Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Review internal enrichment data in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence uses data from a number of databases to enrich the assets that you discover and investigate. To review your internal enrichment data, select Admin and then Data enrichment in Splunk Asset and Risk Intelligence. Then, select the type of data listing you want to view. For example, a Geolocation listing.

You can review the following types of internal enrichment data listings:

Data listing Description
Geolocation The geolocation database contains all of the major cities and countries in the world. You can use the longitude and latitude coordinates from the geolocation database on map visualizations throughout Splunk Asset and Risk Intelligence.
MAC vendor Splunk Asset and Risk Intelligence contains a list of known MAC address vendors taken from the Wireshark Manufacturer Database. You can review and search for MAC addresses on the MAC vendor listing page.
Default accounts Default accounts are user accounts automatically bundled with software applications. You can identify the number of users considered to be default users by navigating to Discovery and then Default account insights. You can review the users that Splunk Asset and Risk Intelligence assigns as default on the Default accounts listing page.
User agent Splunk Asset and Risk Intelligence contains a lookup of known user agents that can help to enrich or populate certain asset fields. You can review the known user agents on the User agent listing page.
Notes Splunk Asset and Risk Intelligence users can add notes to assets and identities while investigating them. You can view all of the notes added to assets and identities on the Notes listing page.
Custom data You can add custom fields to Splunk Asset and Risk Intelligence inventories, and you can review all of the added custom fields on the Custom data listing page.

You can also add a custom location in the geolocation listing, a custom account in the default accounts listing, and a legacy operating system to the Operating system insights page using the Splunk App for Lookup File Editing. See Edit a lookup file in the Splunk App for Lookup File Editing in the Splunk App for Lookup File Editing User Guide. Make sure to add the city, state, region, latitude, and longitude using the 2-digit naming convention for countries and regions.

Last modified on 05 August, 2024
Manage enrichment rules in Splunk Asset and Risk Intelligence   Set up data sources for Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters