimilated by Wintermute. Because Wintermute is very efficient, the lookup tables (asset lists, identity lists, and so on) are updated immediately. Now SERVER42 is at address 172.16.42.42 and Tom is still the owner, but his email is now tpurhaus@wintermute.net and his phone is 888-123-4567.
Dashboards, views, and searches update to use the new information everywhere. Alerts also use the new information, unless they are using old summary or lookup data.
Month | Owner | IP address | Hostname | Email | Phone number
---|---|---|---|---|---
1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212
2 | Tom Pynchon | 172.16.42.42 | SERVER42 | tpurhaus@wintermute.net | 888-123-4567
In month two, the two correlation searches are run again by the Yoyodyne security admin:
- The custom correlation search looking for "tpynchon@yoyodyne.com" fails to generate a notable event when Tom emails his friend Bill with some secret files.
- The custom correlation search looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" generates a notable event when Tom emails his friend Bill with some secret files.
Month three: In month three, Tom leaves Wintermute to go work with Bill. His role administering SERVER42 is taken over by Jane Doe, whose email address is jdoe6@wintermute.net and phone number is 888-123-9876.
In month three, the two correlation searches are run again by the Yoyodyne security admin:
- The custom correlation search looking for "tpynchon@yoyodyne.com" still does not work.
- The custom correlation search looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" still works.
In this example, correlation searches continue to work correctly if the ownership relationship for SERVER42 is updated in the asset list.
Month | Owner | IP address | Hostname | Email | Phone number
---|---|---|---|---|---
1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212
2 | Tom Pynchon | 172.16.42.42 | SERVER42 | tpurhaus@wintermute.net | 888-123-4567
3 | Jane Doe | 172.16.42.42 | SERVER42 | jdoe6@wintermute.net | 888-123-9876
Looking at the same incident for SERVER42 over the three-month period would show three different phone numbers, always displaying the current number. Keeping asset and identity lists accurate and up to date is necessary for asset and identity correlation to function properly.
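The following is an added example, not code from the Splunk App for PCI Compliance: it simulates the search-time identity enrichment described above and replays the two Yoyodyne correlation searches against each month's identity list. The account names (tpynchon, tpurhaus, jdoe6), the per-month identity records, and the events are constructed sample data; the output field names follow the page's user_<attribute> convention.

```python
# Added example, not code from the Splunk App for PCI Compliance. It models the
# automatic lookup that enriches an event's "user" field with identity attributes,
# then runs the page's two correlation searches for each month of the example.

# Constructed merged identity list for each month, keyed by account name.
IDENTITY_LISTS = {
    1: {"tpynchon": {"email": "tpynchon@yoyodyne.com", "phone": "510-555-1212",
                     "priority": "high", "is_privileged": "true"}},
    2: {"tpurhaus": {"email": "tpurhaus@wintermute.net", "phone": "888-123-4567",
                     "priority": "high", "is_privileged": "true"}},
    3: {"jdoe6": {"email": "jdoe6@wintermute.net", "phone": "888-123-9876",
                  "priority": "high", "is_privileged": "true"}},
}

# Constructed event per month: the SERVER42 administrator sends files to an outside address.
EVENTS = {
    1: {"action": "sent", "user": "tpynchon", "recipient": "bill@example.net"},
    2: {"action": "sent", "user": "tpurhaus", "recipient": "bill@example.net"},
    3: {"action": "sent", "user": "jdoe6", "recipient": "bill@example.net"},
}


def enrich(event, identities):
    """Search-time identity correlation: if the event's 'user' matches an identity,
    add user_<attribute> output fields (user_email, user_priority, ...).
    A non-matching event is returned unchanged, as an automatic lookup would leave it."""
    record = identities.get(event.get("user"))
    if record is None:
        return dict(event)
    return {**event, **{f"user_{k}": v for k, v in record.items()}}


def literal_value_search(event):
    """Correlation search written against a field value: the month-one email address."""
    return event.get("user_email") == "tpynchon@yoyodyne.com"


def attribute_search(event):
    """Correlation search written against identity attributes, as the page recommends."""
    return (event.get("user_is_privileged") == "true"
            or event.get("user_priority") in ("critical", "high"))


def run_months():
    """Return {month: (literal search fired, attribute search fired)} for months 1-3."""
    results = {}
    for month, event in EVENTS.items():
        enriched = enrich(event, IDENTITY_LISTS[month])
        results[month] = (literal_value_search(enriched), attribute_search(enriched))
    return results
```

Running run_months() reproduces the page's outcome: the literal-value search fires only in month one, while the attribute-based search fires in every month because the enrichment always reflects the current identity list.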
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.1.3, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2