Activate integration with Splunk Enterprise Security in Splunk Asset and Risk Intelligence
Splunk Asset and Risk Intelligence can integrate with Splunk Enterprise Security to add asset context to findings and enhance swim lanes for the Asset and Identity Investigators. With an active integration, Splunk Enterprise Security continuously updates its asset and identity inventories with Splunk Asset and Risk Intelligence data. Only a Splunk Asset and Risk Intelligence admin can activate the integration.
To learn more about what you can do with the Splunk Enterprise Security integration with Splunk Asset and Risk Intelligence, see Use Splunk Asset and Risk Intelligence data with Splunk Enterprise Security.
Activate the Splunk Enterprise Security integration
To activate the integration with Splunk Enterprise Security, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Integrations and then Enterprise Security configuration.
- Select Enable Integration.
- Select Enable. After all of the integration items display "Success", the dialog window closes.
After you activate the integration, you must configure the asset and identity synchronization in order for Splunk Asset and Risk Intelligence data to appear in Splunk Enterprise Security.
Configuring the asset and identity synchronization
To configure the asset and identity synchronization between Splunk Asset and Risk Intelligence inventory fields and Splunk Enterprise Security fields, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Integrations and then Enterprise Security configuration.
- In the Asset and identity synchronization section, select the settings icon in the Assets row.
- Toggle the switch to Active.
- Use the drop-down list to set the Sync schedule. The sync schedule represents how often the assets are sent to Splunk Enterprise Security. The default time is Every 15 mins.
- Use the drop-down list to set the Discovered period. The discovered period represents the scope of the assets sent based on their last discovery date. The default is all assets discovered in the Past 30 days.
- Map the Splunk Asset and Risk Intelligence Inventory field(s) to the Enterprise Security field as required. You can map some Enterprise Security fields to more than one inventory field.
In the Asset and Identity management view in Splunk Enterprise Security, you can add or remove Asset fields. If you want to map a Splunk Asset and Risk Intelligence field such as asset_type to an equivalent field in Enterprise Security, you must first add it as an asset field in Enterprise Security so that it appears for mapping.
- Select Save.
- Repeat the same steps for Identity synchronization.
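To make the asset synchronization settings above concrete, here is a small Python model of one sync run, added as an illustration and not Splunk's own code: it applies the Discovered period to constructed inventory records, maps inventory fields to Enterprise Security fields (including one Enterprise Security field fed by two inventory fields), and refuses a mapping whose target field has not yet been added in Enterprise Security. The inventory field names, the sample records, the sync time and the pipe-joined multivalue convention are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed ARI inventory records; the field names are assumptions, not the real ARI schema.
ARI_INVENTORY = [
    {"ip_address": "10.0.0.5", "secondary_ip": "10.0.0.6", "host_name": "web01",
     "mac_address": "00:11:22:33:44:55", "asset_type": "server", "last_discovered": "2024-06-01T12:00:00Z"},
    {"ip_address": "10.0.0.9", "host_name": "old-printer", "mac_address": "00:aa:bb:cc:dd:ee",
     "asset_type": "printer", "last_discovered": "2024-01-15T08:30:00Z"},
    {"ip_address": "10.0.0.12", "host_name": "lap22", "mac_address": "00:de:ad:be:ef:01",
     "asset_type": "laptop", "last_discovered": "2024-06-10T09:00:00Z"},
]
SYNC_TIME = datetime(2024, 6, 15, tzinfo=timezone.utc)  # constructed time of this sync run

# Asset fields ES exposes for mapping; "asset_type" was added in the Asset and Identity management view first.
ES_ASSET_FIELDS = {"ip", "nt_host", "mac", "asset_type"}

# ES field -> one or more inventory fields (some ES fields accept more than one).
FIELD_MAP = {
    "ip": ["ip_address", "secondary_ip"],
    "nt_host": ["host_name"],
    "mac": ["mac_address"],
    "asset_type": ["asset_type"],
}

def validate_mapping(field_map, es_fields):
    """Return mapped ES fields that do not exist in ES yet; add them in ES before mapping."""
    return sorted(set(field_map) - set(es_fields))

def select_assets(inventory, now, discovered_days=30):
    """Apply the Discovered period: keep assets whose last discovery falls inside the window."""
    cutoff = now - timedelta(days=discovered_days)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return [a for a in inventory
            if datetime.strptime(a["last_discovered"], fmt).replace(tzinfo=timezone.utc) >= cutoff]

def to_es_asset(asset, field_map):
    """Build one ES asset record; several inventory values for one ES field are pipe-joined (assumed)."""
    record = {}
    for es_field, ari_fields in field_map.items():
        values = [str(asset[f]) for f in ari_fields if asset.get(f)]
        if values:
            record[es_field] = "|".join(values)
    return record

def sync_assets(inventory, field_map, es_fields, now, discovered_days=30):
    """One sync run: refuse unknown target fields, then convert the in-scope assets."""
    missing = validate_mapping(field_map, es_fields)
    if missing:
        raise ValueError(f"add these asset fields in Enterprise Security first: {missing}")
    return [to_es_asset(a, field_map) for a in select_assets(inventory, now, discovered_days)]
```

With the sample data, the printer last seen in January falls outside the 30-day period and is not sent, while web01 arrives with both of its addresses in the ip field.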
Deactivate the Splunk Enterprise Security integration
To deactivate the integration with Splunk Enterprise Security, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Integrations and then Enterprise Security configuration.
- Select Disable Integration.
- Select Disable. After all of the integration removal items display "Success", the dialog box closes.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1