Create and manage metrics in Splunk Asset and Risk Intelligence
Security metrics in Splunk Asset and Risk Intelligence are quantifiable measurements that you can use to review the status of assets. Metrics are based on the data sources you add to Splunk Asset and Risk Intelligence, and they can help you identify security control gaps and track the remediation process.
Splunk Asset and Risk Intelligence includes a number of common security metrics called known metrics. You can also create your own custom metrics.
Add a known metric
To add a known metric, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric and framework management.
- Select Add metric and then Add known metric.
- Select a metric from the Metric to add drop-down list.
- (Optional) Edit the pre-populated Name and Matrix label fields.
- Select a data source associated with the metric you're adding. The drop-down list includes only data sources that have already been configured. Select None if no data source applies.
- (Optional) Select the Map to known frameworks check box if you want to automatically apply the metric to any known cybersecurity frameworks. If you select this option, the metric data appears on the framework dashboard, which you can open by selecting Risk and then Frameworks.
- Select Add. It might take a few seconds before the metric gets added with all the necessary configurations.
After you add a metric, you might want to edit the metric logic. Known metrics don't require additional configuration, but you can customize them further by editing the metric logic. See Edit metric logic.
After you add and configure the metric, you can find it in the drop-down list by selecting Risk and then Metrics from the main menu navigation bar.
Available known metrics
The following table describes the known metrics available by default:
Metric | Applicable asset types | Type |
---|---|---|
Asset Management | Server, Workstation, Network | Asset |
Data Loss Prevention | Server, Workstation | Asset |
Default Accounts | n/a | Identity |
Endpoint Security | Server, Workstation | Asset |
Firewall | Server, Workstation | Asset |
Full Disk Encryption | Server, Workstation | Asset |
Legacy OS | Server, Workstation | Asset |
Log Collection | Server, Workstation | Asset |
Patch Management | Server, Workstation | Asset |
Screen Locking | Server, Workstation | Asset |
Secure Configuration | Server, Workstation, Network | Asset |
Security Awareness Training | n/a | Identity |
Vulnerability Scanning | Server, Workstation, External | Asset |
Create a custom metric
To create a custom metric, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric and framework management.
- Select Add metric and then Add custom metric.
- Enter a name for the metric.
- Using the drop-down list, select a Risk level.
- Enter a Metric snapshot schedule using cron format. The metric snapshot schedule is the frequency for generating a summary of metric compliance.
- Select the metric type, either Asset or Identity, that you want to use for the metric.
- (Optional) Select a Cybersecurity framework mapping.
- (Optional) Using the toggle switches, select where to display the metric in Splunk Asset and Risk Intelligence. You can add it to the home page, and then decide where to place it on the home page among the other metrics. You can also add the metric to the health check panel on the relevant investigation page.
- Enter a Matrix dashboard label. This is the label used for the metric visualization on the Metrics matrix page.
- (Optional) Add additional labels and descriptions. You can enter short labels and longer descriptions to include with your metric. For example, for the Metric opportunity description, a helpful description might be, "All workstations discovered on the network within the last 15 days."
- Select Add.
- After Splunk Asset and Risk Intelligence successfully configures your metric, select Close.
After you create a custom metric, you must edit the metric logic. See Edit metric logic.
After you add and configure a custom metric, you can find it in the drop-down list by selecting Risk and then Metrics from the main menu navigation bar.
Edit metric settings
You can edit the default settings of a known metric, or you can modify the settings you created for a custom metric.
To edit a metric, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric and framework management.
- Locate the metric you want to edit in the metrics table, and then select the settings icon.
- Make your modifications. To save the metric, you must enter a value for the following fields:
- Metric name
- Metric snapshot schedule
- Matrix dashboard label
- (Optional) To generate a metric compliance summary, select Generate metric snapshot.
- Select Update.
Edit metric logic
Metric logic determines the following for each metric:
- The assets or identities in scope for the metric (the opportunities)
- The criteria that determine whether an in-scope asset or identity is non-compliant (a defect)
To edit the logic for a metric, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric and framework management.
- Locate the metric whose logic you want to edit in the metrics table, and then select the search icon.
- In the Opportunities section of the Edit metric logic dialog box, you can modify the following fields:
- Asset types: Select which asset types are in scope for this metric. For example, if you want to create a metric only for workstation assets, select Workstation.
This field applies only to asset metrics.
- Last discovered: Identify the time range of data to include in the metric. This field uses Splunk relative time. For example, if the metric type is set to Asset, then a value of -15d includes all assets discovered in the past 15 days.
- Fields: Identify the fields from the asset record to use in the metric. You can add more fields by selecting them from the drop-down list and selecting Add field, remove fields by selecting x, and reorder fields by dragging and dropping them. You can include the lastdetect value for a particular data source by adding the lastdetect_sourcename field, where sourcename is the name of that data source.
- Additional logic: Narrow down the scope of the metric even further. For example, if you want to limit the metric to report on only Windows laptops, enter os=Windows* asset_class=Laptop. You can't use pipe ( | ) operators or complex Splunk SPL in the additional logic. However, you can select the where command from the drop-down list to enter more advanced logic.
- In the Defects section of the Edit metric logic dialog box, you can modify the following fields:
- Defect logic: The defect logic uses an if() or case() eval statement with the available field values to determine whether an asset is a defect. The defect value must be either 1 or 0, where 1 is non-compliant and 0 is compliant. The lastdetect_sourcename field represents the last detection time for a particular data source. For example, you can enter logic that identifies a missing last detected date, like defect = if(isnull(lastdetect_SnowCIServer),"1","0"), to determine whether Splunk Asset and Risk Intelligence has ever detected the asset in that data source.
- Defect reason: If there are multiple reasons why an asset might be a defect, you can enter an if() or case() eval statement. For example, defect_reason = if(isnull(lastdetect_CrowdstrikeDevice),"No endpoint security agent detected","Not reporting into endpoint security"). If there is only one reason, you can enter the defect reason in quotes. For example, "Not in asset management solution".
- (Optional) Select Preview to see the logic results in the table. In the defect column, "1" indicates that the asset is a defect, and "0" indicates that the asset is not a defect.
- Select Update.
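As an added example (not taken from the Splunk documentation), the following shows the three logic fields filled in together for an Endpoint Security metric that is scoped to Windows laptops and that counts a stale agent as a defect as well as a missing one. The field name lastdetect_CrowdstrikeDevice and the scope expression are the ones used on this page; the 7-day staleness threshold, and the assumption that lastdetect_sourcename values are epoch timestamps that can be compared against relative_time(), are this editor's assumptions. Each label names the dialog field, and only the expression beneath it goes into that field.

```spl
Additional logic:
os=Windows* asset_class=Laptop

Defect logic:
defect = case(
    isnull(lastdetect_CrowdstrikeDevice), "1",
    lastdetect_CrowdstrikeDevice < relative_time(now(), "-7d@d"), "1",
    true(), "0")

Defect reason:
defect_reason = case(
    isnull(lastdetect_CrowdstrikeDevice), "No endpoint security agent detected",
    lastdetect_CrowdstrikeDevice < relative_time(now(), "-7d@d"), "Not reporting into endpoint security",
    true(), "Compliant")
```

Keep the branches of the defect reason in the same order as the branches of the defect logic, because case() returns the value of the first condition that is true. If the two statements are ordered differently, an asset can be counted as a defect for one reason and labelled with another. Use Preview before selecting Update to confirm that assets with no lastdetect_CrowdstrikeDevice value and assets with an old one both show "1" in the defect column.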
Edit a metric alert
After you create a custom metric or add a known metric, you can turn on an alert for the metric and set an alert schedule. To edit a metric alert, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric and framework management.
- In the Metrics table, locate the metric you want to edit.
- Select the more icon in the actions column.
- Select Edit alert.
- Select the toggle switch to turn on the metric alert.
- Enter an alert schedule.
- (Optional) Select the Send email toggle switch to turn on email notifications for the alert. Then, enter one or more email addresses.
- Select Update.
Split a metric by fields
Split up a metric by a particular field so that you can filter your metric dashboards without creating new metrics. For example, a large company might want to see metric data for each of its business units. Instead of creating a new metric for each business unit, you can split the metric by the bunit field. Then, when viewing the metric dashboard, you can select bunit in the Split by drop-down list.
You can split a metric only by the following fields:
Metric type | Fields available to split by |
---|---|
Asset | asset_type, bunit, environment, location_id, priority, provider, region |
Identity | domain, user_bunit, user_location_id, user_priority, user_region |
There are two parts to configuring a metric split by fields:
- Select a field to split the metric by
- Add the field to metrics
Select a field to split the metric by
To split a metric by a particular field, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
- In the Metric display options section, select Edit.
- Using the drop-down lists in the Metric split by settings dialog box, select the field you want to split the metric by. You can select a field for assets and for identities. For example, you can select bunit for Assets.
- (Optional) Select the check box for Show on homepage if you want to be able to filter the homepage by the field you selected.
- Select Update.
Add the field to metrics
To add the field you selected to metrics, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk and then Metric and framework management.
- Locate the first metric with the appropriate type. For example, if you configured the split by settings for the Asset metric type, identify the first metric in the table with a Type of Asset.
- Select the search icon for that metric.
- In the Edit metric logic dialog box, use the Fields drop-down list to choose the split by field that you selected. For example, if you selected bunit as the split by field, add bunit to the list of fields for the metric.
- Select Add field.
- Select Update.
- Repeat this process for all other metrics of the same type.
The split takes effect after the next scheduled snapshot of the metrics. You can force a snapshot by selecting Edit metric settings for a metric and then selecting Generate metric snapshot. You must do this for every metric of the same type.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1