Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security 8.x documentation.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Add asset and identity data to Splunk Enterprise Security

Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which Enterprise Security correlates with events at search time.

You have choices for registering asset and identity data in ES:

  • Manually register asset and identity data in Asset and Identity Manager
  • Use LDAP to register data in Asset and Identity Manager
  • Use cloud service provider data to register data in Asset and Identity Manager

Manually register asset and identity data in Asset and Identity Manager

Do the following to manually add asset and identity data to ES to take advantage of asset and identity correlation:

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Format the asset or identity list as a lookup in Splunk Enterprise Security.
  3. Configure a new asset or identity list in Splunk Enterprise Security.
  4. Manage assets and identities in Splunk Enterprise Security.
  5. Verify that your asset or identity data was added to Splunk Enterprise Security.

Use LDAP to register data in Asset and Identity Manager

Do the following to use LDAP to register asset and identity data in ES to take advantage of asset and identity correlation.

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Create an asset lookup from your current LDAP data in Splunk Enterprise Security.
  3. Create an identity lookup from your current LDAP data in Splunk Enterprise Security.
  4. Verify that your asset or identity data was added to Splunk Enterprise Security.

Use your cloud service provider to register data in Asset and Identity Manager

Do the following to use your cloud service provider to register asset and identity data in ES to take advantage of asset and identity correlation.

  1. Create an asset lookup from your current cloud service provider data in Splunk Enterprise Security.
  2. Create an identity lookup from your current cloud service provider data in Splunk Enterprise Security.
  3. Verify that your asset or identity data was added to Splunk Enterprise Security.

See also

Lookups that store merged asset and identity data

Asset and identity fields after processing in Splunk Enterprise Security

How Splunk Enterprise Security processes and merges asset and identity data

Last modified on 22 November, 2021
Configure adaptive response actions for a correlation search in Splunk Enterprise Security   Manage asset and identity upon upgrade

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters