The Dark Web Matrix • Room 2

Asset & Identity Framework

For a SIEM to be effective, it needs context. The **Asset and Identity** framework merges HR databases (identities) and CMDBs (assets) into Splunk.

When an event fires, Splunk Enterprise Security (ES) uses lookups to enrich it, translating `10.0.0.5` to `web-server-prod` and `jsmith` to `John Smith (VP Finance)`.

This context allows for dynamic urgency rating. An attack on a VP's laptop is higher urgency than an attack on a guest WiFi device.
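
The enrichment and urgency steps described above, as an added Python sketch (not Splunk ES code and not part of the original page). The CSV column names, the guest WiFi range, the priority values and the urgency rule are constructed assumptions standing in for real CMDB/HR exports and the product's own urgency table.

```python
import csv, io, ipaddress

# Constructed sample rows standing in for CMDB and HR exports (column names assumed).
ASSETS = """ip,mac,nt_host,priority
10.0.0.5,,web-server-prod,high
10.0.20.0/24,,guest-wifi,low
,00:1a:2b:3c:4d:5e,printer,low
"""
IDENTITIES = """identity,first,last,bunit,priority
jsmith,John,Smith,VP Finance,critical
"""
LEVELS = ["low", "medium", "high", "critical"]

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_asset(value, assets):
    """Match a MAC exactly, else an IP against the most specific ip/CIDR row."""
    for a in assets:
        if a["mac"] and a["mac"].lower() == value.lower():
            return a
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP or a known MAC: leave the event unenriched
    hits = [(ipaddress.ip_network(a["ip"]), a) for a in assets if a["ip"]]
    hits = [(net, a) for net, a in hits if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def urgency(priority, severity):
    """Simplified stand-in for an urgency table: rounded-up midpoint of the two ranks."""
    return LEVELS[(LEVELS.index(priority) + LEVELS.index(severity) + 1) // 2]

def enrich(event, assets, identities):
    asset = find_asset(event["src"], assets)
    ident = next((i for i in identities if i["identity"] == event["user"].lower()), None)
    out = dict(event)
    out["src_host"] = asset["nt_host"] if asset else "unknown"
    out["user_name"] = f'{ident["first"]} {ident["last"]} ({ident["bunit"]})' if ident else "unknown"
    # Assumption: the highest priority among the matched asset and identity wins.
    matched = [r["priority"] for r in (asset, ident) if r]
    out["urgency"] = urgency(max(matched, key=LEVELS.index, default="low"), event["severity"])
    return out

if __name__ == "__main__":
    assets, identities = load(ASSETS), load(IDENTITIES)
    for ev in ({"src": "10.0.0.5", "user": "jsmith", "severity": "high"},
               {"src": "10.0.20.77", "user": "visitor", "severity": "high"}):
        print(enrich(ev, assets, identities))
```

The same `high` severity detection comes out `critical` for the production server used by the VP and `medium` for an unknown user on the guest range, which is the difference an analyst sees in the triage queue.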

Knowledge Check

Classify each item as an **Asset** or an **Identity**:

- `10.0.0.5` (web-server-01)
- `jsmith` (John Smith)
- `bwayne` (Bruce Wayne)
- `00:1A:2B:3C:4D:5E` (printer)