Use Splunk Asset and Risk Intelligence data with Splunk Enterprise Security
Splunk Asset and Risk Intelligence can integrate with Splunk Enterprise Security to add asset and identity context to findings. With an active integration, Splunk Enterprise Security continuously updates its asset and identity inventories with Splunk Asset and Risk Intelligence data. Only a Splunk Asset and Risk Intelligence admin can activate the integration. See Activate integration with Splunk Enterprise Security in Splunk Asset and Risk Intelligence in the Administer Splunk Asset and Risk Intelligence manual.
With the Splunk Enterprise Security integration, you can do the following:
- Add asset and identity swim lanes to Splunk Enterprise Security Asset and Identity Investigators.
- Enrich findings with asset context.
- Add asset and identity investigation workflows actions to the Splunk Enterprise Security analyst queue.
In Splunk Enterprise Security version 8.x, notable events are now known as findings and incident review is now known as the analyst queue. See Splunk Enterprise Security Glossary.
Add swim lanes to Splunk Enterprise Security asset and identity investigators
Splunk Asset and Risk Intelligence adds two new swim lanes to Splunk Enterprise Security that you can add to the Asset Investigator and the Identity Investigator. To add these swim lanes, complete the following steps:
- In Splunk Enterprise Security, navigate to Analytics then Security Intelligence and then User Intelligence.
- Select the Asset Investigator.
- Edit the view and add the Splunk Asset and Risk Intelligence Asset Detections swim lane.
- Repeat the same steps for the Identity Investigator and add the Identity Detections swim lane.
By adding the swim lanes, you can find details on asset relationships over time for the asset or identity you're investigating. The asset detections swim lane shows changes to the asset over time, including changes to IP addresses and users. Similarly, the identity detections swim lane shows changes in asset relationships over time for the specific identity under investigation.
For more details on editing swim lanes, see Asset and identity investigator dashboards in the Use Splunk Enterprise Security manual.
Use Splunk Asset and Risk Intelligence workflow actions in Splunk Enterprise Security
The following table describes the workflow actions available to use in Splunk Enterprise Security after you integrate with Splunk Asset and Risk Intelligence.
Workflow action | Fields it applies to | Function |
---|---|---|
ARI - Asset Investigation | Any hostname, MAC address, or IP address field: src, dest, src_ip, dest_ip, ip, dvc_ip, src_host, dest_host, dest_nt_host, src_nt_host, host, nt_host, dvc_nt_host, orig_host, dvc_mac, mac, orig_host_mac, src_mac, dest_mac, risk_object | Launches the Asset investigation view in Splunk Asset and Risk Intelligence. |
ARI - Identity Investigation | Any user field: user, src_user, dest_user, user_id, risk_object | Launches the Identity investigation view in Splunk Asset and Risk Intelligence. |
ARI - IP to Asset Attribution | Any IP address field: src, dest, src_ip, dest_ip, ip, dvc_ip, orig_host_ip | Launches the IP to Asset Attribution view in Splunk Asset and Risk Intelligence. |
Use Splunk Asset and Risk Intelligence risk factors in Splunk Enterprise Security
Modify risk with risk-based alerting in Splunk Enterprise Security using Splunk Asset and Risk Intelligence risk factors. In order for the Splunk Asset and Risk Intelligence risk factors to function correctly, you must do the following:
- Configure active risk rules in Splunk Asset and Risk Intelligence.
- Add the `ari_risk_score` field to Asset from the Splunk Enterprise Security Asset and Identity management page.
- Turn on the risk factors in the Risk Factor Editor in Splunk Enterprise Security.
The following table describes the available Splunk Asset and Risk Intelligence risk factors:
Name | Description | Condition for `ari_risk_score` | Operation | Factor |
---|---|---|---|---|
ARI Critical Risk Asset (dest) | Increases the risk for dests when the Splunk Asset and Risk Intelligence risk score for the associated asset is critical | > 100 | Multiplication | 2 |
ARI Critical Risk Asset (src) | Increases the risk for srcs when the Splunk Asset and Risk Intelligence risk score for the associated asset is critical | > 100 | Multiplication | 2 |
ARI High Risk Asset (dest) | Increases the risk for dests when the Splunk Asset and Risk Intelligence risk score for the associated asset is high | Between 50 and 100 | Multiplication | 1.5 |
ARI High Risk Asset (src) | Increases the risk for srcs when the Splunk Asset and Risk Intelligence risk score for the associated asset is high | Between 50 and 100 | Multiplication | 1.5 |
ARI Medium Risk Asset (dest) | Increases the risk for dests when the Splunk Asset and Risk Intelligence risk score for the associated asset is medium | Between 10 and 49 | Multiplication | 1.1 |
ARI Medium Risk Asset (src) | Increases the risk for srcs when the Splunk Asset and Risk Intelligence risk score for the associated asset is medium | Between 10 and 49 | Multiplication | 1.1 |
For more information on risk factors in Splunk Enterprise Security, see Adjusting risk using risk factors in Splunk Enterprise Security.
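To sanity-check RBA tuning before turning the factors on, the following added example (not Splunk code, and not part of this page) models the risk factor table above and predicts how a risk event's score changes for sample src and dest assets. It assumes that when both the src and dest assets match a factor, both multipliers are applied in sequence, and that an asset missing from the inventory has no `ari_risk_score`; the hostnames and scores are constructed sample data.

```python
# Models the ARI risk factors as documented: name, condition on ari_risk_score, multiplier.
# Note the conditions as written: a score of exactly 100 is "high" (not critical),
# and a score strictly between 49 and 50 matches no factor at all.
ARI_RISK_FACTORS = [
    ("ARI Critical Risk Asset", lambda s: s > 100, 2.0),        # > 100
    ("ARI High Risk Asset", lambda s: 50 <= s <= 100, 1.5),    # between 50 and 100
    ("ARI Medium Risk Asset", lambda s: 10 <= s <= 49, 1.1),   # between 10 and 49
]


def matching_factor(ari_risk_score):
    """Return (factor name, multiplier) for a score, or None when no factor applies.

    None is also returned when the score is missing, i.e. the asset was not found
    in the Splunk Asset and Risk Intelligence inventory (assumption of this model).
    """
    if ari_risk_score is None:
        return None
    for name, condition, multiplier in ARI_RISK_FACTORS:
        if condition(ari_risk_score):
            return name, multiplier
    return None


def adjust_risk(risk_event, assets):
    """Apply the src and dest risk factors to one risk event.

    risk_event: dict with 'risk_score' plus optional 'src' and 'dest' hostnames.
    assets: dict mapping hostname -> ari_risk_score (stands in for the ES asset lookup).
    Returns (adjusted score, list of applied factor names with their role).
    """
    score = float(risk_event["risk_score"])
    applied = []
    for role in ("src", "dest"):
        host = risk_event.get(role)
        match = matching_factor(assets.get(host)) if host else None
        if match:
            name, multiplier = match
            score *= multiplier  # Operation column: Multiplication
            applied.append(f"{name} ({role})")
    return score, applied


# Constructed sample data: a few hostnames with hypothetical ARI risk scores.
SAMPLE_ASSETS = {"web01": 120, "db01": 100, "wks-17": 49.5, "lab-vm": 5}
SAMPLE_EVENTS = [
    {"risk_score": 40, "src": "wks-17", "dest": "web01"},        # dest critical -> x2
    {"risk_score": 40, "src": "db01", "dest": "unknown-host"},   # src high -> x1.5
    {"risk_score": 40, "src": "lab-vm", "dest": "wks-17"},       # nothing matches
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", adjust_risk(event, SAMPLE_ASSETS))
```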
Enrich Splunk Enterprise Security with additional asset and identity context
You must complete the following two parts to enrich Splunk Enterprise Security with additional asset and identity context:
- Part 1: Add asset and identity fields to Splunk Enterprise Security
- Part 2: Enrich findings using asset and identity fields
Part 1: Add asset and identity fields to Splunk Enterprise Security
Splunk Enterprise Security includes asset and identity fields that enrich findings. You can add additional fields, such as operating system, vendor, or product.
To add a field to assets and identities in Splunk Enterprise Security, complete the following steps:
- In Splunk Enterprise Security, select Configure then All configurations and then Assets and identities.
- Select the Asset fields tab.
- Select Add new field.
- Enter the Field name.
- (Optional) If you want to merge multiple fields from Splunk Asset and Risk Intelligence into one field, select Multivalue. For example, you can merge `vendor` and `product` to make a field called `vendor_product`.
- Select Save.
- Repeat these steps in the Identity fields tab.
- In Splunk Asset and Risk Intelligence, select Admin then Integrations and then Enterprise Security configuration.
- In the Asset and identity synchronization table, select the settings icon for Assets.
- Map the Splunk Asset and Risk Intelligence Inventory field(s) to your newly defined Enterprise Security field.
If the Splunk Enterprise Security field wasn't defined as Multivalue, then you can only add one inventory field.
- Select Save.
- Repeat these steps for identity fields.
The newly mapped fields populate in Splunk Enterprise Security the next time that the integration synchronization occurs, which is every 15 minutes by default.
Part 2: Enrich findings using asset and identity fields
To display an asset or identity field on findings in the Splunk Enterprise Security analyst queue, complete the following steps:
- In Splunk Enterprise Security, select Configure then All configurations and then Field values for findings.
If you're using Splunk Enterprise Security version 7.x or earlier, select Configure then Incident Management and then Incident Review Settings. Then, in the Incident Review - Event Attributes section, select +Add Field.
- Select + Field.
- Create a `src` and `dest` definition for each field to ensure that the field appears in a finding when a correlation occurs. For example, if you want to add a field called `vendor_product`, add a field called `src_vendor_product` with a Label called Source vendor product, and then add a field called `dest_vendor_product` with a Label called Destination vendor product.
- Repeat these steps for each asset and identity field you want to appear on findings in the analyst queue.
- Select Save on the Field values for findings page to save all fields.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1