Entity discovery source categories
Exposure Analytics can use any source containing asset-relevant data. You can group these sources into different categories as described in the following table:
| Source category | Description | Examples |
|---|---|---|
| Endpoint agent | Agents that are typically installed on workstation, mobile, and server endpoints. These might include antivirus, data leakage, or server management agents. | |
| Scanning data | Data that is obtained from network scanners and discovery tools. These might include asset or vulnerability scanners. | |
| Endpoint event data | Data that is generated within endpoint log events that might contain relevant asset data. | |
| Network event data | Data that is generated within network log events that might contain relevant asset data. | |
| Database | Asset-related data that is held in structured database tables or stores. | |
| Cloud | Asset data from cloud providers. | |
| Splunk Add-on for Asset and Risk Intelligence | An app deployed to your Splunk forwarders that gathers asset-relevant events for added enrichment and context. | n/a |
When you set up a source in Exposure Analytics, the source is assigned to an inventory. Exposure Analytics can only assign a source to an inventory if the source contains the key field for that inventory. As a result, when you identify a suitable source, you might want to choose a source that contains at least 2 of the key fields. The key fields for each inventory are as follows:
| Key field | Inventory |
|---|---|
| nt_host | Asset |
| ip | IP |
| user_id | User |
| mac | MAC |
| nt_host, product | Software |
| nt_host, signature or cve | Vulnerability |
| user_id, application | Cloud application |
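
The following Python sketch is an added example, not part of the original documentation or the product's own code. It checks a sample of events from a candidate source against the key-field table above and reports which inventories the source could feed. The function names, the sample events, and the `min_coverage` threshold are assumptions made for illustration.

```python
# Key fields per inventory, from the table above. Each requirement is a tuple
# of alternatives, so ("signature", "cve") means "signature or cve".
KEY_FIELDS = {
    "Asset": [("nt_host",)],
    "IP": [("ip",)],
    "User": [("user_id",)],
    "MAC": [("mac",)],
    "Software": [("nt_host",), ("product",)],
    "Vulnerability": [("nt_host",), ("signature", "cve")],
    "Cloud application": [("user_id",), ("application",)],
}

def has_value(event, field):
    """A field counts only if it is present and not blank."""
    value = event.get(field)
    return value is not None and str(value).strip() != ""

def event_feeds(event, requirements):
    """True if the event carries every key field (any one of each alternative)."""
    return all(any(has_value(event, f) for f in alts) for alts in requirements)

def inventory_coverage(events):
    """Return {inventory: fraction of events carrying all of its key fields}."""
    total = len(events)
    return {
        inv: (sum(event_feeds(e, req) for e in events) / total if total else 0.0)
        for inv, req in KEY_FIELDS.items()
    }

def eligible_inventories(events, min_coverage=0.5):
    """Inventories the source can usefully feed. min_coverage is a hypothetical
    threshold for this check, not an Exposure Analytics setting."""
    coverage = inventory_coverage(events)
    return sorted(inv for inv, c in coverage.items() if c >= min_coverage)

# Constructed sample events, shaped like output from a vulnerability scanner.
SAMPLE_SCAN_EVENTS = [
    {"nt_host": "web01", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "cve": "CVE-EXAMPLE-1"},
    {"nt_host": "web02", "ip": "10.0.0.6", "signature": "constructed-signature"},
    {"nt_host": "", "ip": "10.0.0.7", "cve": "CVE-EXAMPLE-2"},  # blank host name
    {"ip": "10.0.0.8"},
]

if __name__ == "__main__":
    for inv, cov in inventory_coverage(SAMPLE_SCAN_EVENTS).items():
        print(f"{inv:18} {cov:.0%}")
    print("Eligible:", eligible_inventories(SAMPLE_SCAN_EVENTS))
```

Events with a blank `nt_host` do not count toward the Asset or Vulnerability inventories, which is why a source can look suitable by field name yet contribute little once field population is measured.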