Splunk® App for PCI Compliance

User Manual

Download manual as PDF

Download topic as PDF

Asset and Identity Correlation

The Splunk App for PCI Compliance compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. See Configure assets and Configure identities in the Installation and Configuration Manual.

The comparison process uses automatic lookups. See Make your lookup automatic in the Knowledge Manager Manual.

Asset and identity correlation enriches events with asset and identity data at search time.

  • Asset correlation compares events that contain data in any of the src, dest, or dvc fields against the merged asset lists for matching IP address, MAC address, DNS name, or Windows NetBIOS names.
  • Identity correlation compares events that contain data in any of the user or src_user fields against the merged identity lists for a matching user or session.
  • The Splunk App for PCI Compliance adds the matching output fields to the event. For example, correlation on the asset src field results in additional fields such as src_is_expected and src_should_timesync.

Asset and identity correlation allows you to determine whether multiple events can relate to the same asset or identity. You can also perform actions on the identity and asset fields added to events to open additional searches or dashboards scoped to the specific asset or identity. For example, open the Asset Investigator dashboard on a src field.

Asset and identity correlation uses several potential match points to establish asset and identity correlations:

  • A dashboard view: A flashtimeline looking at indexed raw events or the Asset Center dashboard.
  • A point in time reference: A summary or lookup generation that pulls in identity or asset information for later use.
  • An alert generation: An email or a script or a report. Notable events do not match in the alert generation category.
  • Correlation searches: These searches also match on point-in-time data.

Note: Write searches that look for "individuals matching criteria", and not "emails and account names like this" so that these matches will work correctly.

How asset and identity correlation functions over time

Asset and identity correlation is valuable over time provided that you write searches that refer to asset and identity fields, rather than field values and you keep asset and identity lists updated. This example shows you why this is important.

Month one: In the first month, SERVER42 is at address 192.168.1.1 and is owned by Tom Pynchon, whose email is tpynchon@yoyodyne.com and phone number is 510-555-1212.

Views, dashboards, and searches in the Splunk App for PCI Compliance use this data. Summaries run, some notable events are generated, and some alerts are sent, all using this information.

Month Owner IP address hostname email phone number
1 Tom Pynchon 192.168.1.1 SERVER42 tpynchon@yoyodyne.com 510-555-1212

In month one, two correlation searches are run by the Yoyodyne security admin:

  • A custom correlation search looking for "tpynchon@yoyodyne.com". This works fine in month one.
  • A custom correlation search looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")". This also works fine in month one.

Month two: In the second month, Yoyodyne is assimilated by Wintermute. Because Wintermute is very efficient, the lookup tables (asset lists and identity lists, and so on) are updated immediately. Now SERVER42 is at address 172.16.42.42, Tom is the owner, but his email is now tpurhaus@wintermute.net, his phone is 888-123-4567.

Dashboards, views, and searches update to use the new information everywhere. Alerts also use the new information, unless they are using old summary or lookup data.

Month Owner IP address hostname email phone number
1 Tom Pynchon 192.168.1.1 SERVER42 tpynchon@yoyodyne.com 510-555-1212
2 Tom Pynchon 172.16.42.42 SERVER42 tpurhaus@wintermute.net 888-123-4567

In month two the two correlation searches are run again by the Yoyodyne security admin:

  • The custom correlation search looking for "tpynchon@yoyodyne.com" fails to generate a notable event when Tom emails his friend Bill with some secret files.
  • The custom correlation search looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" generates a notable event when Tom emails his friend Bill with some secret files.

Month three: In month three, Tom leaves Wintermute to go work with Bill. His role administering SERVER42 is taken over by Jane Doe, whose email address is jdoe6@wintermute.net and phone number is 888-123-9876.

In month three, the two correlation searches are run again by the Yoyodyne security admin:

  • The custom correlation search looking for "tpynchon@yoyodyne.com" still does not work.
  • The custom correlation search looking for "(user_is_privileged="true" OR user_priority="critical" OR user_priority="high")" still works.

In this example, correlation searches continue to work correctly if the ownership relationship for SERVER42 is updated in the asset list.

Month Owner IP address hostname email phone number
1 Tom Pynchon 192.168.1.1 SERVER42 tpynchon@yoyodyne.com 510-555-1212
2 Tom Pynchon 172.16.42.42 SERVER42 tpurhaus@wintermute.net 888-123-4567
3 Jane Doe 172.16.42.42 SERVER42 jdoe6@wintermute.net 888-123-9876

Looking at the same incident for SERVER42 over the three month period would show three different phone numbers, always displaying the current number. Keeping asset and identity lists accurate and up-to-date is necessary for asset and identity correlation to function properly.

PREVIOUS
Manage and customize investigation statuses in Splunk Enterprise
  NEXT
Search View Matrix

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.1.3, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters