Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of ES.

Asset and Identity correlation

Splunk App for Enterprise Security can use asset and identity tables to correlate observed events (such as notable events) to specific identities and assets, for improved event detection and enriched investigations. The correlation of identity or asset records always happens at search time, meaning that whatever is true at the time of the search is reflected in the results.

Asset and identity correlation uses several potential match points to establish asset and identity correlations:

  • A dashboard view: A flash time line looking at indexed raw events or the Asset Center dashboard.
  • A point in time reference: A summary or lookup generation that pulls in identity or asset information for later use.
  • An alert generation: An email, a script, or a report.
    Note: Notable events do not match in the alert generation category.
  • Correlation searches: These searches also match on point-in-time data.
    Note: Write searches that look for "individuals matching criteria", and not "emails and account names like this" so that these matches will work correctly.

How assets and identities function over time

The following is an example of how this asset and identity correlation might work over time:

Month one: In the first month, SERVER42 is at address 192.168.1.1 and is owned by Tom Pynchon, whose email is tpynchon@yoyodyne.com and phone number is 510-555-1212.

Views, dashboards, and searches in the Splunk App for Enterprise Security use this data. Summaries run, some notable events are generated, and some alerts are sent, all using this information.

| Month | Owner | IP address | Hostname | Email | Phone number |
|-------|-------|------------|----------|-------|--------------|
| 1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212 |

In month one, two correlation searches are run by the Yoyodyne security admin:

  • A custom rule looking for "tpynchon@yoyodyne.com". This works fine in month 1.
  • A custom rule looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")". This also works fine in month 1.

Month two: In the second month, Yoyodyne is assimilated by Wintermute. Because Wintermute is very efficient, the lookup tables (asset lists, identity lists, and so on) are updated immediately. Now SERVER42 is at address 172.16.42.42. Tom is the owner, but his email is now tpurhaus@wintermute.net and his phone is 888-123-4567.

Dashboards, views, and searches update to use the new information everywhere. Alerts will also use the new information, unless they are using old summary or lookup data.

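| Month | Owner | IP address | Hostname | Email | Phone number |
|-------|-------|------------|----------|-------|--------------|
| 1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212 |
| 2 | Tom Pynchon | 172.16.42.42 | SERVER42 | tpurhaus@wintermute.net | 888-123-4567 |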

In month 2, the two correlation searches are run again by the Yoyodyne security admin:

  • The custom rule looking for "tpynchon@yoyodyne.com" fails to work when Tom emails his friend Bill with some secret files.
  • The custom rule looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" works just fine when Tom emails his friend Bill with some secret files.

Month three: In month three, Tom leaves Wintermute to go work with Bill. His role administering SERVER42 is taken over by Jane Doe, whose email address is jdoe6@wintermute.net and phone number is 888-123-9876.

In month 3, the two correlation searches are run again by the Yoyodyne security admin:

  • The custom rule looking for "tpynchon@yoyodyne.com" still doesn't work.
  • The custom rule looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" will still work.

In this example, correlation searches will continue to work correctly if the ownership relationship for SERVER42 is updated.

| Month | Owner | IP address | Hostname | Email | Phone number |
|-------|-------|------------|----------|-------|--------------|
| 1 | Tom Pynchon | 192.168.1.1 | SERVER42 | tpynchon@yoyodyne.com | 510-555-1212 |
| 2 | Tom Pynchon | 172.16.42.42 | SERVER42 | tpurhaus@wintermute.net | 888-123-4567 |
| 3 | Jane Doe | 172.16.42.42 | SERVER42 | jdoe6@wintermute.net | 888-123-9876 |

Looking at the same incident for SERVER42 over the three-month period would show three different phone numbers, always displaying the current number. Keeping asset and identity lists accurate and up-to-date is necessary for asset and identity correlation to function properly.
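
The three-month walkthrough above, as an added simulation in Python (not Splunk search language and not code from this manual). The table rows are the ones shown above; the "priority" attribute, the per-month events, and all function names are assumptions made for illustration, and only the user_priority clause of the second rule is modeled.

```python
# Simulation only: plain Python standing in for search-time lookups, not SPL.
# Identity/asset rows come from the page's tables; 'priority' is an assumed attribute.
LITERAL = "tpynchon@yoyodyne.com"

IDENTITIES = {  # month -> identity table as it exists when the search runs
    1: {"tpynchon@yoyodyne.com": {"name": "Tom Pynchon", "phone": "510-555-1212", "priority": "high"}},
    2: {"tpurhaus@wintermute.net": {"name": "Tom Pynchon", "phone": "888-123-4567", "priority": "high"}},
    3: {"jdoe6@wintermute.net": {"name": "Jane Doe", "phone": "888-123-9876", "priority": "high"}},
}
ASSETS = {  # month -> asset table; owner is a key into that month's identity table
    1: {"SERVER42": {"ip": "192.168.1.1", "owner": "tpynchon@yoyodyne.com"}},
    2: {"SERVER42": {"ip": "172.16.42.42", "owner": "tpurhaus@wintermute.net"}},
    3: {"SERVER42": {"ip": "172.16.42.42", "owner": "jdoe6@wintermute.net"}},
}
# Constructed events: each month the current SERVER42 owner sends mail with attachments.
EVENTS = {m: {"src_user": ASSETS[m]["SERVER42"]["owner"], "host": "SERVER42"} for m in ASSETS}


def enrich(event, search_month):
    """Join the event with the identity table as of search time."""
    ident = IDENTITIES[search_month].get(event["src_user"], {})
    return {**event, "user_priority": ident.get("priority", "unknown")}


def rule_literal(event):
    """Rule 1: match a hard-coded email address in the raw event."""
    return event["src_user"] == LITERAL


def rule_attribute(event, search_month):
    """Rule 2 (user_priority clause): match attributes added at search time."""
    return enrich(event, search_month)["user_priority"] in ("critical", "high")


def incident_contact(host, search_month):
    """Phone number shown for an incident on `host` when viewed in `search_month`."""
    owner = ASSETS[search_month][host]["owner"]
    return IDENTITIES[search_month][owner]["phone"]


def run_rules():
    """Evaluate both rules on each month's event, searching in that same month."""
    return {m: (rule_literal(e), rule_attribute(e, m)) for m, e in EVENTS.items()}


if __name__ == "__main__":
    for month, (lit, attr) in run_rules().items():
        print(month, "literal:", lit, "attribute:", attr, "contact:", incident_contact("SERVER42", month))
```

In this simulation, evaluating the second rule in month 3 against the month 2 event returns no match, because Tom's row is absent from the constructed month 3 identity table and enrichment uses whatever table exists when the search runs.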

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3