Asset and Identity correlation
To effectively detect security intrusions, an organization must be able to correlate events in log data with specific assets and identities that may be responsible for, or affected by the intrusion. Splunk Enterprise Security compares indexed events with the data in the asset and identity correlation system to provide data enrichment and context.
Asset correlation
An asset represents any device or system in the environment that generates data. Asset correlation allows indexed events to be matched against a defined list of assets. When a match occurs, the original indexed event gains new fields through association with the asset, enriching the event with information on the asset's priority, location, or other details.
Performing asset correlation with Enterprise Security provides:
- Categorization: allows information about assets to be added to events.
- Prioritization: allows an urgency to be computed based on the assigned priority of an asset.
- Normalization: assists in determining whether multiple events can relate to the same device.
How assets are identified
Enterprise Security performs an asset correlation whenever an event returned by a search contains data in any one of the src, dest, host, orig_host, or dvc fields.
- The data in the field is evaluated against the merged asset lists for a match as an IP address, a MAC address, a DNS name, or a Windows NetBIOS name.
- Only one asset or identity match is returned. For assets, a single IP address match is always preferred over a CIDR subnet match. Overlapping asset or identity entries in any of the key fields result in nondeterministic matching.
- The fields in the asset list are added to the indexed event as additional fields.
- The asset fields provide "Event actions," allowing a user to open additional searches or dashboards scoped to the specific asset.
Adding assets to Enterprise Security
Collection and addition of asset information to Enterprise Security supports correlation searches, search tasks, and other features attempting to correlate indexed events with known network devices.
In a highly regulated network environment, one database or repository might be the only source of information for both assets and identities. However, it is more common to find them spread among many unique repositories, hosted on different technologies, and maintained by several departments. For a list of suggested asset sources, see "Collection methods for assets and identities" in this manual.
After you collect asset information, format the resulting list of assets according to the guidance in the "Asset lookup fields" topic in this manual. Once formatted, place the list in $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups. To configure the list for collection and processing, see "Identity Management" in this manual.
Asset lookup fields
The fields allowed in an asset list are set by Enterprise Security and cannot be changed. Unsupported and nonstandard fields will be discarded. The first line of any asset file is a column header, and must list all of the asset fields.
Field | Description | Example |
---|---|---|
ip | A single IP address or range | 2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27 |
mac | A MAC address | 00:25:bc:42:f4:60 |
nt_host | A Windows machine name | ACME-0005 |
dns | A DNS name | acme-0005.corp1.acmetech.org |
owner | The user or department associated with the device | f.prefect@acmetech.org, DevOps |
priority | The priority assigned to the device, used when calculating the Urgency field for notable events. An "unknown" priority reduces the assigned Urgency by default. For more information, see "Notable Event Urgency assignment" in this manual. | unknown, low, medium, high or critical |
lat | The latitude of the asset | 41.040855 |
long | The longitude of the asset | 28.986183 |
city | The city in which the asset is located | Chicago |
country | The country in which the asset is located | USA |
bunit | The business unit of the asset | EMEA, NorCal |
category | A pipe-delimited list of logical classifications for an asset. See "Categories" in this manual. | server\|web_farm\|cloud |
pci_domain | The assigned PCI domain of an asset. | |
is_expected | Indicates whether events from this asset should always be expected. If set to true, an alert is triggered when this asset stops reporting events. | "true", or blank to indicate "false" |
should_timesync | Indicates whether this asset must be monitored for time-sync events. If set to true, an alert is triggered if this asset has not reported any time-sync events in the past 24 hours. | "true", or blank to indicate "false" |
should_update | Indicates whether this asset must be monitored for system update events. | "true", or blank to indicate "false" |
requires_av | Indicates whether this asset must have anti-virus software installed. | "true", or blank to indicate "false" |
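As an added example (not Splunk's own code), the matching rules from "How assets are identified" applied to a constructed asset lookup: a value taken from src, dest, host, orig_host or dvc is tested as an IP address, CIDR block, IP range, MAC address, NetBIOS name or DNS name, and a single-IP match is preferred over a subnet match. The sample rows and the handling of dash-separated IP ranges are this example's assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample asset lookup (not a real SA-IdentityManagement file); the
# header lists every column from the "Asset lookup fields" table.
ASSET_CSV = """\
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
10.0.0.0/8,,,,netops@example.test,low,,,,,,server,,,,,
10.1.2.3,00:25:bc:42:f4:60,ACME-0005,acme-0005.corp1.example.test,f.prefect@example.test,critical,,,Chicago,USA,NorCal,server|web_farm,,true,true,true,true
192.168.15.9-192.168.15.27,,,,DevOps,medium,,,,,EMEA,cloud,,,,,
"""

# Event fields whose values trigger asset correlation.
ASSET_KEY_FIELDS = ("src", "dest", "host", "orig_host", "dvc")
# Match preference: a single-IP hit beats a subnet hit. Ranking a dash-separated
# range like a CIDR block is this example's assumption, not documented ES behaviour.
RANK = {"single": 0, "range": 1, "cidr": 1}

def load_assets(text=ASSET_CSV):
    return list(csv.DictReader(io.StringIO(text)))

def ip_match_kind(value, ip_entry):
    """Return 'single', 'cidr' or 'range' if value falls within ip_entry, else None."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None                      # not an IP: may be a MAC, DNS or NetBIOS name
    if "-" in ip_entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in ip_entry.split("-", 1))
        return "range" if lo.version == addr.version and lo <= addr <= hi else None
    if "/" in ip_entry:
        return "cidr" if addr in ipaddress.ip_network(ip_entry, strict=False) else None
    return "single" if addr == ipaddress.ip_address(ip_entry) else None

def correlate_asset(value, assets):
    """Match one field value against ip, mac, nt_host and dns; return the best asset row."""
    best, best_rank = None, len(RANK) + 1
    needle = value.strip().lower()
    for asset in assets:
        kind = ip_match_kind(needle, asset["ip"]) if asset["ip"] else None
        names = (asset["mac"], asset["nt_host"], asset["dns"])
        if kind is None and needle and needle in (n.lower() for n in names):
            kind = "single"              # exact MAC / NetBIOS / DNS match
        if kind is not None and RANK[kind] < best_rank:
            best, best_rank = asset, RANK[kind]
    return best
```

The returned row's columns (owner, priority, category, and so on) are what ES would attach to the event as additional fields.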
Identity correlation
An identity represents a user, credential, or a role used to grant access to a device or system. Identity correlation allows indexed events to be matched against a defined list of users or system accounts. When a match occurs, the original indexed event gains new fields through association with an identity, enriching the event with information on the identity's priority, role, or the functional area to which it belongs.
Performing identity correlation with Enterprise Security provides:
- Categorization: allows information about an individual or account to be added to events.
- Prioritization: allows an urgency to be computed based on the assigned priority of an individual or account.
- Normalization: assists in determining whether multiple events can relate to the same individual or account.
How identities are identified
Enterprise Security automatically performs an identity correlation whenever an event contains data in either the user or src_user field.
- The data in the field is evaluated against the merged lists of identities for a user or session match.
- After the first match is found, any additional matches are ignored.
- The fields in the identity list are added to the event as additional fields.
- The added identity fields provide "field actions," allowing a user to open additional searches or dashboards scoped to the specific identity.
Adding identities to Enterprise Security
Collection and addition of identity information to Enterprise Security supports correlation searches, search tasks, and other features attempting to correlate indexed events with users or accounts.
In a highly regulated network environment, one database or repository might be the only source of information for both assets and identities. However, it is more common to find them spread among many unique repositories, hosted on different technologies, and maintained by several departments. For a list of suggested identities sources, see "Collection methods for assets and identities" in this manual.
After you collect information on identities, format the resulting list according to the guidance in the "Identity lookup fields" topic in this manual. Once formatted, place the list in $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups. To configure the list for collection and processing, see the topic "Identity Management" in this manual.
Identity lookup fields
An identity lookup has a predefined set of fields; not all of them are required. If a file contains a field or entry that is not supported or standardized, the field and its contents are discarded. The first line of any identity file is a column header and must list all of the fields:
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
Field | Description | Example |
---|---|---|
identity | A pipe-delimited list of username strings representing the identity. Required. For more information on conditional matching for this field, see "Manage Identity matching using identityLookup.conf" in this topic. | VanHelsing\|a.vanhelsing\|abraham.vanhelsing\|a.vanhelsing@acmetech.org\|abraham.vanhelsing@acmetech.org |
prefix | Prefix of the identity. | M.D., Ph.D |
nick | Nickname of an identity. | Van Helsing |
first | First name of an identity. | Abraham |
last | Last name of an identity. | Van Helsing |
suffix | Suffix of the identity. | |
email | Email address of an identity. | a.vanhelsing@acmetech.org |
phone | A telephone number of an identity. | 123-456-7890 |
phone2 | A secondary telephone number of an identity. | 012-345-6789 |
managedBy | A username representing the manager of an identity. | phb@acmetech.org |
priority | The assigned priority of an identity. | unknown, low, medium, high or critical |
bunit | A group or department classification for identities. | Field Reps, EMEA, APAC |
category | A pipe-delimited list of logical classifications for identities. See "Categories" in this manual. | Privileged\|Officer\|CISO |
watchlist | Marks the identity for activity monitoring. See "User Activity Monitoring" in this manual. | "true", or empty to indicate "false" |
startDate | The start or hire date of an identity. | Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s |
endDate | The end or termination date of an identity. | Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s |
work_city | The primary work site city for an identity. | |
work_country | The primary work site country for an identity. | |
work_lat | The latitude of the primary work site city, in decimal degrees with compass direction. | 37.78N |
work_long | The longitude of the primary work site city, in decimal degrees with compass direction. | 122.41W |
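As an added example (not Splunk's own code), the identity matching rules from "How identities are identified" applied to a constructed identity lookup: the pipe-delimited identity column is expanded into match keys, a user or src_user value is matched exactly and case-insensitively, the first matching record wins, and a check flags identity strings shared by more than one record, since overlap makes matching indeterministic. The sample rows and the user_/src_user_ prefix on the added fields are this example's assumptions.

```python
import csv
import io

# Constructed sample identity lookup (not a real SA-IdentityManagement file) using the
# required column header; the third record deliberately reuses "a.vanhelsing" to show overlap.
IDENTITY_CSV = """\
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
VanHelsing|a.vanhelsing|a.vanhelsing@example.test,,,Abraham,Van Helsing,,a.vanhelsing@example.test,,,phb@example.test,high,EMEA,Privileged|Officer,true,,,,,,
svc_backup|svc_backup@example.test,,,,,,,,,,low,Ops,ServiceAccount,,,,,,,
a.vanhelsing|adm_vanhelsing,,,,,,,,,,critical,EMEA,Privileged,,,,,,,
"""

# Event fields whose values trigger identity correlation.
IDENTITY_KEY_FIELDS = ("user", "src_user")

def load_identities(text=IDENTITY_CSV):
    """Parse the lookup and expand the pipe-delimited identity column into match keys."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_keys"] = [k.strip().lower() for k in row["identity"].split("|") if k.strip()]
    return rows

def overlapping_keys(identities):
    """Map each identity string used by more than one record to the record indexes using it.
    A non-empty result should be fixed before loading, because overlap makes matching indeterministic."""
    seen = {}
    for idx, row in enumerate(identities):
        for key in row["_keys"]:
            seen.setdefault(key, []).append(idx)
    return {k: v for k, v in seen.items() if len(v) > 1}

def correlate_identity(value, identities):
    """Exact, case-insensitive match on any identity string; the first matching record wins."""
    needle = value.strip().lower()
    for row in identities:
        if needle in row["_keys"]:
            return row
    return None

def enrich(event, identities):
    """Copy the event and add priority/bunit/category/watchlist from the matched identity per key field."""
    out = dict(event)
    for field in IDENTITY_KEY_FIELDS:
        match = correlate_identity(event[field], identities) if field in event else None
        if match:
            for col in ("priority", "bunit", "category", "watchlist"):
                if match[col]:
                    out[f"{field}_{col}"] = match[col]   # prefix convention assumed, not ES-documented
    return out
```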
Manage Identity matching using identityLookup.conf
Using identityLookup.conf, you can configure additional options for identity list matching, such as allowing partial matches and setting the order of preference when matches are performed.
The identity field can store multiple pipe-delimited strings for use in matching. When importing data from a source such as LDAP, an identity record is created from the login name and email address fields. Those fields can be used for conditional matching and rearranged into other unique combinations to allow identity matching, by changing the settings in identityLookup.conf. The additional results are stored in the identity field of the identities_expanded lookup.
For a description of the options, see SA-IdentityManagement/README/identityLookup.conf.spec. For an example, see SA-IdentityManagement/README/identityLookup.conf.example.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6