The Asset and Identity framework within Splunk Enterprise Security (ES) is designed to add enriched context and correlation to raw data fields by mapping logs to known assets (such as devices, servers, and endpoints) and identities (users and accounts). This framework enhances the meaning of raw event data by associating events with relevant organizational entities, which helps in prioritization, detection, and investigation workflows.
The Asset and Identity framework automatically tags and correlates data points with asset categories and user identities, improving detection fidelity and enabling targeted risk scoring.
Adaptive Response is a mechanism for triggering automated actions, not a contextual framework.
The Threat Intelligence framework integrates external intelligence data but does not inherently add context to raw data fields.
The Risk framework calculates risk scores based on multiple factors but builds upon the context enriched by Asset and Identity.
The Splunk Enterprise Security User Guide states that the Asset and Identity framework is critical for making raw event data actionable through contextual enrichment and is foundational to the ES correlation searches and dashboards.
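To make the enrichment concrete, the following is an added Python simulation (not Splunk's own code) of what the framework does: constructed asset and identity tables are joined to constructed raw events by source IP (the most specific match wins) and by a normalized username, and each event inherits the higher of the asset and identity priorities, which is the kind of context the Risk framework then builds on. The field and priority names are assumptions modelled loosely on ES lookup conventions.

```python
"""Simulated asset/identity enrichment with constructed data (not Splunk's code)."""
import ipaddress

# Constructed asset table; column names loosely follow ES asset lookup fields.
ASSETS = [
    {"ip": "10.1.0.0/24", "nt_host": None, "priority": "medium", "category": "workstation"},
    {"ip": "10.1.0.50", "nt_host": "DC01", "priority": "critical", "category": "domain_controller"},
]
# Constructed identity table.
IDENTITIES = [
    {"identity": "jsmith", "priority": "low", "bunit": "sales"},
    {"identity": "svc_backup", "priority": "high", "bunit": "it"},
]
PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def lookup_asset(ip):
    """Return the most specific asset record matching ip (a host entry beats its subnet)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for rec in ASSETS:
        net = ipaddress.ip_network(rec["ip"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = rec, net.prefixlen
    return best

def lookup_identity(user):
    """Match the user field case-insensitively, ignoring a DOMAIN\\ prefix."""
    key = user.split("\\")[-1].lower()
    return next((r for r in IDENTITIES if r["identity"] == key), None)

def enrich(event):
    """Attach asset/identity context and an escalated priority to a raw event."""
    out = dict(event)
    asset = lookup_asset(event["src"])
    ident = lookup_identity(event["user"])
    out["src_priority"] = asset["priority"] if asset else "unknown"
    out["src_category"] = asset["category"] if asset else "unknown"
    out["user_priority"] = ident["priority"] if ident else "unknown"
    out["user_bunit"] = ident["bunit"] if ident else "unknown"
    # Escalate to the higher of the two priorities so risk scoring can weight the event.
    out["priority"] = max(out["src_priority"], out["user_priority"], key=PRIORITY_RANK.__getitem__)
    return out

# Constructed raw events: a failed logon on a domain controller, a service account, an unknown host.
EVENTS = [
    {"src": "10.1.0.50", "user": "CORP\\jsmith", "action": "failure"},
    {"src": "10.1.0.7", "user": "svc_backup", "action": "success"},
    {"src": "192.168.9.9", "user": "nobody", "action": "failure"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(enrich(e))
```

An event from an unknown host and an unknown user stays at priority "unknown", which is exactly the gap an analyst would close by extending the asset and identity lists.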
References: Splunk Enterprise Security User Guide, Chapter 3: Frameworks Overview; Splunk Cybersecurity Defense Analyst Study Guide, Chapter 5: Data Enrichment and Context; Splunk Docs: Asset and Identity Framework.