Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Monitor asset activity in Splunk Asset and Risk Intelligence

With Splunk Asset and Risk Intelligence, you can monitor your network asset activity by doing the following:

Find asset detections using the first or last detection date

Search for network hosts, IP addresses, MAC addresses, users, software, or vulnerabilities by the date it was first or last discovered by Splunk Asset and Risk Intelligence. To find asset detections, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Activity from the main menu navigation bar, and then select First and last detections.
  2. From the drop-down list, select a detection type, such as User IDs.
  3. Select whether you want to search by first or last detection date.
  4. Select the time frame in which you want to search for asset detections. For example, within the past week.
  5. (Optional) Filter your results by entering a search in the Filter box. For example, to filter user IDs by those detected in Canada, enter CA in the filter box.

After you find asset detections using the first or last detection date, you can select from the results to open up the investigation page for a particular asset. See Investigate assets in Splunk Asset and Risk Intelligence.

Analyze geographic data for user IDs

With the User external locations dashboard, you can identify users that might be connected to anomalous locations. In the main menu navigation bar of Splunk Asset and Risk Intelligence, select Activity and then User external locations to open the dashboard for user ID geographical data. You can compare counts of user IDs by country, identify users discovered in multiple countries on the same day, and more.

Inspect asset history

Inspect the detection history for assets on your network using the network asset detection history timeline. To check the detection history for an asset, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Activity from the main menu navigation bar, and then select Network asset detection history.
  2. Using the drop-down list, select a time range. See Select time ranges to apply to your search in the Splunk Enterprise Search Manual.
  3. Enter a host name.
  4. Using the drop-down list, select a span of 1 day, 1 week, or 1 month.
  5. Select Submit.

After you submit your selected time range and host, you can find a table where each row provides the latest asset record at that particular time span along with a count of detections. This table is particularly useful in showing asset record changes over time.

Attribute IP addresses to an asset

Attribute IP addresses to network assets or users over any time range using the IP address to asset attribution dashboard. You can discover users and network assets associated with a given IP address at any point in time.

To attribute IP addresses to an asset, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Activity from the main menu navigation bar, and then select Asset attribution.
  2. Select IP address to asset attribution.
  3. Using the drop-down list, select a time range. See Select time ranges to apply to your search in the Splunk Enterprise Search Manual.
  4. Enter an IP address.
  5. (Optional) Specify the Zone if you're utilizing IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
  6. Enter a host name or user ID.
  7. Select Submit.

Attribute events to an asset

Identify user and network asset activity over a particular time frame by attributing network assets or users to any raw event in the Splunk platform that contains an IP address. Asset attribution is particularly useful for targeted investigations or situations when you might want to match up assets from a particular point in time. For example, you can take an event containing an IP address, such as a firewall log source, and attribute a user ID to it.

To attribute events and find matching assets, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Activity from the main menu navigation bar, and then select Asset attribution.
  2. Select Event to asset attribution insights.
  3. Using the drop-down list, select a time range. See Select time ranges to apply to your search in the Splunk Enterprise Search Manual.
  4. Select which source types to search.
  5. Enter an IP address, host name, or user ID.
  6. (Optional) Specify the Zone if you're utilizing IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
  7. (Optional) Add an Eventtype or tag. For example, you can add a Malware tag to a raw event that's a malware data source.
  8. Enter an IP field to match on. Sometimes the IP field is src, dest, dest_ip, src_ip or something else, so you might want to specify which field you are looking to match on in your raw data. For example, if your firewall source type has an IP address as the src field, then you might want to match on the src field.
  9. Select Submit. It might take a few seconds for the results to load.
  10. (Optional) Use the drop-down lists for Span and Split by to sort the resulting table.

The matched_host and matched_user columns are the values that Splunk Asset and Risk Intelligence attributes to each group of events.

After you configure your search for asset attribution, you can select any row in the table to further investigate the associated raw events. Or, you can select View all results to open all of the events in a Splunk search.

Manually attribute assets with a Splunk search

Use your own Splunk search to attribute a host and a user to the IP address of each event, at the time of each event. Using the Event to asset attribution search, you can add a search macro to your own search to manually attribute assets.

To manually attribute assets with a Splunk search, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Activity from the main menu navigation bar, and then select Asset attribution.
  2. Select Event to asset attribution search.
  3. Enter your Splunk search.
  4. Using the drop-down list, select a time range. See Select time ranges to apply to your search in the Splunk Enterprise Search Manual.
  5. Enter the IP field to match on, which is the field name, such as src_ip or dest_ip, of the event you want to find the user and host for.
  6. Select whether you want to see Only matching results or All Results. If you choose to see only the matching results, then you can see only the events attributed to a user or host.
  7. Select the search to open it in the Search page and run it.

After you run the search, you can find the match_user and matched_host fields for each event.

Review asset anomaly reports

Monitor your network asset activity by checking for anomalous behavior. Splunk Asset and Risk Intelligence includes anomaly reports that identify associated assets and can help you determine which asset activity might be suspicious. To see anomaly reports, select Activity from the main menu navigation bar and then select Anomalous activity.

To learn more about each report, see the following table:

Report Description When to use
Redetected dormant assets Identifies dormant assets, or users that have been recently redetected after an inactive period. This report calculates the number of inactive days in between detections over the selected time range. To identify dormant assets and users that have been redetected and investigate for suspicious or unauthorized activity.
Short lived assets Identifies assets or users with short-lived activity over the selected time range. This report calculates the number of active days in between the first and last time detected. To reduce false positives, this report excludes new assets or users first detected in the past few days. To identify assets and users that have only been active for a few days over the past few months and investigate for rogue ones.
Multiple association assets Identifies assets or users that have multiple associated users or assets. To investigate for shared credentials, anomalous activity, or compromised credentials.
Newly associated assets Identifies assets or users that have been newly associated with existing assets or users. To investigate for unauthorized activity or compromised credentials.
Last modified on 05 August, 2024
Field reference for Splunk Asset and Risk Intelligence   Assess risk using metrics in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters