You can monitor, export, and share audit data in Splunk Asset and Risk Intelligence from several available audit reports. You might want to review audit reports, for example, before and after you upgrade the Splunk Asset and Risk Intelligence app. To access audit data, select Admin and then Audit.
The following table outlines the available audit reports and what you can do with each one:
Audit report | Description |
---|---|
Configuration audit | The Configuration audit page reports on local configurations, which include changes that override the original configuration, and additional configurations, which include added changes that don't override the original configuration. The result column displays either a value of different or identical, which describes how the item compares to the original configuration. To find a particular configuration change, you can filter by type, file, and more. |
Configuration healthcheck | You can use the Configuration healthcheck page to monitor for errors with configured metrics and data sources. You can also monitor current knowledge objects, such as default user accounts, and compare them against the expected knowledge objects. |
Sharing audit | Some objects, such as dashboards or saved searches, in Splunk Asset and Risk Intelligence are shared only within the app, while others are shared globally with other apps. You can review the sharing status of objects on the Sharing audit page, and you can filter objects by type, such as lookups or macros. |
Operational logs | On the Operational logs page, you can view configuration changes, app sharing changes, and report downloads completed by users. You can also filter the logs by user. |
License usage | The License usage page reports on license usage based on the limit set on the Configuration settings page. To set the license limit for this dashboard, select Admin, then Configuration settings, and then edit the Licence asset usage limit in the Default configurations section. |
Export inventory data
You can download any of the following Splunk Asset and Risk Intelligence inventories as a CSV or JSON file:
- Network
- IP
- User
- MAC
- Software
- Vulnerability
- Splunk Enterprise Security assets
- Splunk Enterprise Security identities
To export inventory data, complete the following steps:
- Select Admin then Audit and then Data export.
- Using the drop-down list, select the inventory you want to download. For example, Network asset inventory.
- Select Download.
- Enter a filename.
- Select CSV or JSON for the Output format.
- Select Download.
Monitor the operational health of Splunk Asset and Risk Intelligence
As an admin, you can monitor Splunk Asset and Risk Intelligence operations by auditing the operational health dashboard. To view the dashboard, select Admin and then Operational health.
The operational health dashboard includes information on data source compliance, internal lookup health, processing search times, KV store details, and more. You can use this data to report on the health of Splunk Asset and Risk Intelligence. For example, you might find that the processing time for a search is particularly high. A high processing time might indicate a high search load on the Splunk search head.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2