Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results contain more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Scenario: Alex discovers an asset and investigates it in Splunk Asset and Risk Intelligence

The following scenario features Buttercup Games, a fictitious game company.

Alex is a security operations center (SOC) analyst at Buttercup Games. Buttercup Games is about to release new artificial intelligence gaming software to complement one of its popular online games. In order to protect the new technology, Alex wants to monitor the workstation laptops used by company executives to make sure there's no threat to the company data surrounding the release.

Using Splunk Asset and Risk Intelligence, Alex does the following:

  • Filters discovered network assets for laptops used by executives
  • Investigates a particular asset to find associated users and their identity information
  • Checks the asset's compliance with a metric to see if the executive laptop has full disk encryption

Filter discovered network assets

To filter discovered network assets, Alex follows these steps:

  1. Alex selects Discovery and then Network asset discovery to find the assets discovered on the network.
  2. Alex creates a new filter and names it Executive laptops.
  3. Using Field filtering, Alex enters the following logic for the filter:
    1. asset_class = laptop
    2. user_title = executive

      In this scenario, Buttercup Games uses the word "executive" in its employee titles, which allows Alex to filter fields by a user title that includes "executive".

  4. Alex selects Save as new filter and then Search to see the filtered results.

Investigate an asset

To investigate an asset, Alex follows these steps:

  1. From the Asset details table on the Network asset discovery page, Alex selects an asset to investigate.
  2. On the Network asset investigation page, Alex finds asset details such as data sources used to discover the asset, the geographic location of discovery, and associated user IDs.
  3. Alex notices that there are several user IDs associated with the asset. They select a user ID to open the User identity investigation.
  4. Alex reviews the identity information to monitor the detection activity and compare the geographic location with other associated users.

Check compliance with a metric

To check an asset's compliance with a metric, Alex follows these steps:

  1. On the Network asset investigation page for the executive laptop, Alex reviews the Health check panel. The health check provides a Compliant or Noncompliant status for metrics added to Splunk Asset and Risk Intelligence by an administrator.
  2. Alex finds that the asset is noncompliant with the Full disk encryption metric.

Summary

In this scenario, while monitoring asset activity for suspicious behavior, Alex discovered an asset and then investigated it in Splunk Asset and Risk Intelligence. They filtered the discovered network assets by laptops used by executives, investigated a particular asset to find associated identity information, and then checked the asset's compliance with a known metric added by an administrator.

Learn more

To learn more about discovering and investigating assets in Splunk Asset and Risk Intelligence, see the following documentation:

Last modified on 06 August, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
