From Static A&I to Continuous Entity Discovery Using Exposure Analytics in Splunk ES

Security | Naynika Wason, Paul Johnson

Key takeaways

  1. Exposure Analytics helps organizations build a more complete and current view of assets and users using data already flowing through Splunk.
  2. Combining real-time activity data with scheduled inventory sources improves visibility into systems, users, and their relationships.
  3. Continuous entity discovery automatically keeps asset and identity records up to date, reducing manual work and improving investigations.

Asset and identity context is one of the most important inputs to effective security operations. It shapes how teams investigate findings, understand user and system relationships, and determine which entities require attention.

But in many environments, that context still depends on static records, manual updates, or disconnected sources that do not reflect what entities are active across the environment. As systems change and users move, traditional asset and identity approaches can become increasingly difficult to trust.

That is where continuous entity discovery in Exposure Analytics helps.

Exposure Analytics in Splunk Enterprise Security is designed to help organizations move from static asset and identity records to a more continuous discovery model built from the data already flowing through Splunk. By configuring the right mix of discovery sources, combining live and scheduled data, and using source prioritization to resolve conflicting values, organizations can build a stronger and more current entity foundation inside Splunk ES.

Start With the Right Discovery Source Mix

A strong entity picture does not come from any single source. Different systems cover different parts of the environment, and each contributes different context. This is why configuring a varied set of entity discovery sources is foundational in Exposure Analytics.

An effective entity discovery source mix often includes CMDB data, endpoint security telemetry, DHCP and VPN logs, vulnerability scanner data, and operating system security logs. Together, these sources build a fuller and more reliable view of assets and users.

CMDB data can provide inventory enrichment. Endpoint security sources can establish system presence and visibility into deployed security tooling. DHCP and VPN data help connect real-time users, systems, and IP addresses over time. Vulnerability sources contribute another layer of system understanding, while operating system security log data can strengthen both host and user-level visibility.

No single source tells the whole story. The value comes from combining and correlating them to build a more complete entity record.

Streaming and Scheduled Sources Work Together

Not every source contributes in the same way, and that is an important part of our entity discovery design.

Some sources are most valuable as real-time or streaming inputs because they reflect active system or user behavior. DHCP, VPN, and endpoint security telemetry are good examples. These sources help establish which systems are active, how users are connecting, and how IP addresses, hosts, and users relate at a given point in time.

Other sources are better suited to scheduled or batched ingestion because they provide broader reference context or inventory data that changes less frequently. CMDB data and vulnerability scanner data are common examples. These sources help enrich the entity record with asset, platform, and coverage context that strengthens the overall picture.

Exposure Analytics supports this mixed-source model. That matters because a current entity picture depends on both types of input: live activity signals that reflect what is happening now, and structured context sources that help explain what those systems and users are. In practice, the strongest entity discovery foundation comes from combining both.

Effective discovery does not come from choosing between streaming and scheduled sources. It comes from using both in the right combination.

A Single Source of Truth From Multiple Sources of Record

Exposure Analytics uses a patented discovery process that correlates events from multiple entity discovery sources and applies correlation and enrichment logic to continuously build inventories of assets. It also retains a full discovery history, so assets and users can be accurately attributed to security events as they were at any point in time, not only as they are now.

When these sources are correlated, it is common for them to describe the same asset or user differently. One source may have the most current IP address. Another may have an old IP address but reliable ownership information. A third may provide asset metadata or stronger correlation identifiers. Discovery processing applies source prioritization and enrichment logic to resolve these conflicts, so that each attribute of the entity record is taken from the source best placed to supply it and the record as a whole is as accurate as possible.

From Manual A&I Population To Continuous Entity Discovery

One of the most practical outcomes of entity discovery within Exposure Analytics is that it removes the need to manually maintain lookups of assets and identities in Splunk Enterprise Security. Manually maintained A&I lookups tend to accumulate stale or inaccurate records, such as assets and identities that are no longer active.

Once entity discovery is configured and actively discovering assets and users, this data is used to populate the A&I lookups automatically, to ensure that findings, detections, and related workflows are enriched with accurate context.

Typically, only active assets and users discovered by entity discovery are populated into the A&I lookups. This keeps the lookups more focused on current entities and improves enrichment for findings and detections, which usually involve active systems and users.
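To make the two ideas above concrete, the conflict resolution described under "A Single Source of Truth From Multiple Sources of Record" and the active-only population of the A&I lookups, here is an added, illustrative example. It is not Splunk's patented discovery process or any Exposure Analytics code; it is a small Python model of the same general technique. The source names, the per-field priority table, the seven-day activity window, and all sample records are constructed assumptions. It correlates records that share a hostname or MAC address, resolves each field from the highest-priority source that supplies it, keeps the full discovery history so an IP address can be attributed at a point in time, and emits lookup rows only for entities with recent streaming activity.

```python
# Added example (not Splunk's implementation): correlate records from several
# discovery sources, resolve conflicting field values by per-field source
# priority, keep a discovery history, and emit lookup rows for active entities.
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample below is deterministic.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
STREAMING = {"dhcp", "vpn", "edr"}   # sources whose events prove current activity
ACTIVE_WINDOW = timedelta(days=7)     # assumed activity window, not a product default

# Per-field source priority, best first (assumed table). A field missing from the
# preferred source falls through to the next; an unlisted source never supplies it.
FIELD_PRIORITY = {
    "nt_host": ["cmdb", "edr", "vpn", "vuln"],
    "ip":      ["dhcp", "vpn", "edr", "vuln", "cmdb"],   # live sources win for IP
    "mac":     ["dhcp", "edr", "cmdb"],
    "owner":   ["cmdb", "vpn"],                          # inventory wins for ownership
    "os":      ["edr", "vuln", "cmdb"],
    "bunit":   ["cmdb"],
}
CORRELATION_KEYS = ("nt_host", "mac")  # identifiers that link records to one entity

# Constructed sample records. Four sources describe the same laptop differently;
# SRV-OLD exists only in the CMDB; db-07 appears only in a vulnerability scan.
RECORDS = [
    {"source": "cmdb", "ts": "2024-06-01T00:00", "nt_host": "LT-0042", "mac": "AA:BB:CC:00:00:42",
     "ip": "10.0.5.17", "owner": "j.doe", "os": "Windows 10", "bunit": "finance"},
    {"source": "dhcp", "ts": "2024-06-10T08:15", "mac": "aa:bb:cc:00:00:42", "ip": "10.0.9.201"},
    {"source": "edr",  "ts": "2024-06-10T09:02", "nt_host": "lt-0042", "ip": "10.0.9.201", "os": "Windows 11"},
    {"source": "vpn",  "ts": "2024-06-09T22:40", "nt_host": "LT-0042", "ip": "172.16.3.8", "owner": "jdoe@corp.example"},
    {"source": "cmdb", "ts": "2024-06-01T00:00", "nt_host": "SRV-OLD", "ip": "10.0.1.5", "owner": "ops", "bunit": "it"},
    {"source": "vuln", "ts": "2024-06-08T03:00", "nt_host": "db-07", "ip": "10.0.2.30", "os": "RHEL 9"},
]


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _ids(rec):
    # Normalised identifiers: case differences across sources must not split an entity.
    return [f"{k}:{rec[k].lower()}" for k in CORRELATION_KEYS if k in rec]


def correlate(records):
    """Group records that share any correlation identifier (union-find over identifiers)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for rec in records:
        ids = _ids(rec)
        if not ids:
            raise ValueError(f"{rec['source']} record has no correlation identifier")
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = {}
    for rec in records:
        groups.setdefault(find(_ids(rec)[0]), []).append(rec)
    return list(groups.values())


def merge(group, now=NOW):
    """Build one entity record: per-field source priority, newest record within a source."""
    history = sorted(group, key=lambda r: _ts(r["ts"]), reverse=True)
    entity = {"sources": sorted({r["source"] for r in group}), "history": history}
    for field, order in FIELD_PRIORITY.items():
        for src in order:
            hit = next((r for r in history if r["source"] == src and field in r), None)
            if hit is not None:
                entity[field], entity[f"{field}_source"] = hit[field], src
                break
    live = [_ts(r["ts"]) for r in group if r["source"] in STREAMING]
    entity["last_seen"] = max(live).isoformat() if live else None
    entity["active"] = bool(live) and now - max(live) <= ACTIVE_WINDOW
    return entity


def attribute_ip_at(entity, when):
    """Point-in-time attribution from history: newest IP observed at or before `when`."""
    t = _ts(when)
    for rec in entity["history"]:            # history is newest first
        if "ip" in rec and _ts(rec["ts"]) <= t:
            return rec["ip"], rec["source"]
    return None, None


def build_asset_lookup(records, now=NOW):
    """Rows for the asset lookup: only entities with recent streaming activity."""
    return [e for e in (merge(g, now) for g in correlate(records)) if e["active"]]


if __name__ == "__main__":
    for row in build_asset_lookup(RECORDS):
        print({k: v for k, v in row.items() if k != "history"})
```

Two points are worth noticing when running it. The CMDB record is the only one that carries both the hostname and the MAC address, so it is what links the DHCP event (MAC only) to the EDR and VPN events (hostname only); a source with weak or stale values can still be the one that supplies the correlation identifier. And the stale CMDB-only server and the scan-only database host both drop out of the lookup, which is the focus-on-active behaviour described above; if a scheduled source should count as evidence of activity in your environment, that is a deliberate change to the streaming set, not something to leave implicit.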

Why This Foundation Matters

Continuous entity discovery is the foundation for how organizations improve context across both operations and investigations.

For operational security teams, continuous discovery means better visibility into what exists in the environment and where security control coverage may be incomplete. For SOC teams, it means accurate finding enrichment, stronger attribution, and less time spent reconstructing relationships across disconnected records.

The quality of those outcomes depends on the quality of the discovery foundation. That is why entity discovery source mix and the balance between real-time and scheduled inputs matter so much.

When those pieces are in place, organizations are in a much better position to move from fragmented, static A&I records toward a more complete and continuously updated entity model in Splunk ES.

Getting Started

Getting started with Exposure Analytics is simple using the data you already have coming into Splunk. Predefined entity discovery sources matched to your data can be added in a few clicks, and you can easily add your own sources as well.

Want to learn more? Review the documentation, take the product tour, or contact Splunk to learn how Exposure Analytics can help improve entity visibility, enrichment, and investigation context across Splunk ES.
