Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How Splunk Enterprise Security processes and merges asset and identity data

Splunk Enterprise Security takes the asset and identity data that you add as lookups and generates combined lookup files. Splunk Enterprise Security uses the generated lookup files to correlate asset and identity data with events using automatic lookups. The following steps describe this process at a high level.

  1. You collect asset and identity data from data sources using an add-on and a custom search or manually with a CSV file. See Collect and extract asset and identity data.
  2. You configure any settings in the identity lookup configuration setup. See Define identity formats on the identity configuration page.
  3. The Splunk Enterprise Security identity manager modular input updates settings in the transforms.conf stanza identity_lookup_expanded.
  4. You format the data as a lookup, using a search or manually with a CSV file. See Format the asset or identity list as a lookup.
  5. You configure the list as a lookup table, definition, and input. See Configure a new asset or identity list.
  6. The Splunk Enterprise Security identity manager modular input detects two things:
    • Changed content in the identity_manager://<input_name>.
    • Changes to stanzas in the input.
  7. The Splunk Enterprise Security identity manager modular input updates the macros used to identify the input sources based on the currently enabled stanzas in inputs.conf. For example, the `generate_identities` macro dynamically updates based on the conventions specified on the Identity Lookup Configuration page.
  8. The Splunk Enterprise Security identity manager modular input dispatches lookup generating saved searches if it identifies changes that require the asset and identity lists to be merged.
  9. The lookup generating saved searches merge all configured and enabled asset and identity lists.
    • The primary saved searches concatenate the lookup tables referenced by the identity manager input, generate new fields, and output the concatenated asset and identity lists into target lookup table files.
    • Secondary saved searches generate lookup tables for asset categories, identity categories, and asset PCI domains (in the Splunk App for PCI Compliance).
  10. You verify that the data looks as expected. See Verify that your asset or identity data was added to Splunk Enterprise Security.

The merging of identity and asset lookups does not validate or de-duplicate input. Errors from the identity manager modular input are logged in identity_manager.log. This log does not show data errors.

Last modified on 27 November, 2019
Configure asset and identity correlation in Splunk Enterprise Security   Lookups that store merged asset and identity data in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters