Splunk Enterprise Security

Whats the best way to verify Identity and Asset framework is properly setup in ES ?

damode
Motivator
0 Karma

Jhunter
Explorer

Another (slightly crude) way is on your fields side bar for sourcetypes that have asset/identity fields (such as user) extracted, you should see the user_ fields with each user header (example: user_email, user_nick, user_first). 

0 Karma

Jhunter
Explorer

For assets I believe these are the src_ fields that match the asset header such as

src_should_update

src_is_expected

0 Karma

nickhills
Ultra Champion

The easiest way to confirm that you have identities and assets being collected and presented correctly is with the following two searches.

 

 

|`identities`
and
|`assets`

 

 

If those commands produce complete & well formatted output, then it should be working. 

If my comment helps, please give it a thumbs up!

lkutch_splunk
Splunk Employee
Splunk Employee

I agree with nickhillscpl & it's one of the options listed in the doc: 

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata

0 Karma
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...