Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Create and manage metrics in Splunk Asset and Risk Intelligence

Security metrics in Splunk Asset and Risk Intelligence are quantifiable measurements that you can use to review the status of assets. Metrics are based on the data sources you add to Splunk Asset and Risk Intelligence, and they can help you identify security control gaps and track the remediation process.

Splunk Asset and Risk Intelligence includes a number of common security metrics called known metrics. You can also create your own custom metrics.

Add a known metric

To add a known metric, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric framework management.
  2. Select Add metric and then Add known metric.
  3. Select a metric from the list of known metrics.
  4. Select Add.
  5. After Splunk Asset and Risk Intelligence successfully configures your metric, select Close.

After you add a metric, you might need to edit the metric logic. Some known metrics don't require additional configuration, but others do. See Edit metric logic.

After you add and configure the metric, you can find it in the drop-down list by selecting Risk in the main menu navigation bar.

Create a custom metric

To create a custom metric, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric framework management.
  2. Select Add metric and then Add custom metric.
  3. Enter a name for the metric.
  4. Using the drop-down list, select a Risk level.
  5. Enter a Metric snapshot schedule using cron format. The metric snapshot schedule is the frequency for generating a summary of metric compliance.
  6. Select the metric type, either Network asset or User identity, that you want to use for the metric.
  7. (Optional) Select a Cybersecurity framework mapping.
  8. (Optional) Using the toggle switches, select where to display the metric in Splunk Asset and Risk Intelligence. You can add it to the home page, and then you can decide where to place it on the home page amongst other metrics. You can also add the metric to the health check panel on the relevant investigation page.
  9. Enter a Matrix dashboard label. This is the label used for the metric visualization on the Metrics matrix page.
  10. (Optional) Add additional labels and descriptions. You can enter short labels and longer descriptions to include with your metric. For example, for the Metric opportunity description, a helpful description might be, "All workstations discovered on the network within the last 15 days."
  11. Select Add.
  12. After Splunk Asset and Risk Intelligence successfully configures your metric, select Close.

After you create a custom metric, you must edit the metric logic. See Edit metric logic.

After you add and configure a custom metric, you can find it in the drop-down list by selecting Risk in the main menu navigation bar.

Edit metric settings

You can edit the default settings of a known metric, or you can modify the settings you created for a custom metric.

To edit a metric, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric framework management.
  2. Locate the metric you want to edit in the metrics table, and then select the settings icon.
  3. Make your modifications. To save the metric, you must enter a value for the following fields:
    • Metric name
    • Metric snapshot schedule
    • Matrix dashboard label
  4. (Optional) To generate a metric compliance summary, select Generate metric snapshot.
  5. Select Update.

Edit metric logic

Metric logic powers metrics, and the metric logic determines the following:

  • The assets or identities in scope for the metric
  • The criteria that determine whether an asset is non-compliant

To edit the logic for a metric, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric framework management.
  2. Locate the metric you want to edit the logic for in the metrics table, and then select the search icon.
  3. In the Opportunities section of the Edit metric logic dialog window, you can modify the following fields:
    • Data sources: Select which data sources to use for this metric. Metrics often use last detected information from one or more data sources.
    • Asset types: Select which asset types are in scope for this metric. For example, if you want to create a metric only for workstation assets, select Workstation.

      This field applies only to network asset metrics.

    • Last discovered: Identify the time range of discovered assets to include in the metric.
    • Fields: Identify the fields from the asset record to use in the metric.
    • Additional search filter: Narrow down the scope of the metric even further. For example, if you want to limit the metric to report on only Windows laptops, enter os=Windows* asset_class=Laptop.
  4. In the Defects section of the Edit metric logic dialog window, you can modify the following fields:
    • Defect logic: The defect logic uses an if() or case() eval statement with the available field values to determine whether an asset is a defect or not. The lastdetect_source field represents the last detection time for the selected data source. For example, you can enter logic to identify a missing last detected date, like defect = if(lastdetect_source="","1","0"), to see if Splunk Asset and Risk Intelligence has ever detected the asset in this data source or not. The defect value must be either 1 or 0.
    • Defect reason: If there are multiple reasons why an asset might be a defect, you can enter an if() or case() eval statement. For example, defect_reason = if(lastdetect_source="","No logging agent detected","No recent agent detection"). If there is only one reason, you can enter the defect reason in quotes. For example, "Not in asset management solution".
  5. (Optional) Select Preview to see the logic results in the table. In the defect column, "1" indicates that the asset is a defect, and "0" indicates that the asset is not a defect.
  6. Select Update.
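
The defect and defect reason expressions can be tried against constructed records in a regular search before you enter them in the dialog. The following search is an added example, not part of the Splunk documentation or the product's own content; it assumes lastdetect_source holds epoch seconds as a string (empty or null when the asset was never detected), and the asset names and the 15-day staleness threshold are constructed. It goes beyond the if() examples above by using case() so that defect and defect_reason are driven by the same conditions.

```spl
| makeresults count=5
| streamstats count AS n
| eval sample_asset="ws-00".n
| eval lastdetect_source=case(n=1, tostring(now()-3600), n=2, tostring(now()-86400*20), n=3, "", n=4, tostring(now()-86400*2))
| eval assumed_stale_secs=86400*15
| eval defect=case(coalesce(lastdetect_source,"")="", "1", now()-tonumber(lastdetect_source) > assumed_stale_secs, "1", true(), "0")
| eval defect_reason=case(coalesce(lastdetect_source,"")="", "No logging agent detected", now()-tonumber(lastdetect_source) > assumed_stale_secs, "No recent agent detection", true(), "")
| table sample_asset lastdetect_source defect defect_reason
```

Rows 3 and 5 (empty and null lastdetect_source) come back as defects with "No logging agent detected", and row 2 as a defect with "No recent agent detection". The coalesce() wrapper is a defensive addition: without it, a null field makes the comparison evaluate to null and the asset falls through to "0".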

Edit a metric alert

After you create a custom metric or add a known metric, you can turn on an alert for the metric and set an alert schedule. To edit a metric alert, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric framework management.
  2. In the Metrics table, locate the metric you want to edit.
  3. Select the more icon in the actions column.
  4. Select Edit alert.
  5. Select the toggle switch to turn on the metric alert.
  6. Enter an alert schedule.
  7. (Optional) Select the Send email toggle switch to turn on email notifications for the alert. Then, enter one or more email addresses.
  8. Select Update.
Last modified on 30 October, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2

