Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Splunk Asset and Risk Intelligence onboarding guide for admins

As an admin user with the ari_admin role, you can begin setting up Splunk Asset and Risk Intelligence for users after you finish installing the application. The following table provides an overview of each task and its associated documentation link:

| Step number | Setup task | Description | Documentation |
|---|---|---|---|
| 1 | Set up directories | Splunk Asset and Risk Intelligence includes 2 internal data sources for enrichment: a company subnet directory and a company user directory. Populate these directories to help locate assets on internal networks and provide context on user IDs. | Set up directories for Splunk Asset and Risk Intelligence |
| 2 | Set up data sources | Splunk Asset and Risk Intelligence includes known, compatible data sources that can pull data from specific events. You can select from these data sources, or add your own custom data sources. | Set up data sources for Splunk Asset and Risk Intelligence |
| 3 | Add custom fields | Add custom fields by populating the custom data inventory with the field values for each asset. | Add a custom field in Splunk Asset and Risk Intelligence |
| 4 | Turn on or turn off discovery searches | Turn on Splunk Asset and Risk Intelligence discovery searches to start discovering assets. | Turn on or turn off discovery searches in Splunk Asset and Risk Intelligence |
| 5 | Add metrics | Select which metrics to report on based on the data sources you selected. You can add known metrics included with Splunk Asset and Risk Intelligence, or you can create custom metrics. | Create and manage metrics in Splunk Asset and Risk Intelligence |
| 6 | Add asset enrichment rules | Use Splunk Asset and Risk Intelligence default enrichment rules to improve asset information such as missing field values. You can also create custom enrichment rules. | Manage enrichment rules in Splunk Asset and Risk Intelligence |
| 7 | Activate integration with Splunk Enterprise Security | Activate integration with Splunk Enterprise Security to enrich notable events with Splunk Asset and Risk Intelligence asset context. | Activate integration with Splunk Enterprise Security in Splunk Asset and Risk Intelligence |

See also

Get started with Splunk Asset and Risk Intelligence Echo in the Install and Manage Splunk Asset and Risk Intelligence Echo manual

Get started with the Splunk Add-on for Asset and Risk Intelligence in the Install and Manage Splunk Add-on for Asset and Risk Intelligence manual

Last modified on 05 August, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2

