Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Investigate assets in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence creates asset inventories by aggregating data from different sources such as log files, network devices, cloud services, workstations, servers, and databases. You can investigate any of the following items discovered by Splunk Asset and Risk Intelligence:

  • Network assets
  • User identities
  • IP addresses
  • MAC addresses
  • Software
  • Vulnerabilities
  • IP subnets

Investigate a network asset, user identity, IP address, or MAC address

To investigate a network asset, user identity, IP address, or MAC address, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, IP address investigation.
  3. Enter the name of the asset, identity, or address you want to investigate in the search box. For example, you can enter 20.20.20.20 for an IP address investigation.
  4. Select Submit.

After you enter an asset, identity, or address to investigate, you can explore the resulting visualizations and begin your investigation.

To find a description of each visualization, see the following table:

Visualization Description Asset type dashboard it shows up in
Health check Examine the health of assets based on known or custom metrics. To modify the health check metric, see Create and manage metrics in Splunk Asset and Risk Intelligence. Network asset
Record Find fields and values pertaining to the asset. You can also find the data source attributed to each field and value to identify where it came from. Field values with the Applied logic data source come from a processing and advanced logic calculation in Splunk Asset and Risk Intelligence, and field values with the Custom data source come from the custom fields added to a particular inventory.
  • Network asset
  • User identity
  • IP address
  • MAC address
Data sources Find details on data sources that have detected the asset, including when the source last detected the asset and how many days ago it was originally detected.
  • Network asset
  • User identity
  • IP address
  • MAC address
Geographic location Find the geographic location associated with the asset.
  • Network asset
  • User identity
  • IP address
  • MAC address
Discovered software Find all of the detected software and software details for the given asset. Network asset
Discovered vulnerability Find all of the detected vulnerabilities and vulnerability details for the given asset. Network asset
Detection activity Discover how active the asset has been within the specified time frame. The default time frame is the past 7 days.
  • Network asset
  • User identity
  • IP address
  • MAC address
Associated <asset> Identify relationships between assets over the past 30 days. Select the node icon ( node ) to open the attack surface explorer and visualize the relationship between your selected assets.
  • Network asset
  • User identity
  • IP address
  • MAC address

Visualize relationships between assets with attack surface explorer

You can visualize relationships between network assets, IP addresses, users, and MAC addresses over time using the attack surface explorer. There are two ways to use the attack surface explorer:

  • Manually enter the source, target, and source value on the Attack surface explorer page.
  • Open the attack surface explorer from an investigation page, such as User identity investigation.

To visualize relationships by manually entering the source, target, and source value on the Attack surface explorer page, complete the following steps:

  1. Select Investigation and then Attack surface explorer in Splunk Asset and Risk Intelligence.
  2. Select a timeframe and a source.
  3. Enter the value of the asset, identity, or address you want to compare.
  4. Select a target.
  5. Select the number of Relationship degrees you want to visualize in the relationship diagram. Relationship degrees determine the association level of the asset comparison. For example, 2 relationship degrees might show the users associated with an asset, while 3 relationship degrees might show the asset, the users, and then additional assets associated with each user.
  6. (Optional) Select the Link weights check box to visualize the weight of asset relationships in the relationship diagram. The link weight is an association percentage determined by the number of detections between assets. When you turn on link weights, the line, or link, between assets appears thicker when the relationship is stronger.
  7. Select Submit.
  8. (Optional) After you see the relationship diagram display, you can exclude particular values by selecting the values in the Exclude target values list. For example, if there's a particular IP address you don't want to use in the comparison, you can select it as an excluded target value.

To visualize relationships by opening the attack surface explorer from an investigation page, complete the following steps:

  1. Select Investigation in Splunk Asset and Risk Intelligence.
  2. Select an investigation page. For example, User identity investigation or Software investigation.
    Each investigation page includes associations. For example, if you're investigating user identities, there's a panel called Associated IP addresses.
  3. Select the node icon ( node ) for one of the association panels to open the attack surface explorer. Opening the attack surface explorer from an investigation pre-populates the source, target, and values.
  4. (Optional) Select the Link weights check box to visualize the weight of asset relationships in the relationship diagram. The link weight is an association percentage determined by the number of detections between assets. When you turn on link weights, the line, or link, between assets appears thicker when the relationship is stronger.
  5. Select Submit.
  6. (Optional) After you see the relationship diagram display, you can exclude particular values by selecting the values in the Exclude target values list. For example, if there's a particular IP address you don't want to use in the comparison, you can select it as an excluded target value.

Use filtered searches to investigate vulnerabilities and software

With Splunk Asset and Risk Intelligence, you can filter and discover vulnerabilities and software in your network. Filter software by vendor, product, or version, and filter vulnerabilities by vulnerability signature.

To filter and investigate vulnerabilities or software, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select Vulnerability investigation or Software investigation.
  3. Enter filters to configure your search. For example, to filter your software investigation by Microsoft Office products, enter Microsoft as the vendor and Office as the product.
  4. Select Submit. In the resulting report, you can see totals for unique vulnerabilities and network assets within your filtered search.
  5. (Optional) Select a row in the filtered search table to open the investigation for that asset.

Investigate an IP address by examining its subnet data

If you want to investigate an IP address that Splunk Asset and Risk Intelligence has not detected, or does not have complete data on, you can investigate it by examining its subnet data. Enter an IP address to search for ipv4 or ipv6 IP addresses detected in the same subnet. You can also specify which fields to group the subnets by, such as the city or country.

To investigate an IP address using subnet data, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select IP subnet investigation.
  3. Enter the IP address you want to investigate in the search box.
  4. Select the Subnet mask. For example, ipv4 /24.
  5. (Optional) Specify the Zone if you're utilizing IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
  6. (Optional) Select fields to group the subnet by.
  7. Select to geolocate the subnet by city, country, or location_id.
  8. Select Submit.

After you submit your IP subnet investigation search, you can find all the IP addresses discovered at the subnets and the known asset information for each one. You can also find subnets that match the company subnet directory to see if the discovered subnets are in your inventory.

Last modified on 16 October, 2024
Review reports on discovered assets in Splunk Asset and Risk Intelligence   Customize your asset investigation in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters