Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Create and manage cybersecurity frameworks in Splunk Asset and Risk Intelligence

Cybersecurity frameworks provide standardized guidelines for addressing risk. Splunk Asset and Risk Intelligence includes a number of common security frameworks, such as NIST and HIPAA, called known frameworks. You can also create your own custom frameworks.

By adding frameworks to Splunk Asset and Risk Intelligence, you can provision metrics that map to the framework controls, and then use them to identify security control gaps and track the remediation process.

You don't need to add a framework to add a metric.

Every active framework has an associated dashboard that you can filter based on category, control, or metric. The dashboard includes all the metrics provisioned for that framework. After you add and activate a framework, you can find it by selecting Risk and then Frameworks in the main menu navigation bar.

Available known frameworks

The following table describes the known frameworks available in Splunk Asset and Risk Intelligence:

Known framework Framework name Description
NIST CSFv2 US National Institute of Standards and Technology Based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risks. It's widely used by public and private organizations of all sectors and sizes around the world.
ISO/IEC 27001:2022 International Organization for Standardization / International Electrotechnical Commission Provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
HIPAA Health Insurance Portability and Accountability Act of 1996 Establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
PCI v4 Payment Card Industry Data Security Standard Provides a baseline of technical and operational requirements designed to protect account data.
ASD ISM Australian Signals Directorate Information Security Manual Protects information technology and operational technology systems, applications, and data from cyber threats.
ASD Essential 8 Australian Signals Directorate Essential Eight Helps organizations protect themselves against various cyber threats with a set of prioritized mitigation strategies. The Essential Eight is designed to protect organizations' internet-connected information technology networks.
CCCS ITSG-33 Canadian Centre for Cyber Security, IT Security Guidance Publication Contains a catalogue of security controls structured into three classes of control families: technical, operational and management. These together represent a holistic collection of standardized security requirements that can be considered and leveraged when building and operating IT environments.
NCSC CAF v3.2 UK National Cyber Security Centre, Cyber Assessment Framework Provides a systematic and comprehensive approach for assessing the extent of which cyber risks to essential functions are being managed by the organization responsible.
NCSC Cyber Essentials UK National Cyber Security Centre, Cyber Essentials Helps protect organizations against a whole range of the most common cyber attacks with a government-backed scheme.
NERC CIP v5 North American Electric Reliability Corporation Critical Infrastructure Protection Reduces risks to the reliability of the Bulk Electric Systems (BES) from any compromise of critical cyber assets, such as computers, software, and communication networks, that support those systems.
NIST SP 800-171 r3 US National Institute of Standards and Technology Provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI), when the information is resident in nonfederal systems and organizations. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components.
NIST SP 800-53 r5 US National Institute of Standards and Technology Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the nation from a diverse set of threats and risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.
NZISM v3.8 New Zealand Information Security Manual Designed to meet the needs of agency information security executives as well as vendors, contractors, and consultants who provide services to agencies.

Add a known framework

To add a known framework, complete the following steps:

  1. Select Admin then Risk management and then Metric and framework management.
  2. In the Cybersecurity frameworks table, select Add framework and then Add known framework.
  3. Select a framework from the drop-down list of templates.
  4. (Optional) Edit the framework name and ID.
  5. (Optional) You can map metrics as you add the framework or after you add the framework. Select the check boxes to map metrics to framework controls. Metrics with Map metric have already been added to Splunk Asset and Risk Intelligence, and metrics with Create metric have not.
  6. Select Add.

    If you selected to create metrics, it might take some time for the system to create these metrics.

  7. Locate the framework you added in the Cybersecurity frameworks table, and then activate it by selecting the settings icon ( settings ) and turning the toggle switch to Active. You must activate the framework in order to view the framework dashboard and metric mappings.

Add a custom framework

Create a custom framework with your own categories and controls, and then map metrics to each control.

To add a custom framework, complete the following steps:

  1. Select Admin then Risk management and then Metric and framework management.
  2. In the Cybersecurity frameworks table, select Add framework and then Add custom framework.
  3. Enter a name and ID for the framework.
  4. (Optional) Enter a framework description.
  5. Activate the framework by turning the toggle switch to Active. You must activate the framework in order to map metrics to the controls of the framework.
  6. Select Add.
  7. Locate the framework you added in the Cybersecurity frameworks table, and then select the settings icon ( settings ) to add categories.
    1. Select Add category.
    2. Enter a name and ID for the category.
    3. (Optional) Enter a description for the category.
    4. Select Add.
    5. (Optional) In the Categories section, select the settings icon ( settings ) to edit a category and the remove icon ( remove ) to delete one.
    6. Select Update.
  8. Locate the framework you added in the Cybersecurity frameworks table, and then select the preferences icon ( preferences ) to add controls and their associated metrics.
    1. Select Add control.
    2. Using the drop-down list, select a category to add the control to.
    3. Enter a control ID.
    4. (Optional) Enter a description for the control.
    5. Using the drop-down list, select metrics to map to the control.

      You can also select controls to map a particular metric. See Create and manage metrics in Splunk Asset and Risk Intelligence.

    6. Select Add.

Edit or delete a framework

To edit or delete a framework, complete the following steps:

  1. Select Admin then Risk management and then Metric and framework management.
  2. Locate the framework you added in the Cybersecurity frameworks table, and then select the settings icon ( settings ) to edit it. Make sure to select Update to save your changes.
  3. Locate the framework you added in the Cybersecurity frameworks table, and then select the remove icon ( remove ) to delete it.
Last modified on 28 February, 2025
Create and manage risk scoring rules in Splunk Asset and Risk Intelligence   Monitor, export, and share audit data in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters