Splunk® Enterprise Security

Administer Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure asset and identity correlation in Splunk Enterprise Security

After you add your asset and identity data to Splunk Enterprise Security, configure asset and identity correlation in Splunk Enterprise Security.

Prerequisite

Verify that your asset and identity data was added to Splunk Enterprise Security

Steps

  1. Choose whether to turn on asset and identity correlation, turn it off, or restrict correlation to occur only for select source types. If in doubt, keep asset and identity correlation turned on. See How asset and identity correlation works for more information about how the correlation enriches events at search time.
  2. From the Splunk ES menu bar, select Configure > Data Enrichment > Asset and Identity Management > Correlation Setup.
  3. Deactivate / Turn off for all sourcetypes is selected by default. You can change this to Activate / Turn on for all sourcetypes or Activate / Turn on selectively by sourcetype.
  4. If you choose Activate / Turn on selectively by sourcetype, type a source type and select the check box for asset and/or identity.
  5. Click Save.

Correlation is turned off by default when deployed from a search head deployer. Disabling asset and identity correlation completely prevents events from being enriched with asset and identity data from the asset and identity lookups. This might prevent correlation searches, dashboards, and other functionality from working as expected. Consult with Splunk Professional Services or Splunk Support before disabling asset and identity correlation.

How asset and identity correlation works

To effectively detect security intrusions, an organization must be able to correlate events in log data with specific assets and identities that may be responsible for, or affected by the intrusion. When asset and identity correlation is turned on, Splunk Enterprise Security compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. The comparison process uses automatic lookups. You can find information about automatic lookups in the Splunk platform documentation.

Asset and identity correlation enriches events with asset and identity data at search time.

  • Asset correlation compares events that contain data in any of the src, dest, or dvc fields against the merged asset lists for matching IP address, MAC address, DNS name, or Windows NetBIOS names. Asset correlation no longer occurs automatically against the host or orig_host fields.
  • Identity correlation compares events that contain data in any of the user or src_user fields against the merged identity lists for a matching user or session.
  • Enterprise Security adds the matching output fields to the event. For example, correlation on the asset src field results in additional fields such as src_is_expected and src_should_timesync.

Asset and identity correlation allows you to determine whether multiple events can relate to the same asset or identity. You can also perform actions on the identity and asset fields added to events to open additional searches or dashboards scoped to the specific asset or identity. For example, open the Asset Investigator dashboard on a src field.

Last modified on 11 August, 2023
Verify that your asset and identity data was added to Splunk Enterprise Security   How Splunk Enterprise Security processes and merges asset and identity data

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters