Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Asset and Identity correlation

To effectively detect security intrusions, an organization must be able to correlate events in log data with specific assets and identities that may be responsible for, or affected by the intrusion. Splunk Enterprise Security compares indexed events with the data in the asset and identity correlation system to provide data enrichment and context.

Asset correlation

An asset represents any device or system in the environment that generates data. Asset correlation allows indexed events to be matched against a defined list of assets. When a match occurs, the original indexed event gains new fields through association with the asset, enriching the event with information on the asset's priority, location, or other details.

Performing asset correlation with Enterprise Security provides:

  • Categorization: allows information about assets to be added to events.
  • Prioritization: allows an urgency to be computed based on the assigned priority of an asset.
  • Normalization: assists in determining whether multiple events can relate to the same device.

How assets are identified

Enterprise Security performs an asset correlation whenever an event returned by a search contains data in any one of the src, dest, host, orig_host, or dvc fields.

  1. The data in the field is evaluated against the merged asset lists for a match as an IP address, a MAC address, a DNS name, or a Windows NetBIOS name.
  2. Only one asset or identity match will be returned. Furthermore, for assets, a single IP address match is always preferred over a CIDR subnet match. Overlap between asset or identity entries in any of the key fields will result in indeterministic matching behavior.
  3. The fields in the asset list are added to the indexed event as additional fields.
  4. The asset fields provide "Event actions," allowing a user to open additional searches or dashboards scoped to the specific asset.

Adding assets to Enterprise Security

Collection and addition of asset information to Enterprise Security supports correlation searches, search tasks, and other features attempting to correlate indexed events with known network devices.

In a highly regulated network environment, one database or repository might be the only source of information for both assets and identities. However, it is more common to find them spread among many unique repositories, hosted on different technologies, and maintained by several departments. For a list of suggested asset sources, see "Collection methods for assets and identities" in this manual.

After you collect asset information, format the resulting list of assets according to the guidance in the "Asset lookup fields" topic in this manual. Once formatted, the list should be placed in $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups. To configure the list for collection and processing, see Identity Management in this manual.

Asset lookup fields

The fields allowed in an asset list are set by Enterprise Security and cannot be changed. Unsupported and nonstandard fields will be discarded. The first line of any asset file is a column header, and must list all of the asset fields.

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av


Field Description Example
ip A single IP address or range 2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27
mac A MAC address 00:25:bc:42:f4:60
nt_host A Windows machine name ACME-0005
dns A DNS name acme-0005.corp1.acmetech.org
owner The user or department associated with the device f.prefect@acmetech.org, DevOps
priority The priority assigned to the device for calculating the Urgency field for notable events. An "unknown" priority reduces the assigned Urgency by default. For more information, see "Notable Event Urgency assignment" in this manual. unknown, low, medium, high or critical.
lat The latitude of the asset 41.040855
long The longitude of the asset 28.986183
city The city in which the asset is located Chicago
country The country in which the asset is located USA
bunit The business unit of the asset EMEA, NorCal
category A pipe-delimited list of logical classifications for an asset. See "Categories" in this manual. server | web_farm | cloud
pci_domain The assigned PCI domain of an asset.
is_expected Indicates whether events from this asset should always be expected. If set to true, an alert will be triggered when this asset stops reporting events. "true", or blank to indicate "false"
should_timesync Indicates whether this asset must be monitored for time-sync events. It set to true, an alert will be triggered if this asset does not report any time-sync events from the past 24 hours. "true", or blank to indicate "false"
should_update Indicates whether this asset must be monitored for system update events. "true", or blank to indicate "false"
requires_av Indicates whether this asset must have anti-virus software installed. "true", or blank to indicate "false"

Identity correlation

An identity represents a user, credential, or a role used to grant access to a device or system. Identity correlation allows indexed events to be matched against a defined list of users or system accounts. When a match occurs, the original indexed event gains new fields through association with an identity, enriching the event with information on the identity's priority, role, or the functional area to which it belongs.

Performing identity correlation with Enterprise Security provides:

  • Categorization: allows information about an individual or account to be added to events.
  • Prioritization: allows an urgency to be computed based on the assigned priority of an individual or account.
  • Normalization: assists in determining whether multiple events can relate to the same individual or account.

How identities are identified

Enterprise Security automatically performs an identity correlation whenever an event contains data in either the user, or src_user fields.

  1. The data in the field is evaluated against the merged lists of identities for a user or session match.
  2. After the first match is found, any additional matches are ignored.
  3. The fields in the identity list are added to the event as additional fields.
  4. The added identity fields provide "field actions," allowing a user to open additional searches or dashboards scoped to the specific identity.

Adding identities to Enterprise Security

Collection and addition of identity information to Enterprise Security supports correlation searches, search tasks, and other features attempting to correlate indexed events with users or accounts.

In a highly regulated network environment, one database or repository might be the only source of information for both assets and identities. However, it is more common to find them spread among many unique repositories, hosted on different technologies, and maintained by several departments. For a list of suggested identities sources, see "Collection methods for assets and identities" in this manual.

After you collect information on identities, format the resulting list according to the guidance in the "Identity lookup fields" topic in this manual. Once formatted, the list should be placed in $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups. To configure the list for collection and processing, see the topic "Identity Management" in this manual.

Identity lookup fields

An identity lookup has predefined fields. Not all fields are required. The identity list fields are pre-defined. If a file contains a field or entry that is not supported or standardized, then the field and contents are discarded. The first line of any identity file is a column header, and must list all of the fields. 

identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
Field Description Example
identity A pipe-delimited list of username strings representing the identity. Required. For more information on conditional matching for this field, see "Manage Identity matching using identityLookup.conf" in this topic. VanHelsing | a.vanhelsing | abraham.vanhelsing | a.vanhelsing@acmetech.org | abraham.vanhelsing@acmetech.org
prefix Prefix of the identity. M.D., Ph.D
nick Nickname of an identity. Van Helsing
first First name of an identity. Abraham
last Last name of an identity. Van Helsing
suffix Suffix of the identity.
email Email address of an identity. a.vanhelsing@acmetech.org
phone A telephone number of an identity. 123-456-7890
phone2 A secondary telephone number of an identity. 012-345-6789
managedBy A username representing the manager of an identity. phb@acmetech.org
priority The assigned priority of an identity. unknown, low, medium, high or critical.
bunit A group or department classification for identities. Field Reps, EMEA, APAC
category A pipe-delimited list of logical classifications for identities. See "Categories" in this manual. Privileged | Officer | CISO
watchlist Marks the identity for activity monitoring. Accepted values: "true" or empty. See "User Activity Monitoring" in this manual.
startDate The start or hire date of an identity. Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
endDate The end or termination date of an identity. Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
work_city The primary work site City for an identity.
work_country The primary work site Country for an identity.
work_lat The latitude of primary work site City in DD with compass direction. 37.78N
work_long The longitude of primary work site City in DD with compass direction. 122.41W

Manage Identity matching using identityLookup.conf

Using the identityLookup.conf, you can configure additional options for the identity list matching, such as allowing partial matches and setting a preference for order when matches are performed.

The Identity field is capable of storing multiple pipe-delimited strings for use while matching. When importing data from a source such as LDAP, an identity record is created from the login name and email address fields. Those fields can be used for conditional matching, and rearranged into other unique combinations to allow identity matching by changing the settings in identityLookup.conf. The additional results are stored in the Identity field of the identities_expanded lookup.

For a description of the options, review the SA-IdentityManagement/README/identityLookup.conf.spec
For an example, see the SA-IdentityManagement/README/identityLookup.conf.example

Last modified on 28 June, 2017
User Activity Monitoring   Asset and Identity management

This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters