Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Review discovery reports on assets and identities in Splunk Asset and Risk Intelligence

In Splunk Asset and Risk Intelligence, you can review summary reports on discovered assets, identities, software, and vulnerabilities. Discovery reports include data such as geographic locations and trends over time.

Access discovery reports

To find discovery reports in Splunk Asset and Risk Intelligence, complete the following steps:

  1. Select Discovery in the main menu navigation bar.
  2. Select the type of discovery report you want to view, such as Identity discovery or Asset discovery.

Filter discovery reports

You can filter discovery reports by particular fields or by a Search Processing Language (SPL) search. Then, you can save that filter and return to the same view at a later time. To create a report filter, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Discovery from the main menu navigation bar, and then select the discovery report you want to view. For example, Asset discovery.
  2. Select Show filters.
  3. For asset discovery only, use the drop-down list to select a filter type, such as Asset or IP address.
  4. Enter a name for your filter.
  5. Using the drop-down list, select the time frame you want to search within.
  6. Choose how you want to use and share the filter by selecting the appropriate Sharing check boxes.
    1. Select the App check box to make the filter app-specific and available for other users to use for discovery.
    2. If you turn on App sharing, you can also make the filter a risk scoring filter by selecting the Risk check box. See Add a risk scoring filter.
  7. If you want to filter by fields, select Field filtering and then configure your filter using the drop-down lists. Select the add icon to add an additional field.
  8. If you want to filter by a search, select SPL search and then enter the SPL into the Search box.

    You can filter by fields or by SPL search, but not by both. If you enter a search to filter by, then switching to field filtering clears any SPL data you've input.

  9. Select Search to see the results.
  10. Select Save as new filter.
  11. (Optional) To erase your configured filter, select Reset filter.

After you save a filter, you can return to that view by selecting it from the Filter drop-down list.

Add or remove fields in the details table

In the Asset details table of each discovery report, you can add or remove fields that appear in the table. To add or remove fields, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Discovery from the main menu navigation bar, and then select the discovery report you want to view. For example, Asset discovery.
  2. In the Asset details table, select the settings icon.
  3. To add a field, use the drop-down list to select a new field. You can add more by selecting the add icon.
  4. To remove a field, select the remove icon next to the field name in the Selected fields box.
  5. (Optional) To erase any changes you made, select Reset fields.
  6. Select Update.

Export a report

To export a report from Splunk Asset and Risk Intelligence, complete the following steps:

  1. Select Discovery from the main menu navigation bar, and then select the discovery report you want to view. For example, Asset discovery.
  2. In the details table, select the download icon.
  3. Enter a name for the file.
  4. Select an Output format, such as JSON.
  5. Select Download.

Use insight dashboards to review reports on systems and accounts associated with discovered assets

You can use Splunk Asset and Risk Intelligence insight dashboards to review data on other discoveries, such as operating systems, IoT devices, and default accounts. To find insight dashboards, select Discovery in the main menu navigation bar. Then, select the insight dashboard you want to view. To learn more about what each dashboard reports on, see the following table:

| Dashboard | Description |
| --- | --- |
| Operating system insights | Displays visualizations with data on operating systems, including operating systems that are out-of-date or no longer supported, detected with assets discovered by Splunk Asset and Risk Intelligence. The dashboard reports on different aspects of operating systems, such as asset type and operating system version. |
| Cloud asset insights | Displays visualizations with data on active cloud-provisioned assets discovered by Splunk Asset and Risk Intelligence. |
| IoT asset insights | Displays visualizations with data on active IoT devices discovered by Splunk Asset and Risk Intelligence. The dashboard reports on different aspects of IoT devices, such as device class, vendor, subnets, and overall activity. |
| OT asset insights | Displays visualizations with data on active OT devices discovered by Splunk Asset and Risk Intelligence. The dashboard reports on different aspects of OT devices, such as device class, vendor, subnets, and overall activity. |
| Default account insights | Displays visualizations with data on default accounts discovered by Splunk Asset and Risk Intelligence. The dashboard reports on various counts and metrics about activity by detected default accounts. |

You can select a row in the asset listing table to open the investigation for that particular user ID.
Last modified on 28 February, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

