Splunk® Asset and Risk Intelligence

Install and Upgrade Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796 and SPL-248319, where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Set up roles and capabilities for Splunk Asset and Risk Intelligence

After you initialize data for Splunk Asset and Risk Intelligence, you can start assigning users to roles and edit the capabilities of those roles to manage their access to functionality and data in Splunk Asset and Risk Intelligence.

Roles included in Splunk Asset and Risk Intelligence

There are two roles included with Splunk Asset and Risk Intelligence: ari_analyst and ari_admin. The following table describes each role:

| Role | Description |
| --- | --- |
| ari_analyst | Assign to users who need to access analyst menus for tasks such as investigating assets and assessing risk. Those with the ari_analyst role have access to search only the ari_asset index. |
| ari_admin | Assign to users who need to access administrative menus for tasks such as managing data sources, customizing metrics, and searching all Splunk Asset and Risk Intelligence indexes. The ari_admin role includes all of the Splunk Asset and Risk Intelligence capabilities by default. |

On the Permission settings page, you can find the ari_admin role set up with several Splunk Asset and Risk Intelligence capabilities by default. To edit the capabilities for this role, see Manage capabilities for a role.

Assign roles to users

To assign roles to Splunk Asset and Risk Intelligence users, you must have the Splunk platform sc_admin or admin role. From the Splunk platform, select Settings and then Roles to create, assign, and manage roles. For more information, see Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual.

If you have an admin role in a Splunk security product, you can add users and manage their roles and capabilities across Splunk security products all from one location in Splunk Cloud Platform.

Manage capabilities for a role

Splunk Asset and Risk Intelligence has several capabilities specific to the functionality in the app. To customize what users have access to, you can add and remove particular capabilities to and from roles. To add or remove capabilities to or from an existing role, complete the following steps:

  1. Select Admin and then Permission settings.
  2. Select or deselect the check boxes for the capabilities you want to add or remove.
  3. Select Save.

Capabilities in Splunk Asset and Risk Intelligence

The following table describes each capability:

| Permission | Associated capability | Description |
| --- | --- | --- |
| Manage data sources | ari_manage_data_source_settings | Add, report, and manage data sources on the Data source management page. In order for the ari_manage_data_source_settings capability to function, the user must have the admin_all_objects capability. Assign the user a role that contains the admin_all_objects capability, such as the Splunk platform sc_admin or admin role. See Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual. |
| Manage metrics | ari_manage_metric_settings | Create, remove, and edit metrics on the Metric and framework management page. In order for the ari_manage_metric_settings capability to function, the user must have the admin_all_objects capability. Assign the user a role that contains the admin_all_objects capability, such as the Splunk platform sc_admin or admin role. See Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual. |
| Manage metric exceptions | ari_manage_report_exceptions | Add and remove metric exceptions. |
| Add alerts | ari_dashboard_add_alerts | Create alerts based on metric defects shown on the Metrics posture page. |
| Edit table fields | ari_edit_table_fields | Edit the fields displayed in tables across the Discovery, Metrics, and Investigation pages. |
| Save filters | ari_save_filters | Save custom filters and share with other users. |
| Manage filters | ari_manage_filters | Edit and delete saved filters. |
| Manage homepage settings | ari_manage_homepage_settings | Edit the dashboard on the home page. |
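
The admin_all_objects dependency described for the two management capabilities can be checked before roles are handed out. The following Python code is an added example, not part of the Splunk documentation or product: it resolves role inheritance and lists users who hold ari_manage_data_source_settings or ari_manage_metric_settings without admin_all_objects. It assumes role definitions in authorize.conf stanza syntax; the stanza contents, the ari_metrics_editor role, and the user names are constructed for illustration.

```python
import configparser

# Per the capability table, these two only function alongside admin_all_objects.
DEPENDENT = {"ari_manage_data_source_settings", "ari_manage_metric_settings"}
# Constructed sample: roles in authorize.conf stanza style, then user assignments.
SAMPLE_ROLES = """
[role_admin]
admin_all_objects = enabled
[role_ari_analyst]
[role_ari_admin]
importRoles = ari_analyst
ari_manage_data_source_settings = enabled
ari_manage_metric_settings = enabled
[role_ari_metrics_editor]
importRoles = ari_analyst
ari_manage_metric_settings = enabled
"""
SAMPLE_USERS = {"alice": ["ari_admin", "admin"], "bob": ["ari_admin"], "carol": ["ari_metrics_editor"]}

def load_roles(text):
    """Parse role stanzas into {role: (enabled capabilities, imported roles)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    roles = {}
    for name, sec in cp.items():
        if name.startswith("role_"):
            imports = [r.strip() for r in sec.get("importRoles", "").split(";") if r.strip()]
            caps = {k for k, v in sec.items() if v.strip().lower() == "enabled"}
            roles[name[len("role_"):]] = (caps, imports)
    return roles

def effective_caps(role, roles, seen=None):
    """Capabilities of a role, including those inherited through importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # cycle guard and unknown roles
        return set()
    seen.add(role)
    caps, imports = roles[role]
    return set(caps).union(*(effective_caps(r, roles, seen) for r in imports))

def audit(users, roles):
    """Return {user: ARI capabilities held without admin_all_objects}."""
    findings = {}
    for user, assigned in users.items():
        held = set().union(*(effective_caps(r, roles) for r in assigned))
        if "admin_all_objects" not in held and held & DEPENDENT:
            findings[user] = sorted(held & DEPENDENT)
    return findings

print(audit(SAMPLE_USERS, load_roles(SAMPLE_ROLES)))
```

Each user reported holds a management capability that will not function until a role containing admin_all_objects is also assigned, which is a broad grant worth reviewing case by case.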
Last modified on 28 February, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

