Populate Splunk ES Asset and Identity (A&I) lookups with entity discovery data

Overview

Entity discovery in Exposure Analytics can automatically populate the Asset and Identity lookups in Splunk Enterprise Security. This helps ensure findings, detections, and related workflows in Splunk ES are enriched with accurate, current context.

Once Entity discovery is configured and actively discovering assets and users, this functionality is enabled by default.

Using Entity discovery to populate Asset and Identity (A&I) lookups helps:

  • Add timely asset and user context to findings and detections

  • Improve the accuracy of enrichment in Splunk ES

  • Support other Enterprise Security capabilities that depend on A&I data

Understand the Difference Between Entity Discovery and A&I Lookups

Although both contain asset and identity information, Entity discovery and A&I lookups are different in their approach.

Entity discovery in Exposure Analytics is designed to identify assets and users that are actively present on the network. It continuously updates inventories and tracks relationships between entities over time.

Asset and Identity lookups in the A&I framework may include manually maintained or older data sources. As a result, they can contain assets or identities that are no longer active, records that have not been updated recently, and stale or inaccurate context.

Typically, only active assets and users discovered by Entity discovery are populated into the A&I lookups. This approach:

  • Keeps lookup sizes manageable

  • Prioritizes relevant, active entities

  • Improves enrichment for findings and detections, which typically involve active assets and users

Supported Population Modes

You can populate the A&I lookups in one of three ways.

1. Entity discovery only

Assets and users discovered by Entity discovery are written to the A&I lookups on a scheduled basis that you define.

In this mode:

  • No additional asset or identity lookups are added manually to the A&I framework

  • Entity discovery views can be used for filtered asset and user searches

  • The Entity analysis view provides full attribution functionality

This is the recommended configuration. In this mode, Entity discovery acts as the superset of entity data, and a relevant subset is used to populate the A&I lookups.

2. A&I lookups only

Asset and identity data is maintained manually in the A&I framework and entity discovery is not configured.

In this mode:

  • Entity discovery views are not available

  • The Entity analysis view provides limited functionality based only on A&I lookup data

3. Entity discovery and additional A&I lookups

In this hybrid model, Entity discovery populates the A&I lookups while additional manually maintained A&I lookups are also included.

This can be useful if:

  • Some assets cannot be discovered by Entity discovery

  • You need to maintain supplemental records outside Exposure Analytics

However, this mode may also merge current and accurate entity discovery data with stale or inaccurate A&I lookup data.

If you are upgrading to a new version of Splunk Enterprise Security and plan to use Entity discovery in Exposure Analytics, the recommended goal should be to move to Entity discovery only mode.

If you are transitioning from A&I lookups only mode to Entity discovery only:

  • Do not simply reuse existing A&I lookups as Entity discovery sources without review

  • If you do use them as static Entity discovery sources, configure them as Passive sources

When moving from A&I lookups only mode to Entity discovery only mode, do not simply take the existing A&I lookups and use them as sources for Entity discovery. If they are used as static Entity discovery sources and do not contain any time field that indicates network activity, configure them as Passive sources. Setting a source to Passive ensures that its records are not treated as active assets or users.

Configuring Entity discovery to populate the A&I lookups

Population of the Asset and Identity lookups is turned on by default. Once Entity discovery within Exposure Analytics is configured and assets and users are being discovered, the assets and users discovered within the past 30 days are populated into the Asset and Identity lookups every 15 minutes by default.

You can select which data is populated into the A&I lookups and how frequently this occurs.

To configure the entity discovery data that is used to populate the lookups, perform the following steps:

  1. Navigate to Configure -> All configurations
  2. Select Assets and Identities from the Data section
  3. Click on the Global settings tab
  4. From the panel named Turn on entity discovery population, toggle the Assets and Identities to on
  5. Click on the Update entity discovery population dropdown and select either Assets or Identities
  6. In the Update entity discovery population modal that appears, set the following:
     • Population schedule – how often the lookup is populated with new entity discovery data
     • Last seen – how far back the assets or users were last seen or discovered on the network
     • Maximum populated assets/identities – the maximum number of rows populated into the lookup
  7. Enter any logic to filter what is populated into the lookup
  8. Click the Preview button to preview the expected data. The number of results is also displayed
  9. Click Save to save the new filter

Once configured and populating A&I, the following lookups are created and added to the asset and identity lookups respectively:

  • entity_discovery_assets

  • entity_discovery_identities

These lookups are then merged with any other asset or identity lookups to create the main A&I lookups. By default, the Entity discovery-populated lookups are assigned a higher rank so their data takes precedence over older or less reliable lookup sources.
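The population settings and the ranked merge described above, modelled as an added Python example (not Splunk's own code; the field names, sample records and the 30-day window are constructed assumptions). It shows why a stale manually maintained lookup still surfaces in hybrid mode even though the Entity discovery record wins on a key clash:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are illustrative, not the real lookup schema.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# What Entity discovery currently knows, each with a last-seen timestamp.
DISCOVERED_ASSETS = [
    {"ip": "10.0.0.5", "nt_host": "web01", "priority": "high",
     "last_seen": NOW - timedelta(days=2)},
    {"ip": "10.0.0.9", "nt_host": "db01", "priority": "critical",
     "last_seen": NOW - timedelta(days=12)},
    {"ip": "10.0.0.42", "nt_host": "old-lab", "priority": "low",
     "last_seen": NOW - timedelta(days=90)},
]

# A manually maintained asset lookup (hybrid mode), ranked below Entity discovery.
MANUAL_ASSETS = [
    {"ip": "10.0.0.5", "nt_host": "web01-legacy", "priority": "low", "owner": "ops"},
    {"ip": "10.0.0.77", "nt_host": "printer", "priority": "low"},
]


def populate_entity_discovery_assets(records, last_seen_days=30, max_rows=100,
                                     filter_fn=None, now=NOW):
    """Model the population settings: last-seen window, optional filter, row cap."""
    cutoff = now - timedelta(days=last_seen_days)
    active = [r for r in records if r["last_seen"] >= cutoff]
    if filter_fn is not None:
        active = [r for r in active if filter_fn(r)]
    # Most recently seen first, so the row cap keeps the freshest entities.
    active.sort(key=lambda r: r["last_seen"], reverse=True)
    return [{k: v for k, v in r.items() if k != "last_seen"} for r in active[:max_rows]]


def merge_asset_lookups(ranked_lookups, key="ip"):
    """Merge lookups listed from highest to lowest rank; higher-rank fields win on a key clash."""
    merged = {}
    for lookup in reversed(ranked_lookups):          # apply the lowest rank first ...
        for rec in lookup:
            merged.setdefault(rec[key], {}).update(rec)  # ... so higher ranks overwrite
    return merged


if __name__ == "__main__":
    ed = populate_entity_discovery_assets(DISCOVERED_ASSETS)
    for ip, rec in sorted(merge_asset_lookups([ed, MANUAL_ASSETS]).items()):
        print(ip, rec)
```

Note that 10.0.0.77 (manual only) survives the merge while 10.0.0.42 (outside the last-seen window) does not, which is the stale-data risk of the hybrid mode.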

Map additional Entity discovery fields to A&I lookups

Exposure Analytics contains predefined and additional entity fields beyond those in the Asset and Identity lookups. If needed, you can map additional Entity discovery fields into the asset or identity lookups.

  1. Navigate to Configure -> All configurations
  2. Select Assets and Identities from the Data section
  3. Select either Asset fields or Identity fields tab depending on which lookup you are adding entity discovery fields to
  4. Click on the Add new field button
  5. Complete the field information as required
  6. From the Entity discovery fields drop down, select the field from Entity discovery that should map to this field
  7. Click Save

The newly mapped field will now be included in the next scheduled population.

You can validate that the field is being populated by going to the Global settings tab and clicking the Update entity discovery population dropdown on the Turn on entity discovery population panel. Once the modal has loaded, click Preview to view the results.

Disabling Entity discovery population of A&I lookups

To disable the entity discovery population of the Asset and Identity lookups, follow these steps:

  1. Navigate to Configure -> All configurations
  2. Select Assets and Identities from the Data section
  3. Click on the Global settings tab
  4. From the panel named Turn on entity discovery population, toggle the Assets and Identities to off

Turning the toggle off removes the lookups from the Asset and Identity lookups tables.