Activate integration with Splunk Enterprise Security in Splunk Asset and Risk Intelligence

Note: Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Splunk Asset and Risk Intelligence can integrate with Splunk Enterprise Security to add asset context to notable events. With an active integration, Splunk Enterprise Security continuously updates its asset and identity inventories with Splunk Asset and Risk Intelligence data. Only a Splunk Asset and Risk Intelligence admin can activate the integration.

To learn more about what you can do with the Splunk Enterprise Security integration with Splunk Asset and Risk Intelligence, see Enrich Splunk Enterprise Security notable events with asset context in the Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence manual.

Activate the Splunk Enterprise Security integration

To activate the integration with Splunk Enterprise Security, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin, then Integrations, and then Enterprise Security configuration.
  2. Select Enable Integration.
  3. Select Enable.
  4. After all of the integration items display "Success", select Close.

Deactivate the Splunk Enterprise Security integration

To deactivate the integration with Splunk Enterprise Security, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin, then Integrations, and then Enterprise Security configuration.
  2. Select Remove Integration.
  3. Select Remove.
  4. After all of the integration removal items display "Success", select Close.