Add asset and identity data to Splunk Enterprise Security
Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which Enterprise Security correlates with events at search time.
You have choices for registering asset and identity data in ES:
- Manually register asset and identity data in Asset and Identity Manager
- Use LDAP to register data in Asset and Identity Manager
- Use cloud service provider data to register data in Asset and Identity Manager
Manually register asset and identity data in Asset and Identity Manager
Do the following to manually add asset and identity data to ES to take advantage of asset and identity correlation:
Use LDAP to register data in Asset and Identity Manager
Do the following to use LDAP to register asset and identity data in ES to take advantage of asset and identity correlation.
Use your cloud service provider to register data in Asset and Identity Manager
Do the following to use your cloud service provider to register asset and identity data in ES to take advantage of asset and identity correlation.
See also
Lookups that store merged asset and identity data
Asset and identity fields after processing in Splunk Enterprise Security
How Splunk Enterprise Security processes and merges asset and identity data
Configure adaptive response actions for a correlation search in Splunk Enterprise Security | Manage asset and identity upon upgrade |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!