Add asset and identity data to Splunk Enterprise Security
Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which Enterprise Security correlates with events at search time.
You have choices for registering asset and identity data in ES:
- Manually register asset and identity data in Asset and Identity Manager
- Use LDAP to register data in Asset and Identity Manager
- Use cloud service provider data to register data in Asset and Identity Manager
Manually register asset and identity data in Asset and Identity Manager
Do the following to manually add asset and identity data to ES to take advantage of asset and identity correlation:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
- Manage assets and identities in Splunk Enterprise Security.
- Verify that your asset or identity data was added to Splunk Enterprise Security.
Use LDAP to register data in Asset and Identity Manager
Do the following to use LDAP to register asset and identity data in ES to take advantage of asset and identity correlation.
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Create an asset lookup from your current LDAP data in Splunk Enterprise Security.
- Create an identity lookup from your current LDAP data in Splunk Enterprise Security.
- Verify that your asset or identity data was added to Splunk Enterprise Security.
Use your cloud service provider to register data in Asset and Identity Manager
Do the following to use your cloud service provider to register asset and identity data in ES to take advantage of asset and identity correlation.