Configure asset and identity correlation in Splunk Enterprise Security
After you add asset and identity data to Splunk Enterprise Security, configure asset and identity correlation in Splunk Enterprise Security.
About asset and identity correlation in Splunk Enterprise Security
To effectively detect security intrusions, an organization must be able to correlate events in log data with the specific assets and identities that may be responsible for, or affected by, the intrusion. Splunk Enterprise Security compares indexed events with the asset and identity data in the asset and identity lists to provide data enrichment and context. The comparison process uses automatic lookups. You can find information about automatic lookups in the Splunk platform documentation.
- For Splunk Enterprise, see Make your lookup automatic in the Splunk Enterprise Knowledge Manager Manual.
- For Splunk Cloud, see Make your lookup automatic in the Splunk Cloud Knowledge Manager Manual.
Asset and identity correlation enriches events with asset and identity data at search time.
- Asset correlation compares events that contain data in any of the src, dest, or dvc fields against the merged asset lists for a matching IP address, MAC address, DNS name, or Windows NetBIOS name. Asset correlation no longer occurs automatically against the host or orig_host fields.
- Identity correlation compares events that contain data in any of the user or src_user fields against the merged identity lists for a matching user or session.
- Enterprise Security adds the matching output fields to the event. For example, correlation on the asset src field results in additional fields such as src_is_expected and src_should_timesync.
Asset and identity correlation allows you to determine whether multiple events can relate to the same asset or identity. You can also perform actions on the identity and asset fields added to events to open additional searches or dashboards scoped to the specific asset or identity. For example, open the Asset Investigator dashboard on a src field.
Configure asset and identity correlation
Choose whether to enable or disable asset and identity correlation. You can restrict correlation to occur only for select sourcetypes.
- From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Correlation.
- Select Enable correlation, Disable correlation, or Enable selectively by sourcetype.
- If you choose Enable selectively by sourcetype, type a sourcetype and select the check box for asset and/or identity.
Note: Disabling asset and identity correlation completely prevents events from being enriched with asset and identity data from the asset and identity lookups. This may prevent correlation searches, dashboards, and other functionality from working as expected. Consult with Splunk Professional Services or Splunk Support before disabling asset and identity correlation.
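The following Python is an added illustration, not Splunk or Enterprise Security code: it simulates what the automatic lookups described above do to an event, matching src, dest, and dvc against a merged asset list by IP, MAC, DNS or NetBIOS name (and not host or orig_host), matching user and src_user against a merged identity list, adding the <field>_<output> fields, and honouring an "Enable selectively by sourcetype" policy. The asset and identity rows, the identity output columns (priority, category), and the policy data structure are constructed assumptions for the example.

```python
# Constructed merged asset list; columns mirror the asset lookup's key and output fields.
ASSETS = [
    {"ip": "10.1.1.5", "mac": "00:11:22:33:44:55", "dns": "web01.corp.example",
     "nt_host": "WEB01", "is_expected": "true", "should_timesync": "true"},
]
# Constructed merged identity list; output columns here are assumed for the example.
IDENTITIES = [
    {"identity": "jdoe", "priority": "high", "category": "admin"},
    {"identity": "svc_backup", "priority": "medium", "category": "service"},
]
ASSET_FIELDS = ("src", "dest", "dvc")         # host and orig_host are deliberately absent
IDENTITY_FIELDS = ("user", "src_user")
ASSET_KEYS = ("ip", "mac", "dns", "nt_host")  # IP, MAC, DNS name, Windows NetBIOS name
ASSET_OUTPUTS = ("is_expected", "should_timesync")
IDENTITY_OUTPUTS = ("priority", "category")

def build_index(rows, keys):
    """Map every non-empty key value (case-insensitive) to its lookup row."""
    index = {}
    for row in rows:
        for key in keys:
            if row.get(key):
                index[row[key].lower()] = row
    return index

ASSET_INDEX = build_index(ASSETS, ASSET_KEYS)
IDENTITY_INDEX = build_index(IDENTITIES, ("identity",))

def correlate(event, by_sourcetype=None):
    """Return a copy of event with <field>_<output> fields added, as the automatic
    lookups would. by_sourcetype=None enables correlation for every event; otherwise it
    maps sourcetype -> subset of {"asset", "identity"}; unlisted sourcetypes stay unenriched."""
    if by_sourcetype is None:
        enabled = {"asset", "identity"}
    else:
        enabled = by_sourcetype.get(event.get("sourcetype"), set())
    enriched = dict(event)
    for kind, fields, index, outputs in (
        ("asset", ASSET_FIELDS, ASSET_INDEX, ASSET_OUTPUTS),
        ("identity", IDENTITY_FIELDS, IDENTITY_INDEX, IDENTITY_OUTPUTS),
    ):
        if kind not in enabled:
            continue
        for field in fields:
            row = index.get(str(event.get(field, "")).lower())
            if row:
                for out in outputs:
                    enriched[f"{field}_{out}"] = row[out]
    return enriched
```

An event whose only address sits in host gets no asset fields, which is exactly the gap the note above about host and orig_host describes.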
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only