Splunk® Asset and Risk Intelligence

Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Customize your asset investigation in Splunk Asset and Risk Intelligence

You can customize your asset investigation by adding notes to assets and identities and by adding asset context to Splunk Enterprise Security notable events.

Create and manage notes for network assets and user identities

You can save additional data about network assets and user identities by creating a note associated with the asset or identity. For example, you might add a note that explains when you expect an asset to be decommissioned or why an account was created.

To create a note, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select either Network asset investigation or User identity investigation.
  3. Enter the network asset or user identity you want to add a note to.
  4. Select Submit.
  5. Select the edit icon ( edit ) on the Record panel.
  6. Select Add note.
  7. Enter your note.
  8. Select Add.

You can also manage your existing notes by selecting the edit icon ( edit ) or the delete icon ( remove ).

Enrich Splunk Enterprise Security notable events with asset context

Splunk Asset and Risk Intelligence can integrate with Splunk Enterprise Security to add asset context to notable events. With an active integration, Splunk Enterprise Security continuously updates its asset and identity inventories with Splunk Asset and Risk Intelligence data. Only a Splunk Asset and Risk Intelligence admin can activate the integration. See Activate integration with Splunk Enterprise Security in Splunk Asset and Risk Intelligence in the Administer Splunk Asset and Risk Intelligence manual.

With the Splunk Enterprise Security integration, you can do the following:

  • Add asset and identity swim lanes to Splunk Enterprise Security Asset and Identity Investigators
  • Enrich notable events with asset context
  • Add asset and identity investigation workflows actions to the Splunk Enterprise Security Incident Review report

Add swim lanes to Splunk Enterprise Security asset and identity investigators

Splunk Asset and Risk Intelligence adds two new swim lanes to Splunk Enterprise Security that you can add to the Asset Investigator and the Identity Investigator. To add these swim lanes, complete the following steps:

  1. In Splunk Enterprise Security, navigate to Security Intelligence and then User Intelligence.
  2. Select either the Asset Investigator or the Identity Investigator.
  3. Edit the view and add the Splunk Asset and Risk Intelligence Asset Detections or Identity Detections swim lane.

By adding the swim lanes, you can find details on asset relationships over time for the asset or identity you're investigating. For more details on editing swim lanes, see Asset and Identity Investigator dashboards in the Use Splunk Enterprise Security manual.

Add fields to Splunk Enterprise Security asset and identity lookups

Splunk Asset and Risk Intelligence includes two lookup files, ari_assets and ari_identities, that you can use with Splunk Enterprise Security asset and identity management.

To find the included fields in each lookup file, see Asset lookup fields and Identity lookup fields. You can also add additional fields from Splunk Asset and Risk Intelligence to use with Splunk Enterprise Security.

To add a field to the ari_assets or ari_identities lookup, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, locate the search you want to edit: ari_gen_lookup_aura_es_assets or ari_gen_lookup_aura_es_identities.
  2. Edit the search by adding the required fields to the end of the | table line of the search. For example, to add asset_type, edit the table line as follows:

    | table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av lastdetect asset_type

    Don't edit any other lines of the search.

  3. Select Save.
  4. In Splunk Enterprise Security, select Configure then Data Enrichment and then Asset and Identity Management.
  5. Select Asset Fields or Identity Fields.
  6. Add the new fields.

To learn more about the Splunk Enterprise Security asset and identity lookup file fields, see Format an asset or identity list as a lookup in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Enrich Splunk Enterprise Security notable events with asset context

You can add context to your Splunk Enterprise Security correlation searches to enrich the associated notable events. The added enrichment can help you accelerate your investigation. Use the following two search macros to add asset context to a correlation search:

  • ari_lookup_host()
  • ari_lookup_ip()

For example, if your correlation search produces a list of IP addresses, and the IP field is src_ip, then enter the following macro at the end of the correlation search: `ari_lookup_ip(src_ip)`. The macros produce the following asset fields as additional context:

  • nt_host
  • mac
  • dns
  • user_id
  • ip
  • product
  • vendor
  • lastdetect
  • asset_type
  • asset_class
  • os
  • os_version
  • city
  • state
  • country
  • location_id
  • region

Many of these fields are in the Additional Fields section of the Splunk Enterprise Security notable event by default. To add more fields, complete the following steps:

  1. In Splunk Enterprise Security, navigate to Configure then Incident Management and then Incident Review Settings.
  2. In the Incident Review - Event Attributes section, select +Add Field.
  3. Add the Splunk Asset and Risk Intelligence field you want to include. For example, the asset_type field with the label "Asset Type".
  4. Select Save. You can then find the field at the top of the table.
  5. After you add all the fields you want to include, select Save on the Incident Review Settings page.
Last modified on 05 August, 2024
Investigate assets in Splunk Asset and Risk Intelligence   Field reference for Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters