Scenario: Alex discovers an asset and investigates it in Splunk Asset and Risk Intelligence

The following scenario features Buttercup Games, a fictitious game company.

Alex is a security operations center (SOC) analyst at Buttercup Games. Buttercup Games is about to release new artificial intelligence gaming software to complement one of its popular online games. In order to protect the new technology, Alex wants to monitor the workstation laptops used by company executives to make sure there's no threat to the company data surrounding the release.

Using Splunk Asset and Risk Intelligence, Alex does the following:

• Filters discovered network assets for laptops used by executives
• Investigates a particular asset to find associated users and their identity information
• Checks the asset's compliance with a metric to see if the executive laptop has full disk encryption

Filter discovered network assets

To filter discovered network assets, Alex follows these steps:

1. Alex selects Discovery and then Network asset discovery to find the assets discovered on the network.
2. Alex creates a new filter and names it Executive laptops.
3. Using Field filtering, Alex enters the following logic for the filter:
   1. asset_class = laptop
   2. user_title = executive

      In this scenario, Buttercup Games uses the word "executive" in its employee titles, which allows Alex to filter fields by a user title that includes "executive".

4. Alex selects Save as new filter and then Search to see the filtered results.

Investigate an asset

To investigate an asset, Alex follows these steps:

1. From the Asset details table on the Network asset discovery page, Alex selects an asset to investigate.
2. On the Network asset investigation page, Alex finds asset details such as data sources used to discover the asset, the geographic location of discovery, and associated user IDs.
3. Alex notices that there are several user IDs associated with the asset. They select a user ID to open the User identity investigation.
4. Alex reviews the identity information to monitor the detection activity and compare the geographic location with other associated users.

Check compliance with a metric

To check an asset's compliance with a metric, Alex follows these steps:

1. On the Network asset investigation page for the executive laptop, Alex reviews the Health check panel. The health check provides a Compliant or Noncompliant status for metrics added to Splunk Asset and Risk Intelligence by an administrator.
2. Alex finds that the asset is noncompliant with the Full disk encryption metric.

Summary

In this scenario, while monitoring asset activity for suspicious behavior, Alex discovered an asset and then investigated it in Splunk Asset and Risk Intelligence. They filtered the discovered network assets by laptops used by executives, investigated a particular asset to find associated identity information, and then checked the asset's compliance with a known metric added by an administrator.

Learn more

To learn more about discovering and investigating assets in Splunk Asset Risk Intelligence, see the following documentation:

• Filter your discovery reports
• Investigate a network asset, user identity, IP address, or MAC address