Asset and Identity framework in Splunk ES

The Asset and Identity framework performs asset and identity correlation for fields that might be present in an event set returned by a search. The Asset and Identity framework relies on lookups and configurations managed by the Enterprise Security administrator.

This framework is one of five frameworks in Splunk Enterprise Security with which you can integrate. See Building Integrations for Splunk Enterprise Security for an introduction to the frameworks.

The diagram presents an overview of the Asset and Identity framework, with the possible integration points highlighted.

This diagram shows how admins, analysts, and developers can interact with the asset and identity framework. A set of add-ons collect asset and identity data from external systems and produce lookup tables. An identity manager script dispatches saved searches based on source data and configurations made by admins. Saved searches create canonical lookup tables which supply data to dashboards and searches. Security analysts use asset and identity data across multiple dashboards and ad hoc searches. Security admins perform configuration that affects the framework at two key stages: 1. The admin identifies source lookups to the identity manager script using inputs.conf. 2. The admin customizes identity conventions, lookup definitions, and source types for asset and identity correlations, affecting the way asset and identity information is understood by the identity manager script and in Splunk searches. Developers can integrate with the asset and identity framework by creating an add-on to collect asset and identity information from a custom source or service and formatting the results as a lookup table.

Terminology for the Asset and Identity framework

An asset is a networked system in a customer organization. The Asset and Identity framework identifies assets using the following key fields.

Field Description
ip An IP address.
dns A domain name.
nt_host A NetBIOS name.
mac A MAC or machine address.

An identity is a set of names that belong to or identify an individual user or user account. The Asset and Identity framework identifies identities by a single key field.

Field Description
identity A valid representation of an identity.

Integrate with the Asset and Identity framework

There is only one integration point available for the Asset and Identity framework. Developers can create custom data collection add-ons to extract and prepare data for ingestion by Splunk Enterprise Security.

Review the preexisting collection methods to determine whether your data source is already accounted for. See Collect and extract asset and identity data in Splunk Enterprise Security for a list of preexisting collection methods for a variety of standard data sources.

If the existing add-ons do not cover your use case, create a new add-on to extract the asset and identity data from the source system. Output the asset and identity data as one or more lookup files. See Format an asset or identity list as a lookup in Splunk Enterprise Security for the headers and fields expected for asset data and identity data.