Exposure Analytics setup guide for admins in Splunk Enterprise Security
As a Splunk Enterprise Security admin, you can set up exposure analytics to automatically detect data sources and enrich findings with contextual data, which allows you to continuously discover assets and users across your environment. Exposure analytics empowers security analysts to prioritize and focus investigations, report on security control deficiencies, and proactively reduce the attack surface.
To begin, select Configure and then Exposure analytics in Splunk Enterprise Security. The first time you access the exposure analytics settings, you'll need to select Start set up. The following table provides an overview of each setup task and links to the documentation for getting started.
| Step number | Setup task | Description | Documentation |
|---|---|---|---|
| 1 | (Recommended) Set up company subnet directory | Populate a company subnet directory to help locate assets on enrichment lookups. | Populate the company subnet directory |
| 2 | (Required) Configure entity discovery sources | Automatically detect data sources for discovery and pull data from specific events. You can select from predefined, compatible data sources, or add your own additional sources. | Configuring entity discovery sources for Exposure Analytics |
| 3 | (Optional) Add additional inventory fields | Manage your inventories by adding your own additional inventory fields. | Adding an additional field |
| 4 | (Optional) Add or modify enrichment rules | Use default enrichment rules to improve asset information such as missing field values. You can also create new enrichment rules. | Create an enrichment rule |