Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Set up directories for Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence includes 2 internal data sources for enrichment: a company subnet directory and a company user directory. Populate these directories to locate assets on internal networks and provide context on user IDs.

Populate the company subnet directory

You can incorporate location data from your company into Splunk Asset and Risk Intelligence if you have a subnet listing. Populating a company subnet directory is optional, but you might want to use one to identify asset locations.

To populate the company subnet directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company subnet directory.
  2. Update the subnet listing by uploading a CSV file or by entering a Splunk search. Follow the steps for your preferred method:
Method Steps
Upload a CSV file
  1. Select the upload icon ( upload ). The CSV file you upload must contain the required subnet listing fields. See Required subnet listing fields.
  2. Using the drop-down list, select whether you want to Merge or Overwrite any existing data.
  3. Select Upload.

The maximum upload size limit is 5mb. Upload larger files or files containing fields with different names using the Splunk lookup functionality.

Enter a Splunk search
  1. Select the search icon ( search ).
  2. Enter your search using the Search Processing Language (SPL). The search must return the required subnet listing fields. See Required subnet listing fields. For example, the end of a search looks like the following:

    | table subnet, location_id, city, state, country, region, provider, type, vlan, description, zone

  3. Select Merge or Overwrite for the Search mode. You can choose to overwrite any existing subnets with the search, or you can merge the search with existing subnets, including entries that have already been manually added.
  4. (Optional) If you want to run the search immediately, select Run search. Selecting this option runs the search before the designated cron schedule.
  5. (Optional) Preview your search results by selecting Preview search.
  6. Select Save.

After you populate the company subnet directory, you can manually add entries by selecting the add icon ( add ), and you can edit, clone, or remove entries using the actions icons.

Required subnet listing fields

The subnet listing must contain the following fields:

Field Value
subnet Subnet and mask. For example, 10.10.10.10/24.
zone Subnet IP zone of the entry.
location_id Any location ID used by the business.
description Description of the subnet entry.
provider Name of a provider. For example, AWS.
city City name for the entry.
state 2-digit U.S. state or Canadian province. For example, "ON".
country 2-digit country code. For example, "US".
region Region. For example, "AMER" or "EMEA".
type Subnet type of the entry.
vlan Subnet virtual LAN of the entry.

Some fields can have null values, but the fields must be included in the lookup table header. Don't change null values to "unknown" or something similar.

Add IP zones to the company subnet directory

With IP zones, you can differentiate network areas for the same IP address. For example, if a company acquires another company, you might want to specify a zone for each subnet entry.

To use IP zones, you must identify an IP zone for each entry in the company subnet directory and also for each data source you add to Splunk Asset and Risk Intelligence.

By default, each subnet entry has a zone value of default, and each data source has an ip_zone value of default. If you don't want to use IP zones, you don't need to edit these values.

To add a new IP zone in the company subnet directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company subnet directory.
  2. Select the add icon (+) to add a subnet entry with the new IP zone to your company subnet directory.
  3. Enter a new name for the IP zone.
  4. Select Add.
  5. Select the add icon (+) to add additional subnet entries with the new IP zone.

    You can't edit the IP zone for existing subnet entries.

After you add IP zones to your company subnet directory, make sure to also identify IP zones for each data source you add. See Data source field mapping reference.

Populate the company user directory

You must populate the company user directory to store asset context such as user IDs and email addresses.

To populate the company user directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company user directory.
  2. Update the user listing by uploading a CSV file or by entering a Splunk search. Follow the steps for your preferred method:
Method Steps
Upload a CSV file
  1. Select the upload icon ( upload ). The CSV file you upload must contain the required user listing fields. See Required subnet listing fields.
  2. Using the drop-down list, select whether you want to Merge or Overwrite any existing data.
  3. Select Upload.

The maximum upload size limit is 5mb. Upload larger files or files containing fields with different names using the Splunk lookup functionality.

Enter a Splunk search
  1. Select the search icon ( search ).
  2. Enter your search using the Search Processing Language (SPL). The search must return the required user listing fields. See Required subnet listing fields. For example, the end of a search looks like the following:

    | table user_id, user_first, user_last, user_email, user_business, user_bunit, user_category, user_title user_location_id, user_city, user_state, user_country, user_start_date, user_end_date, user_priority, user_first_created, user_last_updated

  3. Select Merge or Overwrite for the Search mode. You can choose to overwrite any existing subnets with the search, or you can merge the search with existing subnets, including entries that have already been manually added.
  4. (Optional) If you want to run the search immediately, select Run search. Selecting this option runs the search before the designated cron schedule.
  5. (Optional) Preview your search results by selecting Preview search.
  6. Select Save.

After you populate the company user directory, you can manually add entries by selecting the add icon ( add ), and you can edit, clone, or remove entries using the actions icons.

Required user listing fields

The user directory listing must contain the following fields:

Field Value
user_id The username for the listing.
user_first First name of the user.
user_last Last name of the user.
user_category Category of the user. For example, "contractor" or "employee".
user_email Email address of the user.
user_title The job title of the user.
user_business Business of the user.
user_bunit Business unit of the user.
user_city City where the user is based.
user_state 2-digit U.S. state or Canadian province where the user is based. For example, "ON".
user_country 2-digit country code where the user is based. For example, "US".
user_location_id Location ID used by the business to identify a company location.
user_priority The priority of the user. For example, an executive might be "high" priority.
user_start_date The date the user started at the company.
user_end_date The date the user left the company.

Some fields can have null values, but the fields must be included in the lookup table header. Don't change null values to "unknown" or something similar.

Last modified on 06 August, 2024
Splunk Asset and Risk Intelligence onboarding guide for admins   Manage enrichment rules in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters