Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Create and manage cybersecurity frameworks in Splunk Asset and Risk Intelligence

Cybersecurity frameworks provide standardized guidelines for addressing risk. Splunk Asset and Risk Intelligence includes a number of common security frameworks, such as NIST and HIPAA, called known frameworks. You can also create your own custom frameworks.

By adding frameworks to Splunk Asset and Risk Intelligence, you can provision metrics that map to the framework controls, and then use them to identify security control gaps and track the remediation process.

You don't need to add a framework to add a metric.

Every active framework has an associated dashboard that you can filter based on category, control, or metric. The dashboard includes all the metrics provisioned for that framework. After you add and activate a framework, you can find it by selecting Risk and then Frameworks in the main menu navigation bar.

Available known frameworks

The following table describes the known frameworks available in Splunk Asset and Risk Intelligence:

Framework Description
NIST CSFv2 Based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks. It's widely used by public and private organizations of all sectors and sizes around the world.
ISO/IEC 27001:2022 Provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
HIPAA Establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
PCI v4 Provides a baseline of technical and operational requirements designed to protect account data.

Add a known framework

To add a known framework, complete the following steps:

  1. Select Admin then Risk management and then Metric and framework management.
  2. In the Cybersecurity frameworks table, select Add framework and then Add known framework.
  3. Select a framework from the drop-down list of templates.
  4. (Optional) Edit the framework name and ID.
  5. (Optional) You can map metrics as you add the framework or after you add the framework. Select the check boxes to map metrics to framework controls. Metrics with Map metric have already been added to Splunk Asset and Risk Intelligence, and metrics with Create metric have not.
  6. Select Add.

    If you selected to create metrics, it might take some time for the system to create these metrics.

  7. Locate the framework you added in the Cybersecurity frameworks table, and then activate it by selecting the settings icon ( settings ) and turning the toggle switch to Active. You must activate the framework in order to view the framework dashboard and metric mappings.

Add a custom framework

Create a custom framework with your own categories and controls, and then map metrics to each control.

To add a custom framework, complete the following steps:

  1. Select Admin then Risk management and then Metric and framework management.
  2. In the Cybersecurity frameworks table, select Add framework and then Add custom framework.
  3. Enter a name and ID for the framework.
  4. (Optional) Enter a framework description.
  5. Activate the framework by turning the toggle switch to Active. You must activate the framework in order to map metrics to the controls of the framework.
  6. Select Add.
  7. Locate the framework you added in the Cybersecurity frameworks table, and then select the settings icon ( settings ) to add categories.
    1. Select Add category.
    2. Enter a name and ID for the category.
    3. (Optional) Enter a description for the category.
    4. Select Add.
    5. (Optional) In the Categories section, select the settings icon ( settings ) to edit a category and the remove icon ( remove ) to delete one.
    6. Select Update.
  8. Locate the framework you added in the Cybersecurity frameworks table, and then select the preferences icon ( preferences ) to add controls and their associated metrics.
    1. Select Add control.
    2. Using the drop-down list, select a category to add the control to.
    3. Enter a control ID.
    4. (Optional) Enter a description for the control.
    5. Using the drop-down list, select metrics to map to the control.

      You can also select controls to map a particular metric. See Create and manage metrics in Splunk Asset and Risk Intelligence.

    6. Select Add.

Edit or delete a framework

To edit or delete a framework, complete the following steps:

  1. Select Admin then Risk management and then Metric and framework management.
  2. Locate the framework you added in the Cybersecurity frameworks table, and then select the settings icon ( settings ) to edit it. Make sure to select Update to save your changes.
  3. Locate the framework you added in the Cybersecurity frameworks table, and then select the remove icon ( remove ) to delete it.
Last modified on 10 December, 2024
Create and manage risk scoring rules in Splunk Asset and Risk Intelligence   Monitor, export, and share audit data in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters