Add asset and identity data to Splunk Enterprise Security
Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which Enterprise Security correlates with events at search time.
Use the Asset and Identity Management page to enrich and manage asset and identity data using lookups. Ensure you have the edit_modinput_identity_manager capability assigned to your user role to access this feature. See Configure users and roles in the Installation and Upgrade Manual.
When the identity manager runs, it processes all of the asset and identity input configuration.
The SPL search uses a custom search command that handles the merging and updating of new data to existing data. The custom search command merges data based on key fields and policies that you define here.
Assets and identities that need to be deleted are updated in the KV store with a _delete flag set to True so that the delete operation can persist and be completed at a later time.
The custom search command returns the merged data, which is updated or inserted to the KV store using outputlookup append=T. The identity manager checks and processes rows that are marked for deletion.
You have choices for registering asset and identity data in ES:
- Manually register asset and identity data in Asset and Identity Manager
- Use LDAP to register data in Asset and Identity Manager
- Use cloud service provider data to register data in Asset and Identity Manager
Manually register asset and identity data in Asset and Identity Manager
Do the following to manually add asset and identity data to ES to take advantage of asset and identity correlation:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format an asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
- Verify that your asset or identity data was added to Splunk Enterprise Security.
Use LDAP to register data in Asset and Identity Manager
Do the following to use LDAP to register asset and identity data in ES to take advantage of asset and identity correlation.
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Create an asset lookup from your current LDAP data in Splunk Enterprise Security.
- Create an identity lookup from your current LDAP data in Splunk Enterprise Security.
- Verify that your asset or identity data was added to Splunk Enterprise Security.
Use your cloud service provider to register data in Asset and Identity Manager
Do the following to use your cloud service provider to register asset and identity data in ES to take advantage of asset and identity correlation.
- Create an asset lookup from your current cloud service provider data in Splunk Enterprise Security.
- Create an identity lookup from your current cloud service provider data in Splunk Enterprise Security.
- Verify that your asset or identity data was added to Splunk Enterprise Security.
See also
| Data model reference for dashboards in Splunk Enterprise Security | Extract asset and identity data in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!