Using Splunk Asset and Risk Intelligence after upgrading to Splunk Enterprise Security 8.5

Splunk Enterprise Security (ES) 8.5 includes a feature called exposure analytics, which provides built-in asset and user discovery and reporting. Because Splunk Asset and Risk Intelligence (ARI) already provides this functionality, you can choose whether to configure exposure analytics based on your workflow preferences and available search head resources.

After you upgrade to Splunk ES 8.5, you have two options for using Splunk ARI:

Use Splunk ARI without exposure analytics. Continue using Splunk ARI with no additional configuration required.
Use Splunk ARI with exposure analytics. Configure exposure analytics for a more integrated experience within Splunk ES.

Option 1: Use Splunk ARI without exposure analytics

If you do not configure exposure analytics, your existing Splunk ARI workflows continue without any additional steps or search head resource usage.

This option requires you to turn on the Splunk ES integration in Splunk ARI so that the asset and identity lookups in Splunk ES populate.

When using this option:

The Entity discovery view in Splunk ES remains unpopulated. Use the Asset discovery and Identity discovery views in Splunk ARI instead.
The Entity analysis view in Splunk ES populates with asset and identity lookup data from Splunk ARI. For complex relationship and association mapping, use the Investigation views in Splunk ARI, which provide deeper context.

Option 2: Use Splunk ARI with exposure analytics

If you configure exposure analytics, the Entity discovery and Entity analysis views in Splunk ES populate completely, providing a more integrated experience.

When using this option, data flows in the following order:

Splunk ARI discovers assets and identities.
That data flows into exposure analytics in Splunk ES.
Exposure analytics populates the asset and identity lookups in Splunk ES.

Before you configure this option, review your search head capacity. Setting up exposure analytics increases search processing and concurrency on the Splunk ES search head. Monitor search load after configuration. This configuration is reversible.

See Configure exposure analytics to use with Splunk Asset and Risk Intelligence.

Security Offerings

Using Splunk Asset and Risk Intelligence after upgrading to Splunk Enterprise Security 8.5

Option 1: Use Splunk ARI without exposure analytics

Option 2: Use Splunk ARI with exposure analytics

ON THIS PAGE

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

Enterprise Security

SOAR

IT Service Intelligence

Content Packs

Splunk Observability Cloud

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

Developer Documentation

Splunkbase

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

DATA MANAGEMENT

SEARCH AND ANALYTICS

ADMINISTRATION

Enterprise Security

SOAR

ENTERPRISE SECURITY

SOAR

RELATED APPS

IT Service Intelligence

Content Packs

ITSI

IT Ops

ADMINISTRATION

EXTENSIONS

Splunk Observability Cloud

MONITORING

DATA MANAGEMENT

ADMINISTRATION

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

ESSENTIALS

MONITORING

ADMINISTRATION

Developer Documentation

Splunkbase

PLATFORM

OBSERVABILITY

REFERENCE

Resources

REFERENCE

Learn More

Support

Using Splunk Asset and Risk Intelligence after upgrading to Splunk Enterprise Security 8.5

Option 1: Use Splunk ARI without exposure analytics

Option 2: Use Splunk ARI with exposure analytics