Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Data source field mapping reference

In Splunk Asset and Risk Intelligence, data sources must have a common set of field mappings across each of the inventories. Splunk Asset and Risk Intelligence automatically maps the fields in known data sources to the relevant inventories. However, you must map certain fields in custom data sources to the appropriate inventories.

For custom batched data sources, you can map fields within the event search. For custom real-time data sources, you can map fields using field aliases, calculated fields, or field extractions.

Each inventory contains a different set of fields, but some inventories also share fields. The following list includes the inventories that you can map data sources to:

  • Network
  • IP
  • MAC
  • User
  • Software
  • Vulnerability

You don't need to map all of the fields in a data source. To see a reference list of the fields you can map for each inventory, see the following:

Some event searches for batched data sources contain a mapped field called ari_lastdetect, which indicates when the record was last updated. If the ari_lastdetect field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect field, then Splunk Asset and Risk Intelligence uses the _time field from when the batched event search runs.

Network inventory field mapping

The network inventory contains the most data about an individual asset. Data sources mapped to this inventory must contain the ari_nt_host field.

The following table lists all of the fields that you can map to the network inventory:

Input field Description
ari_nt_host Hostname of the asset.
ari_vendor Vendor of the asset.
ari_user_id Any user ID in the event.
ari_dns The FQDN of the asset.
ari_ip IP address of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_ip_translated Translated IP address of the asset. For example, an external IP of a VPN asset.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.
ari_mac MAC address of the asset.
ari_product Product name of the asset.
ari_product_version Product version of the asset.
ari_category Category of the asset. For example, "Domain controller".
asset_class The class of the asset. For example, "Desktop".
asset_type The type of asset. For example, "Server" or "Workstation".
av_version The product version of AV used.
business Business name of the asset.
bunit Business unit of the asset.
city City location of the asset.
classification Data classification of the asset. For example, "Internal" or "Restricted".
country Country location of the asset in a 2-digit country code format.
cpu_cores Number of CPU cores.
cpu_count Number of CPUs.
cpu_mhz Megahertz value of the CPU.
criticality Criticality of the asset. For example, "Critical" or "Low".
environment Field used to collect environment information. For example, "Prod" or "Dev".
fde_encrypted Numeric indicator of whether full disk encryption is active. This is typically set to 1 or null, where 1 means it is encrypted.
location_id Any identifying location code.
mem Amount of RAM.
os Operating system. For example, "Windows 7".
os_version Full version of the operating system. For example, "10.3.4.23".
primary_host The primary host that this host runs on if it's virtual.
priority Priority of the asset. For example, "Critical" or "Low".
provider The asset provider. For example, "Amazon".
region Region of the asset. For example, "AMER".
sensitivity Sensitivity of the asset. For example, "Critical" or "Low".
serial Serial number of the asset.
status Status of the asset. For example, "Active" or "Decommissioned".

IP inventory field mapping

The IP inventory captures all IP addresses associated with network assets. Data sources mapped to this inventory must contain the ari_ip field.

The following table lists all of the fields that you can map to the IP inventory:

Input field Description
ari_ip IP address of the asset.
business Business name of the asset.
bunit Business unit of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_ip_translated Translated IP address of the asset, For example, an external IP of a VPN asset.
ip_type The type of IP address. For example, "VPN".
location_id Any identifying location code.
ari_nt_host Hostname of the asset.
ari_user_id User ID of the asset.
ari_mac MAC address of the asset.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.

MAC inventory field mapping

The MAC inventory captures all MAC addresses associated with network assets. Data sources mapped to this inventory must contain the ari_mac field.

MAC addresses going into Splunk Asset and Risk Intelligence automatically have dashes or colons removed.

The following table lists all of the fields that you can map to the MAC inventory:

Input field Description
ari_mac MAC address of the asset.
business Business name of the asset.
bunit Business unit of the asset.
location_id ​Any identifying location code.
ari_nt_host Hostname of the asset.
ari_user_id User ID of the asset.
ari_ip IP address of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.
mac_product The product associated with the MAC address.
mac_vendor The vendor associated with the MAC address.

User inventory field mapping

The user inventory captures all users associated with network assets. Data sources mapped to this inventory must contain the ari_user_id field.

The following table lists all of the fields that you can map to the user inventory:

Input field Description
ari_user_id User ID of the asset.
business Business name of the asset.
bunit Business unit of the asset.
ari_ip IP address of the asset.
ari_ip_zone IP zone address of the asset. If left blank, the value becomes default.
ari_nt_host Hostname of the asset.
ari_mac MAC address of the asset.
ari_domain AD user domain information.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.

Software inventory field mapping

The software inventory captures all software products associated with network assets. Data sources mapped to this inventory must contain the ari_software_product field and the ari_nt_host field.

The following table lists all of the fields that you can map to the software inventory:

Input field Description
ari_nt_host Hostname of the asset.
ari_software_product Software product name.
ari_software_version Software product version.
ari_software_vendor Software product vendor name.
business Business name of the asset.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.

Vulnerability inventory field mapping

The vulnerability inventory captures all vulnerabilities associated with network assets. Data sources mapped to this inventory must contain the signature field and the ari_nt_host field.

The following table lists all of the fields that you can map to the vulnerability inventory:

Input field Description
signature Signature of the vulnerability.
ari_nt_host Hostname of the asset.
ari_user_id User ID of the asset.
agentuuid UUID of vulnerable agent.
assetuuid UUID of vulnerable asset.
business Business name of the asset.
bunit Business unit of the asset.
category The category of the discovered vulnerability. For example, "DoS".
cert The identifier in the vulnerability database provided by the United States Computer Emergency Readiness Team.
cve The identifier provided in the Common Vulnerabilities and Exposures index.
cvss The numeric indicator of the common vulnerability scoring system.
msft The Microsoft Security Advisory number.
mskb The Microsoft Knowledge Base article number.
os Operating system of the asset.
plugin_id Vulnerability plugin ID, which you can use to pull back the description, solution, references, and other data for that plugin ID.
protocol Protocol linked to the vulnerability. For example, "https".
scan_type The type of scan.
scan_uuid Unique identifier of the scan.
service Any services linked to the vulnerability.
severity Severity of the vulnerability.
severity_id Severity ID of the vulnerability.
signature_id The unique identifier or event code of the event signature.
state The current state of the vulnerability.
url The URL involved in the discovered vulnerability.
xref A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the cross-referenced database and the unique identifier used in the external database.
port Port used by the vulnerability.
ari_lastdetect The last detection date of the source. If there is no ari_lastdetect date, then Splunk Asset and Risk Intelligence uses _time.
ari_firstdetect The first detection date of the source. If there is no ari_firstdetect date, then Splunk Asset and Risk Intelligence uses ari_lastdetect.
vendor_product Software product vendor name.
Last modified on 05 August, 2024
Activate data sources in Splunk Asset and Risk Intelligence   Add a custom field in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters