Asset and Identity correlation
Splunk App for Enterprise Security can use asset and identity tables to correlate observed events (such as notable events) to specific identities and assets, for improved event detection and enriched investigations. The correlation of identity or asset records always happens at search time, meaning that whatever is true at the time of the search is reflected in the results.
Asset and identity correlation uses several potential match points to establish asset and identity correlations:
- A dashboard view: A flash time line looking at indexed raw events or the Asset Center dashboard.
- A point in time reference: A summary or lookup generation that pulls in identity or asset information for later use.
- An alert generation: An email or a script or a report
- Note: Notable events do not match in the alert generation category.
- Correlation searches: These searches also match on point-in-time data.
- Note: Write searches that look for "individuals matching criteria", and not "emails and account names like this" so that these matches will work correctly.
How assets and identities function over time
The following is an example of how this asset and identity correlation might work over time:
Month one: In the first month, SERVER42 is at address 192.168.1.1 and is owned by Tom Pynchon, whose email is tpynchon@yoyodyne.com and phone number is 510-555-1212.
Views, dashboards, and searches in the Splunk App for Enterprise Security use this data. Summaries run, some notable events are generated, and some alerts are sent, all using this information.
Month | Owner | IP address | hostname | phone number | |
---|---|---|---|---|---|
1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212 |
In month one, two correlation searches are run by the Yoyodyne security admin:
- A custom rule looking for "tpynchon@yoyodyne.com". This works fine in month 1.
- A custom rule looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")". This also works fine in month 1.
Month two: In the second month, Yoyodyne is assimilated by Wintermute. Because Wintermute is very efficient, the lookup tables (asset lists and identity lists, and so on) are updated immediately. Now SERVER42 is at address 172.16.42.42, Tom is the owner, but his email is now tpurhaus@wintermute.net, his phone is 888-123-4567.
Dashboards, views, and searches update to use the new information everywhere. Alerts will also use the new information, unless they are using old summary or lookup data.
Month | Owner | IP address | hostname | phone number | |
---|---|---|---|---|---|
1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212 |
2 | Tom Pynchon | 172.16.42.42 | SERVER42 | tpurhaus@wintermute.net | 888-123-4567 |
In month 2 the two correlation searches are run again by the Yoyodyne security admin:
- The custom rule looking for "tpynchon@yoyodyne.com" fails to work when Tom emails his friend Bill with some secret files.
- The custom rule looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" works just fine when Tom emails his friend Bill with some secret files.
Month three: In month three, Tom leaves Wintermute to go work with Bill. His role administering SERVER42 is taken over by Jane Doe, who's email address is jdoe6@wintermute.net and phone number is 888-123-9876.
In month 3, the two correlation searches are run again by the Yoyodyne security admin:
- The custom rule looking for "tpynchon@yoyodyne.com" still doesn't work.
- The custom rule looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" will still work.
In this example, correlation searches will continue to work correctly if the ownership relationship for SERVER42 is updated.
Month | Owner | IP address | hostname | phone number | |
---|---|---|---|---|---|
1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212 |
2 | Tom Pynchon | 172.16.42.42 | SERVER42 | tpurhaus@wintermute.net | 888-123-4567 |
3 | Jane Doe | 172.16.42.42 | SERVER42 | jdoe6@wintermute.net | 888-123-9876 |
Looking at the same incident for SERVER42 over the three month period would show three different phone numbers, always displaying the current number. Keeping asset and identity lists accurate and up-to-date is necessary for asset and identity correlation to function properly.
Advanced Filter | Asset management |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3
Feedback submitted, thanks!