Data collected by the Splunk Add-on for Exposure Analytics
The Splunk Add-on for Exposure Analytics collects asset-relevant information using scripted inputs. The inputs run at different frequencies. For example, the add-on collects network data more frequently than system data because system data changes less frequently.
| Type | Description | Entity discovery source fields | Sourcetype |
|---|---|---|---|
| System | Includes system information from assets. The fields collected depend on the operating system. | nt_host, os, os_version, os_build, os_vendor, os_configuration, os_build_type, os_install_date, windows_directory, system_directory, system_boot_time, boot_device, registered_user, virtual_mem, processor, cpu_cores, cpu_mhz, domain, mem, system_type, available_memory, available_virtual_memory, serial, vendor, bios_version, product, model_identifier, chip, system_firmware_version, os_loader_version, hardware_uuid, provisioning_udid, kernel_version, boot_volume, boot_mode, secure_virtual_memory, system_integrity_protection, time_since_boot | ea:ta:asset |
| Network | Includes network information from assets including IP addresses and MAC addresses | mac, ip, ip_translated | ea:ta:asset |
| User | Includes information about the last user associated with the asset | user_id, account_active, last_logon, session | ea:ta:asset |
| Encryption | Includes encryption data from Windows (BitLocker) and Mac (Filevault) | bitLocker_version, encryption_method, volume_label, volume_letter, volume_type, drive_type, size, protection_status, conversion_status, fde_encrypted=1, fde_version, activation_lock_status | ea:ta:asset |