Entity discovery field reference
Exposure Analytics includes discovery fields that you can use for discovery filters, investigations, and enrichment rules. Splunk Enterprise Security includes two related but distinct sets of entity fields: entity discovery fields and Asset & Identity (A&I) fields. Understanding how the two sets relate is important when interpreting entity data across the product.
Exposure Analytics includes the following types of entity discovery fields:
- Asset fields
- IP address fields
- User fields
- MAC address fields
Entity discovery fields
Entity discovery fields represent a superset of entity data and are currently viewable only in the Entity discovery and Entity analysis views.
Asset & Identity (A&I) fields
A&I fields are a subset of entity discovery fields. Each A&I lookup has its own defined set of fields, and these are the fields that appear throughout the rest of Splunk ES, for example when an entity is linked to a finding in the analyst queue.
Entity discovery data populates the A&I lookups, but the two field sets are distinct. A field that exists in Entity discovery is not necessarily available in an A&I lookup.
How they appear together in entity analysis
What the Entity analysis view shows depends on whether the entity has been discovered. If Exposure Analytics has discovered the entity, all entity discovery fields are displayed. If the entity has not been discovered but exists in A&I, only the A&I fields are displayed.