Reviewing entity details in Splunk Enterprise Security
Splunk Enterprise Security gives you a structured path from an initial finding to a complete picture of the entity, including its record, associations, risk posture, and network activity. With entity details, you can make a faster, more informed triage decision.
By reviewing entity details, you can identify the assets and users involved in a finding from the events your existing data sources already produce, without onboarding a new feed. This is most relevant to SOC analysts responding to active alerts, solutions engineers validating security tool coverage, and IT operations staff investigating asset behavior flagged by the SecOps team.
To see entity details, select Mission Control. Then, in the queue you're working in, locate a finding to triage. Select the Entity for that finding.
The entity details dialog box shows the entity's field values from the Asset & Identity (A&I) lookups. If you've configured exposure analytics, it is the source that populates those lookups: exposure analytics builds accurate, comprehensive inventories of assets, users, and their interrelationships, and the resulting asset intelligence can be used to regularly update the legacy A&I lookups within Splunk Enterprise Security. Either way, the dialog box can only show what the lookups contain; if an entity has no A&I record, its fields are empty.
If you've set up exposure analytics, you can drill down into the Entity analysis view for more details, where you can see entity discovery field values if the entity in question has been discovered.
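Because the dialog box reads from the A&I lookups, the quickest way to confirm why an entity shows sparse or stale fields is to query the lookup directly. The search below is an added example, not part of the Splunk documentation or product code. It assumes the classic A&I lookup name asset_lookup_by_str and its standard field names (ip, mac, nt_host, dns, owner, priority, bunit, category, should_update); the host name and IP address are constructed values, so substitute the entity from your finding. For a user, the same pattern applies to identity_lookup_expanded with a where clause on identity.

```spl
| inputlookup asset_lookup_by_str where nt_host="ws-fin-042" OR ip="10.20.30.41"
| table ip, mac, nt_host, dns, owner, priority, bunit, category, should_update
```

No rows returned means the entity was never merged into the lookup, so the dialog box has nothing to display; if exposure analytics is configured, check that its most recent update to the lookup has run. A row with should_update=false marks a record that the A&I merge process is deliberately not refreshing, which is a common cause of outdated owner or priority values in the dialog box.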
For more details on entity risk scoring (ERS), see Entity risk scoring.
For more details on entity discovery fields, see Entity discovery field reference.