Asset Merge¶
It is possible that some of your devices share a common key field (dns, ip, mac, nt_host) that is causing an erroneous merge of your assets. There are a few ways to overcome this:
Problem Scenario¶
Consider you have the following assets:
| Host | dns | ip | mac | nt_host |
|---|---|---|---|---|
| host1 | host1.local | 10.0.34.9 | 77:61:f5:cb:33:a7 | host1 |
| host2 | host2.local | 10.0.34.9 | a5:e7:5c:39:77:d1 | host2 |
Since these two systems share the same IP they will be merged into a single asset by default.
Default merge¶
| Asset | dns | ip | mac | nt_host |
|---|---|---|---|---|
| host1 host2 host1.local 10.0.34.9 77:61:f5:cb:33:a7 a5:e7:5c:39:77:d1 | host1.local host2.local | 10.0.34.9 | 77:61:f5:cb:33:a7 a5:e7:5c:39:77:d1 | host1 host2 |
Expected behavior¶
see next section to accomplish this expected behavior
| Asset | dns | ip | mac | nt_host |
|---|---|---|---|---|
| host1 host1.local 10.0.34.9 77:61:f5:cb:33:a7 | host1.local | 10.0.34.9 | 77:61:f5:cb:33:a7 | host1 |
| host2 host2.local 10.0.34.9 a5:e7:5c:39:77:d1 | host2.local | 10.0.34.9 | a5:e7:5c:39:77:d1 | host2 |
Solutions¶
Disable Asset Merging¶
If Crowdstrike is your only data source for assets, you can disable asset merge in the global settings.
This is not recommended if you have more than one asset list configured (see next section)
- In Enterprise Security navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.
- Toggle off "Assets" under
Enable Merge for Assets or Identities.
Changes should reflect the next time the Asset database builds (usually 5-10 minutes).
*For more information, see Splunk Docs.
Update Asset Key Fields¶
If you have more than one asset list configured you can look at disabling the common key field to prevent the default merging behavior.
In most cases, the IP field will be field that needs to disabled as the key field.
- (In Enterprise Security) Navigate to Configure > Data Enrichment > Asset and Identity Management.
- Select the "Asset Fields" Tab.
- Select the
ipfield (or the field you want to disable) and "uncheck" it from being a Key.
Changes should reflect the next time the Asset database builds (usually 5-10 minutes).