Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Identify data sources and filter by relevant events in Splunk Asset and Risk Intelligence

Data sources contain events that have asset-related data, and Splunk Asset and Risk Intelligence uses these events to discover assets and identities.

When setting up data sources for Splunk Asset and Risk Intelligence, you must first identify suitable data sources, and then you can filter those data sources by events that contain relevant asset data.

Identify data sources

Splunk Asset and Risk Intelligence can use any data source containing asset-relevant data. You can group these data sources into different categories as described in the following table:

Endpoint agent: Agents that are typically installed on workstation, mobile, and server endpoints. These might include antivirus, data leakage, or server management agents.
  Examples:
  • Trellix
  • Crowdstrike
  • Splunk Forwarder

Scanning data: Data that is obtained from network scanners and discovery tools. These might include asset or vulnerability scanners.
  Examples:
  • Qualys
  • Tenable
  • ServiceNow Discovery

Endpoint event data: Data that is generated within endpoint log events that might contain relevant asset data.
  Examples:
  • Syslog from Linux or Unix
  • Windows Event Logs
  • Sysmon

Network event data: Data that is generated within network log events that might contain relevant asset data.
  Examples:
  • VPN
  • DHCP

Database: Asset-related data that is held in structured database tables or stores.
  Examples:
  • ServiceNow
  • CMDB solutions

Cloud: Asset data from cloud providers.
  Examples:
  • AWS EC2
  • Azure
  • GCP

Splunk Add-on for Asset and Risk Intelligence: An app deployed to your Splunk forwarders that gathers asset-relevant events for added enrichment and context.
  Examples: n/a

When you set up a data source in Splunk Asset and Risk Intelligence, the data source is assigned to an inventory and then prioritized. Splunk Asset and Risk Intelligence can assign a data source to one or more inventories only if the data source contains the key field for that inventory. As a result, when you identify a suitable data source, you might want to choose a source that contains at least 2 of the following fields:

Key field Inventory
nt_host Network
ip IP
user_id User
mac MAC
nt_host, product Software
nt_host, signature Vulnerability

Filter data sources by relevant events

Identifying relevant events in a data source is helpful because you can filter out events that aren't meaningful for asset discovery, and you can also limit the data Splunk Asset and Risk Intelligence processes.

For example, for a VPN data source, you might want to filter by connection events that contain the mac, user_id, and ip fields because the other events aren't required.

After you identify a data source, use the Search Processing Language (SPL) to filter the source by relevant events.
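As an added illustration that is not part of the Splunk documentation, the VPN case described above written as an SPL filter. The index, sourcetype, and the action value are assumed placeholders; the ip, mac, user_id, and nt_host fields are the key fields listed on this page.

```spl
index=vpn sourcetype=vpn:session action=connected
    ip=* mac=* user_id=*
| eval mac=lower(replace(mac, "-", ":"))
| eval ip=trim(ip)
| fields _time nt_host ip mac user_id
```

Restricting the base search to connection events that carry all three key fields drops keepalive and disconnect events before the app processes them, which is the filtering the text describes. The two eval steps normalise MAC and IP formatting so that the same asset matches across sources instead of producing duplicate rows.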

If you don't filter your data sources by relevant events, the processing speed of Splunk Asset and Risk Intelligence might decrease, and there might be duplicate data.

Data source types

There are 3 types of data sources you can add to Splunk Asset and Risk Intelligence. Each type updates at a different frequency in the app. For a reference of the different data source types, see the following table:

Real-time: A real-time data source updates in Splunk Asset and Risk Intelligence within seconds of the source generating the events. Real-time sources contain asset-relevant events that you can search for without using search pipes in your SPL.

Batched: A batched data source can include any of the following:
  • Events that update in real-time but have asset-related field values spread out over multiple events.
  • Events that don't update in real-time. Splunk Asset and Risk Intelligence indexes them on a schedule, such as once per day, instead.
  • Events with delayed indexing.
  Batched data sources contain asset-relevant events that require an advanced search.

Static: Static data sources are typically asset lists from databases, CMDBs, or uploads of Microsoft Excel or CSV files. For these sources, there might not be any indication of when each asset in the list was last detected on the network. You can label these sources as Passive in Splunk Asset and Risk Intelligence.
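An added example, not from the Splunk documentation, of the batched case in which the key fields are spread across several events: an authentication event carries user_id while a separate session-start event carries ip and mac. The index, sourcetype, and the session_id correlation field are assumptions.

```spl
index=vpn sourcetype=vpn:session session_id=*
    (user_id=* OR ip=* OR mac=*)
| stats latest(_time) AS _time
        latest(nt_host) AS nt_host
        latest(ip) AS ip
        latest(mac) AS mac
        latest(user_id) AS user_id
    BY session_id
| where isnotnull(ip) AND isnotnull(mac) AND isnotnull(user_id)
| fields - session_id
```

Because stats must see every event of a session before it can emit one row, this search runs on a schedule rather than in real time, which is why the app treats such a source as batched.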

See also

Get started with the Splunk Add-on for Asset and Risk Intelligence in the Install and Manage Splunk Add-on for Asset and Risk Intelligence manual

Last modified on 19 September, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2

