Investigate assets in Splunk Asset and Risk Intelligence
Splunk Asset and Risk Intelligence creates asset inventories by aggregating data from different sources such as log files, network devices, cloud services, workstations, servers, and databases. You can investigate any of the following items discovered by Splunk Asset and Risk Intelligence:
- Network assets
- User identities
- IP addresses
- MAC addresses
- Software
- Vulnerabilities
- IP subnets
Investigate a network asset, user identity, IP address, or MAC address
To investigate a network asset, user identity, IP address, or MAC address, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
- From the drop-down list, select what you want to investigate. For example, IP address investigation.
- Enter the name of the asset, identity, or address you want to investigate in the search box. For example, you can enter
20.20.20.20
for an IP address investigation. - Select Submit.
After you enter an asset, identity, or address to investigate, you can explore the resulting visualizations and begin your investigation.
To find a description of each visualization, see the following table:
Visualization | Description | Asset type dashboard it shows up in |
---|---|---|
Health check | Examine the health of assets based on known or custom metrics. To modify the health check metric, see Create and manage metrics in Splunk Asset and Risk Intelligence. | Network asset |
Record | Find fields and values pertaining to the asset. You can also find the data source attributed to each field and value to identify where it came from. Field values with the Applied logic data source come from a processing and advanced logic calculation in Splunk Asset and Risk Intelligence, and field values with the Custom data source come from the custom fields added to a particular inventory. |
|
Data sources | Find details on data sources that have detected the asset, including when the source last detected the asset and how many days ago it was originally detected. |
|
Geographic location | Find the geographic location associated with the asset. |
|
Discovered software | Find all of the detected software and software details for the given asset. | Network asset |
Discovered vulnerability | Find all of the detected vulnerabilities and vulnerability details for the given asset. | Network asset |
Detection activity | Discover how active the asset has been within the specified time frame. The default time frame is the past 7 days. |
|
Associated <asset> | Identify relationships between assets over the past 30 days. Select the node icon ( ) to open the attack surface explorer and visualize the relationship between your selected assets. |
|
Visualize relationships between assets with attack surface explorer
You can visualize relationships between network assets, IP addresses, users, and MAC addresses over time using the attack surface explorer. There are two ways to use the attack surface explorer:
- Manually enter the source, target, and source value on the Attack surface explorer page.
- Open the attack surface explorer from an investigation page, such as User identity investigation.
To visualize relationships by manually entering the source, target, and source value on the Attack surface explorer page, complete the following steps:
- Select Investigation and then Attack surface explorer in Splunk Asset and Risk Intelligence.
- Select a timeframe and a source.
- Enter the value of the asset, identity, or address you want to compare.
- Select a target.
- Select the number of Relationship degrees you want to visualize in the relationship diagram. Relationship degrees determine the association level of the asset comparison. For example, 2 relationship degrees might show the users associated with an asset, while 3 relationship degrees might show the asset, the users, and then additional assets associated with each user.
- (Optional) Select the Link weights check box to visualize the weight of asset relationships in the relationship diagram. The link weight is an association percentage determined by the number of detections between assets. When you turn on link weights, the line, or link, between assets appears thicker when the relationship is stronger.
- Select Submit.
- (Optional) After you see the relationship diagram display, you can exclude particular values by selecting the values in the Exclude target values list. For example, if there's a particular IP address you don't want to use in the comparison, you can select it as an excluded target value.
To visualize relationships by opening the attack surface explorer from an investigation page, complete the following steps:
- Select Investigation in Splunk Asset and Risk Intelligence.
- Select an investigation page. For example, User identity investigation or Software investigation.
Each investigation page includes associations. For example, if you're investigating user identities, there's a panel called Associated IP addresses. - Select the node icon ( ) for one of the association panels to open the attack surface explorer. Opening the attack surface explorer from an investigation pre-populates the source, target, and values.
- (Optional) Select the Link weights check box to visualize the weight of asset relationships in the relationship diagram. The link weight is an association percentage determined by the number of detections between assets. When you turn on link weights, the line, or link, between assets appears thicker when the relationship is stronger.
- Select Submit.
- (Optional) After you see the relationship diagram display, you can exclude particular values by selecting the values in the Exclude target values list. For example, if there's a particular IP address you don't want to use in the comparison, you can select it as an excluded target value.
Use filtered searches to investigate vulnerabilities and software
With Splunk Asset and Risk Intelligence, you can filter and discover vulnerabilities and software in your network. Filter software by vendor, product, or version, and filter vulnerabilities by vulnerability signature.
To filter and investigate vulnerabilities or software, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
- From the drop-down list, select Vulnerability investigation or Software investigation.
- Enter filters to configure your search. For example, to filter your software investigation by Microsoft Office products, enter Microsoft as the vendor and Office as the product.
- Select Submit. In the resulting report, you can see totals for unique vulnerabilities and network assets within your filtered search.
- (Optional) Select a row in the filtered search table to open the investigation for that asset.
Investigate an IP address by examining its subnet data
If you want to investigate an IP address that Splunk Asset and Risk Intelligence has not detected, or does not have complete data on, you can investigate it by examining its subnet data. Enter an IP address to search for ipv4 or ipv6 IP addresses detected in the same subnet. You can also specify which fields to group the subnets by, such as the city or country.
To investigate an IP address using subnet data, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
- From the drop-down list, select IP subnet investigation.
- Enter the IP address you want to investigate in the search box.
- Select the Subnet mask. For example, ipv4 /24.
- (Optional) Specify the Zone if you're utilizing IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
- (Optional) Select fields to group the subnet by.
- Select to geolocate the subnet by
city
,country
, orlocation_id
. - Select Submit.
After you submit your IP subnet investigation search, you can find all the IP addresses discovered at the subnets and the known asset information for each one. You can also find subnets that match the company subnet directory to see if the discovered subnets are in your inventory.
Review reports on discovered assets in Splunk Asset and Risk Intelligence | Customize your asset investigation in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!