Splunk® Enterprise Security

Administer Splunk Enterprise Security

Add asset and identity data to Splunk Enterprise Security

Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which Enterprise Security correlates with events at search time.

You have choices for registering asset and identity data in ES:

  • Manually register asset and identity data in Asset and Identity Manager
  • Use LDAP to register data in Asset and Identity Manager
  • Use cloud service provider data to register data in Asset and Identity Manager

Manually register asset and identity data in Asset and Identity Manager

Do the following to manually add asset and identity data to ES to take advantage of asset and identity correlation:

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Format the asset or identity list as a lookup in Splunk Enterprise Security.
  3. Configure a new asset or identity list in Splunk Enterprise Security.
  4. Manage assets and identities in Splunk Enterprise Security.
  5. Verify that your asset or identity data was added to Splunk Enterprise Security.

Use LDAP to register data in Asset and Identity Manager

Do the following to use LDAP to register asset and identity data in ES to take advantage of asset and identity correlation.

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Create an asset lookup from your current LDAP data in Splunk Enterprise Security.
  3. Create an identity lookup from your current LDAP data in Splunk Enterprise Security.
  4. Verify that your asset or identity data was added to Splunk Enterprise Security.

Use your cloud service provider to register data in Asset and Identity Manager

Do the following to use your cloud service provider to register asset and identity data in ES to take advantage of asset and identity correlation.

  1. Create an asset lookup from your current cloud service provider data in Splunk Enterprise Security.
  2. Create an identity lookup from your current cloud service provider data in Splunk Enterprise Security.
  3. Verify that your asset or identity data was added to Splunk Enterprise Security.

See also

Lookups that store merged asset and identity data

Asset and identity fields after processing in Splunk Enterprise Security

How Splunk Enterprise Security processes and merges asset and identity data

Last modified on 19 January, 2022
Configure adaptive response actions for a correlation search in Splunk Enterprise Security   Manage asset and identity upon upgrade

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters