Attribute events to an asset

Identify user and network asset activity over a particular time frame by attributing network assets or users to any raw event in the Splunk platform that contains an IP address. Asset attribution is particularly useful for targeted investigations or situations when you might want to match up assets from a particular point in time. For example, you can take an event containing an IP address, such as a firewall log source, and attribute a user ID to it.

To attribute events and find matching assets, complete the following steps:

  1. In Exposure Analytics, select Investigation from the main menu navigation bar, and then select Asset attribution.
  2. Select Event to asset attribution insights.
  3. Using the drop-down list, select a time range. See Select time ranges to apply to your search in the Splunk Enterprise Search Manual.
  4. Select which source types to search.
  5. Enter an IP address, host name, or user ID.
  6. (Optional) Specify the Zone if you use IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
  7. (Optional) Add an Eventtype or tag. For example, you can add a Malware tag to a raw event that's a malware data source.
  8. Enter an IP field to match on. The IP field in your raw data might be src, dest, dest_ip, src_ip, or something else, so specify which field you want to match on. For example, if your firewall source type carries the IP address in the src field, match on the src field.
  9. Select Submit. It might take a few seconds for the results to load.
  10. (Optional) Use the drop-down lists for Span and Split by to sort the resulting table.

Note: The matched_host and matched_user columns are the values that Exposure Analytics attributes to each group of events.

After you configure your search for asset attribution, you can select any row in the table to further investigate the associated raw events. Or, you can select View all results to open all of the events in a Splunk search.
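The procedure above is driven from the Exposure Analytics UI, but the underlying idea (take the IP address from a chosen field of a raw event, look it up in an asset inventory as it stood at the event's timestamp, and group the results by matched host and user) is easy to see in code. The following is an added, self-contained illustration written for this page; it is not Splunk's implementation and does not use the Splunk API. The inventory records, IP zones, field names (src, dest, _time) and events are all constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address


def ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed sample data."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class AssetRecord:
    """One inventory row: who held an IP, in which zone, during a validity window."""
    ip: str
    zone: str
    host: str
    user: str
    valid_from: datetime
    valid_to: datetime  # exclusive upper bound


# Constructed inventory (hypothetical): 10.0.0.5 was leased to two different
# laptops on the same day, and the same address also exists in a separate "lab" zone.
INVENTORY = [
    AssetRecord("10.0.0.5", "corp", "lap-01", "alice", ts("2024-05-01T00:00:00"), ts("2024-05-01T12:00:00")),
    AssetRecord("10.0.0.5", "corp", "lap-02", "bob",   ts("2024-05-01T12:00:00"), ts("2024-05-02T00:00:00")),
    AssetRecord("10.0.0.5", "lab",  "lab-vm", "svc",   ts("2024-05-01T00:00:00"), ts("2024-06-01T00:00:00")),
    AssetRecord("10.0.0.9", "corp", "fs-01",  "-",     ts("2024-01-01T00:00:00"), ts("2025-01-01T00:00:00")),
]


def attribute_event(event: dict, ip_field: str, inventory, zone: str = "corp"):
    """Point-in-time attribution of one raw event.

    Reads the IP from `ip_field` (src, dest, ...), then returns the
    (matched_host, matched_user) pair whose inventory record covers the
    event's _time in the requested zone, or (None, None) if nothing matches
    (missing field, unparsable address, wrong zone, or no record valid then).
    """
    raw = event.get(ip_field)
    if raw is None:
        return (None, None)
    try:
        ip = ip_address(raw)
    except ValueError:
        return (None, None)
    when = ts(event["_time"])
    for rec in inventory:
        if rec.zone == zone and ip_address(rec.ip) == ip and rec.valid_from <= when < rec.valid_to:
            return (rec.host, rec.user)
    return (None, None)


def attribute_events(events, ip_field: str, inventory, zone: str = "corp") -> Counter:
    """Attribute every event and count events per (matched_host, matched_user) group,
    which is what a results table split by those two columns would show."""
    groups = Counter()
    for ev in events:
        groups[attribute_event(ev, ip_field, inventory, zone)] += 1
    return groups


# Constructed firewall-style raw events; only the fields used here are included.
EVENTS = [
    {"sourcetype": "fw", "_time": "2024-05-01T08:15:00", "src": "10.0.0.5",  "dest": "10.0.0.9"},
    {"sourcetype": "fw", "_time": "2024-05-01T09:30:00", "src": "10.0.0.5",  "dest": "8.8.8.8"},
    {"sourcetype": "fw", "_time": "2024-05-01T13:05:00", "src": "10.0.0.5",  "dest": "10.0.0.9"},
    {"sourcetype": "fw", "_time": "2024-05-01T14:00:00", "src": "not-an-ip", "dest": "10.0.0.9"},
]

if __name__ == "__main__":
    # Match on the src field, as you would for a firewall source type whose
    # client address is in src; the same events matched on dest give the servers.
    for (host, user), n in attribute_events(EVENTS, "src", INVENTORY).items():
        print(f"matched_host={host} matched_user={user} count={n}")
```

The point worth noticing is the validity window: the same address 10.0.0.5 attributes to lap-01/alice at 08:15 but to lap-02/bob at 13:05, which is why the time range and the event timestamp matter rather than just the IP. Choosing the wrong IP field, or the wrong zone when addresses overlap, silently yields no match, so those are the first things to check when a search returns empty matched_host and matched_user columns.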