Entity zones in Exposure Analytics

Overview

Exposure Analytics can discover entities by zone, including assets, IP addresses, MAC addresses, and users. Zone-based discovery is particularly useful in environments with overlapping networks, where the same identifiers may appear in different zones.

Before entity zones can be used in Exposure Analytics, zones must first be configured and defined in the Global Settings tab of Asset and Identity Management. See Turn on entity zones for assets and identities in Splunk Enterprise Security.

Entity Zone Discovery

For entity zones to be discovered and recorded in entity inventories, the cim_entity_zone field must be populated in the entity discovery sources with a valid predefined zone.

When discovering assets, MAC addresses, and users, the zone is captured and recorded alongside the other fields in the entity record. For example, when discovering users by user_id, the associated cim_entity_zone, ip, mac, and nt_host values are captured from the entity discovery sources and recorded in the inventory.

When discovering IP addresses, the zone is used together with the IP address as a unique key in the inventory. This allows the same IP address to be discovered and recorded in multiple zones, which supports overlapping IP ranges. For example, when discovering IP addresses by ip, the associated cim_entity_zone is combined with the ip value to create the unique inventory key.

Subnet Directory Enrichment

The Subnet directory under Inventory enrichment can be used to define subnets together with a cim_entity_zone value. This enables enrichment of inventory data by both subnet and zone, which is useful when the same subnet exists in multiple zones.

In this scenario, the same subnet can be added to the directory multiple times, once for each zone. The cim_entity_zone field in the subnet directory specifies the applicable zone for each entry.

If no cim_entity_zone is specified for a subnet directory entry (that is, the field is left null), that entry is used only to enrich inventory data where cim_entity_zone is also null.

During entity discovery processing, the IP address and zone are matched against the subnet directory. Entries with both a matching subnet and matching cim_entity_zone are used to enrich the discovered data. For example, the last seen IP address and cim_entity_zone may be used to look up a subnet and return asset-related location information during asset discovery processing.

Asset and Identity (A&I) lookup population

When populating the A&I lookups, the most recently discovered cim_entity_zone value attributed to the user or asset is included.

If the cim_entity_zone field is null, the default zone name defined in the Asset and Identity Management zone configuration is used instead.
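The following Python block is an added example, not Splunk's own code, that models the zone rules described above: the IP inventory key is the IP address combined with cim_entity_zone, subnet directory entries enrich a record only when both the subnet and the zone match (a null zone matches only null), and A&I lookup population uses the most recently discovered zone, falling back to the configured default zone when that value is null. The zone names, subnets, location strings and DEFAULT_ZONE value are constructed placeholders; the function names are assumptions made for the example.

```python
import ipaddress
from typing import Optional

# Constructed placeholder for the default zone name configured in
# Asset and Identity Management (assumption, not a value from the page).
DEFAULT_ZONE = "default"

# Constructed subnet directory entries: (subnet, cim_entity_zone, location).
# The same subnet appears once per zone; the third entry has a null zone.
SUBNET_DIRECTORY = [
    ("10.0.0.0/24", "zone-a", "Building A"),
    ("10.0.0.0/24", "zone-b", "Building B"),
    ("192.168.1.0/24", None, "Lab"),
]


def inventory_key(ip: str, zone: Optional[str]) -> tuple:
    """IP inventory key: the zone is combined with the IP address, so the
    same IP can exist once per zone (supports overlapping IP ranges)."""
    return (ip, zone)


def lookup_subnet(ip: str, zone: Optional[str]) -> Optional[str]:
    """Return the location of the first directory entry whose subnet
    contains ip AND whose cim_entity_zone equals zone.
    A null directory zone only matches a null discovered zone."""
    addr = ipaddress.ip_address(ip)
    for subnet, entry_zone, location in SUBNET_DIRECTORY:
        if addr in ipaddress.ip_network(subnet) and entry_zone == zone:
            return location
    return None


def discover_ip(inventory: dict, ip: str, zone: Optional[str], last_seen: int) -> dict:
    """Record a discovered IP in the inventory, keyed by (ip, zone), and
    enrich it from the subnet directory using both IP and zone."""
    key = inventory_key(ip, zone)
    record = inventory.setdefault(key, {"ip": ip, "cim_entity_zone": zone})
    record["last_seen"] = last_seen
    record["location"] = lookup_subnet(ip, zone)
    return record


def ai_lookup_zone(discoveries: list) -> str:
    """Zone written to the A&I lookup for one asset or user: the zone from
    the most recent discovery event (by last_seen), or DEFAULT_ZONE when
    that zone is null. discoveries is a list of (last_seen, zone) tuples."""
    if not discoveries:
        return DEFAULT_ZONE
    _, latest_zone = max(discoveries, key=lambda d: d[0])
    return latest_zone if latest_zone is not None else DEFAULT_ZONE


if __name__ == "__main__":
    inv = {}
    # The same IP discovered in two zones yields two inventory records.
    discover_ip(inv, "10.0.0.5", "zone-a", last_seen=100)
    discover_ip(inv, "10.0.0.5", "zone-b", last_seen=110)
    discover_ip(inv, "192.168.1.9", None, last_seen=120)
    for key, rec in inv.items():
        print(key, rec["location"])
    print(ai_lookup_zone([(100, "zone-a"), (110, None)]))
```

Running the block prints one record per (ip, zone) pair, with Building A and Building B attached to the two copies of 10.0.0.5, and shows the default zone substituted when the latest discovery has a null cim_entity_zone.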

Removing legacy cim_entity_zone field values from inventories

If there is a need to remove an existing cim_entity_zone value from the asset, user or MAC inventory, a Field aging rule can be configured under Inventory management for the cim_entity_zone field.

This allows previously populated zone values to be cleared from inventory records when required.