Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Field reference for Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence includes fields that you can use for discovery filters, investigations, enrichment rules, and metrics. Splunk Asset and Risk Intelligence includes the following types of fields:

  • Network asset fields
  • IP address fields
  • User identity fields
  • MAC address fields
  • Vulnerability fields
  • Software fields

Network asset fields

Field Description
asset_class The class of the asset. For example, "desktop" or "phone".
asset_type The type of asset. For example, "server" or "workstation".
bunit The business unit.
business The business name.
category The category of the asset. For example, "domain controller".
city The city location of the asset.
classification The asset classification value.
country The country location of the asset.
cpu_cores The number of CPU cores.
cpu_count The number of CPUs.
cpu_mhz The CPU megahertz value.
criticality The criticality value of the asset. For example, "high" or "medium".
dns The fully qualified domain name (FQDN) of the asset.
fde_encrypted A value of either 0 or 1 to designate full disk encryption.
firstdetect The time the asset was first detected.
ip The IP address of the asset.
ip_translated The translated IP address of the asset. For example, the external IP address of a VPN asset.
ip_zone The IP zone address of the asset. If IP zones are not in use, the value is "default".
lastdetect The time the asset was last detected.
lastdetect_prev The time the asset was last detected previously.
lat The latitude of the asset.
location_id An identifying location code.
lon The longitude of the asset.
mac The last discovered MAC address of the asset.
mem The amount of RAM.
nt_host The hostname of the discovered asset.
os The operating system.
os_version The version of the operating system.
os_platform The platform of the operating system.
os_major The major version of the operating system.
os_minor The minor version of the operating system.
os_build The build of the operating system.
os_rev The revision of the operating system.
product The product name of the asset. For example, "Latitude".
product_version The product version of the asset. For example, "10".
provider The asset provider. For example, "Amazon" or "Google".
sensitivity The sensitivity value of the asset.
serial The serial number of the asset.
state The state or region location of the asset.
status The status of the asset. For example, "decommissioned" or "active".
user_id The last discovered user of the asset.
vendor The vendor of the asset. For example, "Dell".

IP address fields

Field Description
business The business name.
firstdetect The time the IP address was first detected.
ip The discovered IP address.
ip_city The city location of the IP subnet.
ip_classification The IP subnet classification.
ip_country The country location of the IP subnet.
ip_criticality The criticality of the IP subnet.
ip_description The description of the IP subnet.
ip_region The region location of the IP subnet.
ip_sensitivity The sensitivity value of the IP subnet.
ip_state The state location of the IP subnet.
ip_translated The translated IP address. For example, an external IP address of a VPN asset.
ip_type The type of IP subnet.
ip_zone The IP zone address of the asset associated with the IP address. If IP zones are not in use, the value is "default".
lastdetect The time the IP address was last detected.
lastdetect_prev The time the IP address was last detected previously.
lat The latitude of the IP address.
location_id An identifying location code.
lon The longitude of the IP address.
mac The MAC address associated with the IP address.
nt_host The hostname associated with the IP address.
process A value indicating records being processed.
user_id The user of the IP address.

User identity fields

Field Description
business The business name.
domain The corporate directory domain name.
firstdetect The time the user ID was first detected.
ip The IP address of the user.
ip_translated The translated IP address. For example, an external IP address of a VPN asset.
ip_zone The IP zone address of the asset associated with the user. If IP zones are not in use, the value is "default".
lastdetect The time the user ID was last detected.
lastdetect_prev The time the user ID was last detected previously.
lat The latitude location of the user.
lon The longitude location of the user.
mac The MAC address associated with the user.
nt_host The hostname associated with the user.
process A value indicating records being processed.
user_bunit The matching corporate directory business unit.
user_business The matching corporate directory business name.
user_category The matching corporate directory user category.
user_city The matching corporate directory city.
user_country The matching corporate directory country.
user_email The matching corporate directory email address.
user_end_date The matching end date for the user from the corporate directory.
user_first The matching first name from the corporate directory.
user_id The discovered user ID.
user_last The matching last name of the user from the corporate directory.
user_location_id The matching location code from the corporate directory.
user_priority The matching priority from the corporate directory.
user_region The matching region from the corporate directory.
user_start_date The matching start date from the corporate directory.
user_state The matching state from the corporate directory.
user_title The matching title from the corporate directory.

MAC address fields

Field Description
business The business name.
firstdetect The time the MAC address was first detected.
ip The IP address associated with the MAC address.
ip_zone The IP zone address of the asset associated with the MAC address. If IP zones are not in use, the value is "default".
lastdetect The time the MAC address was last detected.
lastdetect_prev The time the MAC address was last detected previously.
lat The latitude location of the MAC address.
location_id An identifying location code of the MAC address.
lon The longitude location of the MAC address.
mac The discovered MAC address.
mac_city The city location of the MAC address.
mac_country The country location of the MAC address.
mac_product The product name of the MAC address. For example, "Latitude".
mac_region The region location of the MAC address.
mac_state The state location of the MAC address.
mac_vendor The vendor of the MAC address.
nt_host The hostname associated with the MAC address.
user_id The user associated with the MAC address.

Vulnerability fields

Field Description
agent_uuid The unique ID for the agent responsible for detecting the vulnerability.
asset_uuid The unique ID of the asset associated with the vulnerability.
business The business name.
category The category of the asset. For example, "Domain Controller".
cert A value that corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team.
cve A value that corresponds to an identifier provided in the Common Vulnerabilities and Exposures index.
cvss A numeric indicator of the common vulnerability scoring system.
firstdetect The time the vulnerability was first detected.
lastdetect The time the vulnerability was last detected.
msft A value that corresponds to a Microsoft Security Advisory number.
mskb A value that corresponds to a Microsoft Knowledge Base article number.
nt_host The hostname of the asset associated with the detected vulnerability.
os The operating system of the asset associated with the detected vulnerability.
plugin_id The ID of the vulnerability plugin used to detect the vulnerability.
port The port used by the detected vulnerability.
product The name of the software product. For example, "Skype".
protocol The OSI layer 3 network protocol of the traffic observed. This value is lowercase. For example, "ip", "appletalk", or "ipx".
scan_type The type of security scan performed.
scan_uuid The unique ID for the specific scan done.
service The application service that the vulnerability was detected on.
severity The severity of the vulnerability detection event. Specific values are required. Use the vendor_severity field for the vendor's own human-readable strings, such as "Good" or "Bad". This field is a string. Use the severity_id field for numeric data types.
severity_id The numeric or vendor-specific severity indicator corresponding to the event severity.
signature The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, or Denial of Service (DoS). This field is a string. Use the signature_id field for numeric indicators.
signature_id The unique identifier or event code of the event signature.
state The matching state from the corporate directory.
url The URL involved in the discovered vulnerability.
vendor The vendor of the asset associated with the vulnerability. For example, "Dell".
xref A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the cross-referenced database and the unique identifier used in the external database.

Software fields

Field Description
business The business name.
firstdetect The time the software was first detected.
lastdetect The time the software was last detected.
nt_host The hostname of the asset with the detected software.
product The name of the software product. For example, "Skype".
vendor The vendor of the software product. For example, "Microsoft".
version The version of the software.
Last modified on 05 August, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2

