Manage assets and identities in Splunk Enterprise Security
Use the Asset and Identity Management page to enrich and manage asset and identity data using lookups. The Asset and Identity Management interface replaces the previously separate menus for Identity Management, Identity Correlation, and Identity Lookup Configuration. You need to have the edit_modinput_identity_manager capability to use it. See Configure users and roles in the Installation and Upgrade Manual.
When the identity manager runs, it processes all of the asset and identity input configurations that have changed. If the source has been updated, the identity manager dispatches the SPL created by a custom-built search.
The SPL search uses a custom search command that handles the merging and updating of new data to existing data. The custom search command merges data based on key fields and policies that you define here.
Assets and identities that need to be deleted are updated in the KV store with a
_delete flag set to
True so that the delete operation can persist and be completed at a later time.
The custom search command returns the merged data, which is updated or inserted to the KV store using
outputlookup append=T. The identity manager checks and processes rows that are marked for deletion.
If you have customized the menu bar in Splunk Enterprise Security, the Asset and Identity Management navigation and page do not display. See Restore the default navigation to restore them.
Perform the following prerequisite tasks before starting any of the tasks listed in the table:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Asset and identity management tasks
Complete the following tasks to manage configuration settings for assets and identities. These tasks do not need to be performed in any particular order.
|Configure asset lookup configuration
|The asset lookup configuration settings create the policy that updates the inputs.conf file to point to a lookup and update your assets. You can change settings such as the following:
|Manage asset lookup configuration policies in
|Configure asset field settings
|Configure asset field settings for lookup matching. You can change settings such as the following:
|Manage asset field settings in
|Create identity lookup configuration
|Create an identity lookup configuration policy to update and enrich your identities. You can change settings such as the following:
|Manage identity lookup configuration policies in
|Configure identity field settings
|Configure identity settings for lookup matching. You can change settings such as the following:
|Manage identity field settings in
|Configure Correlation setup
|When asset and identity correlation is turned on, compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. You can change settings such as the following:
|Manage correlation setup in
|You can test the asset and identity merge process if you want to confirm that the data produced by the merge process is expected and accurate. You can test the following:
|Use the search preview to test the merge of asset and identity data in
|Configure global settings
|Configure the global settings of the identity manager modular input to revise the way the identity manager works by default.
Create an identity lookup from your cloud service provider data in Splunk Enterprise Security
Manage asset lookup configuration policies in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0