Create and manage risk scoring rules in Splunk Asset and Risk Intelligence
In Splunk Asset and Risk Intelligence, you can create risk scoring rules based on filters or metrics to assign risk to assets. By assigning risk, you can monitor and investigate assets based on their risk level and total risk score.
The following table describes the risk terms in Splunk Asset and Risk Intelligence:
| Risk term | Description |
|---|---|
| Risk score | The score that results from the process of creating a risk scoring filter, adding a risk scoring rule, and then running the rule to assign a score to each affected asset. |
| Risk scoring rule | Rules based on filters or metrics to assign risk to assets. By assigning risk, you can monitor and investigate assets based on their risk level and total risk score. |
| Risk score period | A specific period of time following the execution of a risk scoring rule when the risk score is valid. |
| Total risk score | The total calculated risk score for each asset, or the sum of all active risk scores from all risk rules that affect each asset. Only risk scores within their risk score period are included in the total risk score. |
Add a risk scoring rule
A risk scoring rule based on a metric checks whether or not an asset is a defect of that metric. For example, if you added a full disk encryption metric for laptop workstations, you can create a risk scoring rule that assigns risk to any asset that doesn't comply with that metric.
A risk scoring rule based on a filter checks whether or not an asset matches the logic you defined in the filter. For example, if you created a filter for all the laptops used by executives in your organization, you can create a risk scoring rule that assigns a higher risk to those assets because the data might be more sensitive.
Prerequisite
Before you can add a risk scoring rule, you must first add a metric or a risk scoring filter. See Create and manage metrics in Splunk Asset and Risk Intelligence or Add a risk scoring filter.
Steps
- In Splunk Asset and Risk Intelligence, select Admin then Risk management and then Risk scoring rule management.
- Select Add new rule.
- Enter a name and description for the rule.
- Using the drop-down list, select a Filter type. For example, to create a rule based on a metric, select Asset metric. Or, to create a rule based on a filter you created, you can select Asset record, Asset software, or Asset vulnerability.
- Select a Risk level to assign to assets that fit the risk scoring rule. For example, a High risk score receives a risk score of 50 by default. To customize the risk score for each risk level, see Modify risk settings.
- Enter a Risk score period in seconds. Splunk Asset and Risk Intelligence calculates risk for assets discovered within the time frame you specify for the risk score period. By default, Splunk Asset and Risk Intelligence uses the risk score for a risk score period of 24 hours, or 86400 seconds, after an asset triggers a risk rule. During this period, the score contributes to the total risk score for the asset. After this period passes, the score no longer contributes to the total risk score unless the risk rule triggers again.
- Activate the risk scoring rule by turning the toggle switch to Active. You must activate a risk scoring rule in order to run it on discovered assets.
- Select Add rule.
By default, the risk processing search is turned on so that Splunk Asset and Risk Intelligence can assign risk to assets. To turn on or turn off the risk processing search, see Modify risk settings.
After you add a risk scoring rule, the rule runs on a schedule where Splunk Asset and Risk Intelligence processes the risk and then calculates composite risk scores for assets. To modify the default schedule or to run the risk processing search outside of its defined schedule, see Modify risk settings.
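The following Python model is an added example, not code from Splunk Asset and Risk Intelligence. It shows how the two rule types described above (metric-based rules that trigger on an asset's metric defects, and filter-based rules that trigger on asset record logic) assign scores, and how the total risk score is then the sum of only those scores still inside their risk score period. The 50-point High score and the 86400-second default period come from this page; the 25-point score for the second rule, the sample assets, the rule names, and the choice to treat a score as expired exactly when the full period has elapsed are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Documented defaults from the page: a High rule scores 50 and a score stays
# valid for a risk score period of 24 hours (86400 seconds).
DEFAULT_RISK_SCORE_PERIOD = 86400
HIGH_RISK_SCORE = 50


@dataclass
class Asset:
    """A discovered asset: its record fields plus the metrics it fails (its defects)."""
    name: str
    fields: dict
    metric_defects: set = field(default_factory=set)


@dataclass
class RiskRule:
    """A risk scoring rule: a predicate over an asset, a score, a validity period and an active flag."""
    name: str
    matches: Callable[[Asset], bool]
    score: int
    period: int = DEFAULT_RISK_SCORE_PERIOD
    active: bool = True


@dataclass
class RiskScore:
    """One score assigned to an asset when a rule triggered at time assigned_at (epoch seconds)."""
    rule: str
    score: int
    assigned_at: int
    period: int

    def is_valid(self, now: int) -> bool:
        # A score counts while fewer than `period` seconds have elapsed since it was assigned.
        # Treating the exact boundary as expired is an assumption, not stated on the page.
        return 0 <= now - self.assigned_at < self.period


def metric_rule(name: str, metric: str, score: int, **kw) -> RiskRule:
    """Rule that triggers when the asset is a defect of the named metric."""
    return RiskRule(name, lambda a: metric in a.metric_defects, score, **kw)


def filter_rule(name: str, predicate: Callable[[Asset], bool], score: int, **kw) -> RiskRule:
    """Rule that triggers when the asset matches the filter logic."""
    return RiskRule(name, predicate, score, **kw)


def run_rules(rules, assets, now: int) -> dict:
    """Run every active rule over every asset; return {asset name: [RiskScore, ...]}."""
    assigned = {a.name: [] for a in assets}
    for rule in rules:
        if not rule.active:          # inactive rules are never run on discovered assets
            continue
        for asset in assets:
            if rule.matches(asset):
                assigned[asset.name].append(RiskScore(rule.name, rule.score, now, rule.period))
    return assigned


def total_risk_score(scores, now: int) -> int:
    """Sum of all scores still inside their risk score period at time `now`."""
    return sum(s.score for s in scores if s.is_valid(now))


# Constructed sample data for the example (not from the page).
SAMPLE_ASSETS = [
    Asset("exec-laptop-01", {"asset_type": "Laptop", "owner_role": "executive"}, {"full_disk_encryption"}),
    Asset("dev-laptop-02", {"asset_type": "Laptop", "owner_role": "engineer"}),
    Asset("web-server-01", {"asset_type": "Server", "owner_role": "service"}),
]

SAMPLE_RULES = [
    # Metric-based rule: any asset that is a defect of the full disk encryption metric.
    metric_rule("fde_missing", "full_disk_encryption", HIGH_RISK_SCORE),
    # Filter-based rule: laptops used by executives (25 points is an assumed Medium score).
    filter_rule("executive_laptop",
                lambda a: a.fields["asset_type"] == "Laptop" and a.fields["owner_role"] == "executive", 25),
    # An inactive rule, to show that the toggle must be Active before a rule contributes anything.
    filter_rule("all_servers", lambda a: a.fields["asset_type"] == "Server", 10, active=False),
]


def composite_scores(assigned_at: int, now: int) -> dict:
    """Assign scores at `assigned_at` and report each asset's total risk score as seen at `now`."""
    assigned = run_rules(SAMPLE_RULES, SAMPLE_ASSETS, assigned_at)
    return {name: total_risk_score(scores, now) for name, scores in assigned.items()}


if __name__ == "__main__":
    t0 = 1_700_000_000
    print(composite_scores(t0, t0))                                # exec-laptop-01 -> 75, others 0
    print(composite_scores(t0, t0 + DEFAULT_RISK_SCORE_PERIOD))    # period elapsed -> all 0
```

Running the module shows the executive laptop scoring 75 right after the rules run (50 from the metric rule plus 25 from the filter rule), and 0 once the 24-hour period has elapsed without the rules triggering again; the inactive server rule never contributes.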
Add a risk scoring filter
With risk scoring filters, you can select how you want to filter assets, and then use that filter to create risk scoring rules that assign risk to particular assets. You can build risk scoring filters based on asset records, software, or vulnerabilities.
To add a risk scoring filter, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Discovery and then select which discovery page you want to see. For example, Asset discovery.
You can only create risk scoring filters for asset, software, and vulnerability discovery.
- Enter a Filter name.
You might have to select Show filters first to open the filter editor.
- Use the drop-down list to select a Discovered time frame.
- Select the App check box to make the filter app-specific and available for other users to use for discovery.
- Select the Risk check box.
- If you want to filter by fields, select Field filtering and then configure your filter using the drop-down lists. Select the add icon to add an additional field.
- If you want to filter by a search, select SPL search and then enter the SPL into the Search box.
You can filter by fields or by SPL search, but not by both. If you enter a search to filter by, then switching to field filtering clears any SPL data you've input.
- Select Search to see the results.
- Select Save as new filter.
- (Optional) To erase your configured filter, select Reset filter.
After you add a risk scoring filter, you can create a risk scoring rule that assigns risk to assets that meet the parameters of your filter. See Add a risk scoring rule.
Edit an existing risk scoring filter
You can also modify a risk scoring filter that already exists. To edit a risk scoring filter, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Discovery and then select which discovery page you want to see. For example, Identity discovery.
- Using the drop-down list, select a Filter type, such as Assets.
You might have to select Show filters first to open the filter editor.
- Select the Filter you want to edit. Choosing an existing filter populates the filter editor with the logic added to create the filter. For example, asset_type="Workstation".
- Edit the filter name, discovery period, field filtering, or SPL search.
- Select Search to see the results.
- Select Update to save the new risk scoring filter.
Edit or delete a risk scoring rule
To edit or delete a risk scoring rule, complete the following steps:
- Select Admin then Risk management and then Risk scoring rule management.
- Locate the risk scoring rule you added in the Risk scoring rules table.
- To edit the rule, select the settings icon. You can change the name and description, add and remove filters, and adjust the risk level and risk score period.
- Select Update to save your changes.
- To delete the rule, locate the risk scoring rule in the Risk scoring rules table, and then select the remove icon.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1