Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Investigate assets and identities in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence creates asset inventories by aggregating data from different sources such as log files, network devices, cloud services, workstations, servers, and databases. You can investigate identities and assets, such as hostnames, IP addresses, and MAC addresses, discovered by Splunk Asset and Risk Intelligence.

Investigate an asset or identity

To investigate an asset or identity, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.

    You can only search by user_id on the Identity investigation page.

  4. Select Submit.

After you enter an asset or identity to investigate, you can explore the resulting visualizations in the Details tab and begin your investigation.

To find a description of each visualization, see the following table:

Visualization Description
Health check Examine the health of assets and identities based on known or custom metrics. You can also find the status, either Detected or Undetected, for active risk rules. A status of detected means that the active risk rule has been triggered. To modify the health check metric, see Create and manage metrics in Splunk Asset and Risk Intelligence.
Latest associations Find the first and last discovery time of the asset or identity and see its associated data. For example, an asset might have an associated MAC address, IP address, and identity from when it was last discovered.
Geographic location Find the geographic location associated with the asset or identity.
Record Find fields and values pertaining to the asset or identity. You can also find the data source attributed to each field and value to identify where it came from. Field values with the Applied logic data source come from a processing and advanced logic calculation in Splunk Asset and Risk Intelligence, and field values with the Custom data source come from the custom fields added to a particular inventory.
Data sources Find details on data sources that have detected the asset or identity, including when the source last detected the asset or identity and how many days ago it was originally detected.
Discovered software Find all of the detected software and software details for the given asset or identity.

Review the detection activity of associated assets and identities

Discover associations with assets and identities, and then see how active they've been within a specified time frame. The default time frame is the past 7 days.

To review the detection activity of associated assets and identities, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.

    You can only search by user_id on the Identity investigation page.

  4. Select Submit.
  5. Select the Activity tab.
  6. Using the drop-down list, specify a time range.
  7. Select an association type. For example, IP address.

Assess the risk of an asset or identity using metric compliance data

While investigating an asset or identity, you can assess its risk by checking the metric compliance. For asset investigations, you can also see discovered vulnerabilities, risk scoring activity, and risk score trends.

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.

    You can only search by user_id on the Identity investigation page.

  4. Select Submit.
  5. Select the Risk tab.
  6. Review the Metric activity table for a list of associated metrics and their compliance status.
  7. Review the Metric compliance visualization to see the compliance percentage for all of the metrics in the activity table. For example, if there are 4 metrics for an asset and 2 of them are noncompliant, the compliance visualization shows 50% compliance.
  8. If you're investigating an asset, review the following:
    • The Discovered vulnerabilities table for a complete listing of vulnerabilities discovered on that asset.
    • The Risk scoring activity for the total risk score for the asset, the rules associated with the asset, and the severity of the risk score compared to assets of the same type with a risk score.
    • The Risk score trend for the average risk score over time for the given asset.

Visualize relationships between assets and identities with attack surface explorer

You can visualize relationships between assets and identities over time using the attack surface explorer.

  1. Open the Investigation page for an asset or identity.
  2. Select the Attack surface explorer tab. Alternatively, you can select the Activity tab and then select the node icon ( node ) on one of the association panels.
  3. Select a time range and an association type.
  4. (Optional) Exclude particular values with the Exclude association values field. For example, if there's a particular IP address you don't want to use in the comparison, you can select it as an excluded value.
  5. Select the number of Relationship degrees you want to visualize in the relationship diagram. Relationship degrees determine the association level of the asset comparison. For example, 2 relationship degrees might show the users associated with an asset, while 3 relationship degrees might show the asset, the users, and then additional assets associated with each user.
  6. (Optional) Select the Link weights check box to visualize the weight of asset relationships in the relationship diagram. The link weight is an association percentage determined by the number of detections between assets. When you turn on link weights, the line, or link, between assets appears thicker when the relationship is stronger.


Investigate an IP address by examining its subnet data

If you want to investigate an IP address that Splunk Asset and Risk Intelligence has not detected, or does not have complete data on, you can investigate it by examining its subnet data. Enter an IP address to search for ipv4 or ipv6 IP addresses detected in the same subnet. You can also specify which fields to group the subnets by, such as the city or country.

To investigate an IP address using subnet data, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select IP subnet investigation.
  3. Enter the IP address you want to investigate in the search box.
  4. Select the Subnet mask. For example, ipv4 /24.
  5. (Optional) Specify the Zone if you're utilizing IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
  6. (Optional) Select fields to group the subnet by.
  7. Select to geolocate the subnet by city, country, or location_id.
  8. Select Submit.

After you submit your IP subnet investigation search, you can find all the IP addresses discovered at the subnets and the known asset information for each one. You can also find subnets that match the company subnet directory to see if the discovered subnets are in your inventory.

Last modified on 28 February, 2025
Review discovery reports on assets and identities in Splunk Asset and Risk Intelligence   Customize investigations in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters