Discovery processing searches in Exposure Analytics
Note: Do not edit the processing searches for exposure analytics in Splunk Enterprise Security.
There are several searches that run regularly to add, update, or remove data from Exposure Analytics. As an admin, you can turn on or turn off the searches listed in the following table:
| Type of discovery search | Description | Default run frequency |
|---|---|---|
| Association searches | Tracks the first and last time combinations of discovered assets and users. If you turn off association searches, you can't access data on associations between assets and users, such as an IP address. | 15 minutes |
| Entity discovery searches | Retrieves and tracks asset and user data. You can turn on or turn off the search for each processing type, such as Assets or IP addresses. | 5 min |
| Recently detected sourcetypes | Searches your environment for recently seen sourcetypes that match any of the predefined data sources. This helps filter the list of predefined sources to only the sources that have been discovered by Exposure Analytics. | 6 hours |