Assess risk using metrics in Splunk Asset and Risk Intelligence
Assess asset risk by configuring metrics in Splunk Asset and Risk Intelligence and measuring compliance against your security controls. You can set up metrics such as Asset Management and Vulnerability Scanning. Start analyzing risk metrics for assets by doing the following:
- Use the metrics posture and metrics matrices to review asset compliance
- Review metric dashboards
- Add and manage metric exceptions
Use the metrics posture and metrics matrices to review asset compliance
Splunk Asset and Risk Intelligence includes three metric overview dashboards: the Metrics posture, the Asset metrics matrix, and the Identity metric matrix. With these dashboards, you can monitor metric compliance for all the assets and identities in your network.
With the metrics posture, you can review asset compliance by metric. For example, you can find the compliance rate of all assets and the count of defects for the Malware Protection - Workstation metric. With the metrics matrices, you can review metric compliance by asset or identity. For example, you can determine which metrics a particular asset is compliant with.
To create and manage metrics, see Create and manage metrics in Splunk Asset and Risk Intelligence in the Administer Splunk Asset and Risk Intelligence manual.
Review the asset and identity metrics matrices
Find a report of assets or identities with the status of each metric defined for your organization. To review the asset and identity metrics matrices, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Risk then Metrics.
- Select either Asset metric matrix or Identity metric matrix.
- Select a row in the report to go to the asset or identity investigation page pre-populated with the chosen asset or identity.
Create a filter for the metrics posture or metrics matrices
You can filter the metrics posture and metrics matrices by particular fields such as asset types, metrics, and frameworks. Then you can save that filter and return to the same view at a later time. To create a filter for the metrics posture or metrics matrices, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Risk from the main menu navigation bar.
- Select Metrics and then one of Metrics posture, Asset metrics matrix, or Identity metrics matrix.
- Select Show filters.
- Enter a name for your filter.
- Select a time period for Discovered.
- (Optional) Select the App check box if you want to share the filter with other app users.
- For the metrics posture, configure your filter by entering particular frameworks, categories, controls, or metrics. For example, to see asset compliance data for only the Asset Management - Workstation metric, select Asset Management - Workstation for Metrics.
- For the metrics matrices, configure your filter by entering a particular host, asset type, or metric. For example, to see compliance data for only workstation assets, select Workstations for Asset types.
- Select Search to see the results.
- Select Save as new filter.
- (Optional) To erase your configured filter, select Reset filter.
After you save a filter, you can return to that filtered view by selecting it from the report drop-down list.
Review metric dashboards
Splunk Asset and Risk Intelligence admins can add metrics so that users can monitor for asset defects and opportunities in each metric dashboard. Defects include all noncompliant assets within that metric's time range. Opportunities include all discovered assets within that metric's scope.
You can review metric dashboards by selecting Risk and then Metrics. For example, if an admin added the Malware Protection - Workstation metric, you can find the count of asset defects, search for a particular defect asset, and monitor the asset compliance rate over time for that particular metric.
Add and manage metric exceptions
Exclude particular assets from a metric calculation by adding a metric exception. When you add a metric exception, any assets that are in scope for the metric, but also meet your exception criteria, are excluded from the metric calculation. However, you can still see the omitted assets listed in the metric dashboard.
Adding a metric exception is helpful when there are assets that are typically compliant with the metric, but there is an exceptional reason why those assets are not compliant. For example, if there are servers running a legacy operating system, you might want to exclude them from your metric calculation because Splunk Asset and Risk Intelligence labels those servers as defects.
To add a metric exception, see Add metric exceptions in the Splunk Asset and Risk Intelligence Admin Manual.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1