Configure asset and identity data for UEBA in Splunk Enterprise Security
UEBA uses the Asset and Identity Framework in Splunk Enterprise Security to link intermediate findings to the correct user or asset and to enrich the intermediate findings with attributes of that user or asset. Asset and identity data powers entity lists, enriches intermediate findings with context, and ensures that risk scores are calculated for the right entities.
-
Ensure that your Asset and Identity Framework is set up and populated with accurate data. You can collect this information from internal sources or through integrations like the Splunk Supporting Add-on for Active Directory. See Collect and extract asset and identity data in Splunk Enterprise Security.
-
Verify that at least one identity source is configured and turned on in the Asset and Identity Management page. See Manage identity lookup configuration policies in Splunk Enterprise Security.
The following fields from the Asset and Identity framework are used to normalize risk objects, support peer grouping, and provide relevant contextual information on the UEBA and entity pages.
- first, last
- identity
- managedBy
- bunit
- StartDate
- EndDate
- Category
- asset
- asset_tag
- bunit
- category
- city
- country
- dns
- ip
- Mac
- nt_host
- owner
- pci_domain
- priority