Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Assess risk using metrics in Splunk Asset and Risk Intelligence

Assess asset risk by configuring metrics in Splunk Asset and Risk Intelligence and measuring compliance against your security controls. You can set up metrics such as Asset Management and Vulnerability Scanning. Start analyzing risk metrics for assets by doing the following:

Use the metric posture and metric matrix to review asset compliance

Splunk Asset and Risk Intelligence includes two metric overview dashboards, the Metrics posture and the Metrics matrix, so that you can monitor metric compliance for all the assets in your network.

With the metrics posture, you can review asset compliance by metric. For example, you can find the compliance rate of all assets and the count of defects for the Malware Protection - Workstation metric. With the metrics matrix, you can review metric compliance by asset. For example, you can determine which metrics a particular asset is compliant with.

To create and manage metrics, see Create and manage metrics in Splunk Asset and Risk Intelligence in the Administer Splunk Asset and Risk Intelligence manual.

Create a filter for the metrics posture or metrics matrix

You can filter the metrics posture and metrics matrix by particular fields such as asset types, metrics, and frameworks. Then you can save that filter and return to the same view at a later time. To create a filter for the metrics posture or metric matrix, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Risk from the main menu navigation bar.
  2. Select Metrics and then either Metrics posture or Metrics matrix.
  3. Select Show filters.
  4. Enter a name for your filter.
  5. (Optional) Select the Make public check box if you want to make the filter available to other users.
  6. For the metrics posture, configure your filter by entering particular frameworks, categories, controls, or metrics. For example, to see asset compliance data for only the Asset Management - Workstation metric, select Asset Management - Workstation for Metrics.
  7. For the metrics matrix, configure your filter by entering a particular host, asset type, or metric. For example, to see compliance data for only workstation assets, select Workstations for Asset types.
  8. Select Search to see the results.
  9. Select Save as new filter.
  10. (Optional) To erase your configured filter, select Reset filter.

After you save a filter, you return to that filtered view by selecting it from the report drop-down list.

Review metric dashboards

Splunk Asset and Risk Intelligence admins can add metrics so that users can monitor for asset defects and opportunities in each metric dashboard. Defects include all noncompliant assets within that metric's time range. Opportunities include all discovered assets within that metric's scope.

You can review metric dashboards by selecting Risk and then Metrics. For example, if an admin added the Malware Protection - Workstation metric, you can find the count of asset defects, search for a particular defect asset, and monitor the asset compliance rate over time for that particular metric.

Add and manage metric exceptions

Exclude particular assets from a metric calculation by adding a metric exception. When you add a metric exception, any assets that are in scope for the metric, but also meet your exception criteria, are excluded in the metric calculation. However, you can still see the omitted assets listed in the metric dashboard.

Adding a metric exception is helpful when there are assets that are typically compliant with the metric, but there is an exceptional reason why those assets are not compliant. For example, if there are servers running a legacy operating system, you might want to exclude them from your metric calculation because Splunk Asset and Risk Intelligence labels those servers as defects.

To filter the scope of your metric, such as filtering out workstations, rather than adding an exception, see Edit metric settings in the Administer Splunk Asset and Risk Intelligence manual.

Add a metric exception

There are two ways you can add a metric exception:

  • Manually enter assets to exclude from a metric on the Metric exceptions page
  • Select particular assets to exclude from a metric dashboard

To add a metric exception on the Metric exceptions page, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Risk and then Metric exceptions.
  2. Select Add exception.
  3. Using the drop-down list, select the Metric that you want to add an exception for.
  4. Enter the Exception value. For example, if you select NT Host for the field, enter the hostname for the exception value.
  5. (Optional) Enter a reason for adding the exception.
  6. Select Add.

After you add an exception, you can find it in the Exception listing table. You can filter and search for particular exceptions by reason and by value.

To add a metric exception from a particular metric dashboard, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Risk and then Metrics.
  2. Select the metric you want to add exceptions to.
  3. In the Metric details table, select the check boxes for the assets you want to exclude.
  4. Select Exceptions and then Add selected exceptions.

Manage metric exceptions

To manage metric exceptions, see the following table:

Action Steps
Edit an exception reason
  1. Select the settings icon ( settings ).
  2. Make your changes. You can only edit the reason for the metric exception.
  3. Select Update.
Delete an exception
  1. Select the remove icon ( remove ).
  2. Select Delete.
Download exception results
  1. Select the download icon ( download ) on the Exception table.
  2. Enter a name for the file.
  3. Select an output format.
  4. Select Download.
Last modified on 05 August, 2024
Monitor asset activity in Splunk Asset and Risk Intelligence   Review framework dashboards and risk scoring insights in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters