Splunk® Asset and Risk Intelligence

Install and Upgrade Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Set up roles and capabilities for Splunk Asset and Risk Intelligence

After you initialize data for Splunk Asset and Risk Intelligence, you can start adding roles and assigning users to those roles to manage access to functionality and data in Splunk Asset and Risk Intelligence. You can also delete a role if you no longer need it.

Add a role

You can add roles, such as those included with Splunk Asset and Risk Intelligence or those you create yourself. To add a role, complete the following steps:

  1. Select Admin and then Permission settings.
  2. Select Add role capabilities.
  3. Using the Role drop-down list, select the role you want to add. For example, you can select the user role, which is automatically included with Splunk Asset and Risk Intelligence. Or, if you created a custom role in the Splunk platform, you can select that role.
  4. Select the check boxes for the capabilities you want to include with the role.
  5. Select Add.

Roles included in Splunk Asset and Risk Intelligence

There are two roles included with Splunk Asset and Risk Intelligence: user and ari_admin. The following table describes each role and lists any roles from the Splunk platform that can inherit it.

Role Description Roles that can inherit it
user Assign to users who need to access analyst menus for tasks such as investigating assets and assessing risk. Those with the user role have access to search only the ari_asset index. power
ari_admin Assign to users who need to access administrative menus for tasks such as managing data sources, customizing metrics, and searching all Splunk Asset and Risk Intelligence indexes. admin

On the Permission settings page, you can find the ari_admin role set up with several Splunk Asset and Risk Intelligence capabilities by default. To edit the capabilities for this role, see Manage capabilities for a role.

Assign roles to users

To assign roles to Splunk Asset and Risk Intelligence users, you must have the Splunk platform sc_admin or admin role. From the Splunk platform, select Settings and then Roles to create, assign, and manage roles. For more information, see Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual.

If you have an admin role in a Splunk security product, you can add users and manage their roles and capabilities across Splunk security products all from one location in Splunk Cloud Platform.

Manage capabilities for a role

Splunk Asset and Risk Intelligence has several capabilities specific to the functionality in the app. To customize what users have access to, you can add and remove particular capabilities to and from roles. To add or remove capabilities to or from an existing role, complete the following steps:

  1. Select Admin and then Permission settings.
  2. In the actions column of the capabilities table, select the edit icon ( edit ) for the role you want to edit.
  3. Select or deselect the check boxes for the capabilities you want to add or remove.
  4. Select Update.

Capabilities in Splunk Asset and Risk Intelligence

The following table describes each capability:

Capability Description
ari_dashboard_add_alerts Create alerts based on metric defects shown on the Metrics posture page.
ari_edit_table_fields Edit the fields displayed in tables across the Discovery, Metrics, and Investigation pages.
ari_manage_data_source_settings Add, report, and manage data sources on the Data source management page.

To add this capability, you must first add the admin_all_objects capability from Splunk Web. See Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual.

ari_manage_filters Edit and delete saved filters.
ari_manage_homepage_settings Edit the dashboard on the home page.
ari_manage_metric_settings Create, remove, and edit metrics on the Metric framework management page.

To add this capability, you must first add the admin_all_objects capability from Splunk Web. See Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual.

ari_manage_posture_settings Add and remove metrics from the Metrics posture page.
ari_manage_report_exceptions Add and remove metric exceptions.
ari_save_filters Save custom filters and share with other users.

Delete a role

To remove a role and its configured capabilities from Splunk Asset and Risk Intelligence, complete the following steps:

  1. Select Admin and then Permission settings.
  2. Find the role you want to delete, and then select the delete icon (x).
  3. Select Delete to confirm that you want to remove it.
Last modified on 05 August, 2024
Initialize data for Splunk Asset and Risk Intelligence   Uninstall Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters