Set up directories for Splunk Asset and Risk Intelligence

Note: Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" contain more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Splunk Asset and Risk Intelligence includes two internal data sources for enrichment: a company subnet directory and a company user directory. Populate these directories to locate assets on internal networks and to provide context on user IDs.

Populate the company subnet directory

You can incorporate location data from your company into Splunk Asset and Risk Intelligence if you have a subnet listing. Populating a company subnet directory is optional, but you might want to use one to identify asset locations.

To populate the company subnet directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company subnet directory.
  2. Update the subnet listing by uploading a CSV file, entering a Splunk search, or manually entering the subnet fields. Follow the steps for your preferred method:
Method: Upload a CSV file
  1. Select the upload icon. The CSV file you upload must contain the required subnet listing fields. See Required subnet listing fields.
  2. Using the drop-down list, select whether you want to Merge or Overwrite any existing data.
  3. Select Upload.

Note: The maximum upload size is 5 MB. Upload larger files, or files whose fields have different names, using the Splunk lookup functionality.

Method: Enter a Splunk search
  1. Select the search icon.
  2. Enter your search using the Search Processing Language (SPL). The search must return the required subnet listing fields. See Required subnet listing fields. For example, the end of a search looks like the following:
  3. Select Merge or Overwrite for the Search mode. You can overwrite any existing subnets with the search results, or merge the search results with existing subnets, including entries that have already been added manually.
  4. (Optional) To run the search immediately, select Run search. This runs the search before the designated cron schedule.
  5. (Optional) Preview your search results by selecting Preview search.
  6. Select Save.

Method: Manually enter the subnet fields
  1. Select the add icon (+).
  2. Enter a value for each subnet field.
  3. Select Add.

After you populate the company subnet directory, you can manually add more entries by selecting the add icon (+), and you can edit, clone, or remove entries using the action icons.

Required subnet listing fields

The subnet listing must contain the following fields:

subnet: Subnet and mask. For example, 10.10.10.10/24.
zone: Subnet IP zone of the entry.
location_id: Any location ID used by the business.
description: Description of the subnet entry.
provider: Name of a provider. For example, AWS.
city: City name for the entry.
state: 2-letter U.S. state or Canadian province code. For example, "ON".
country: 2-letter country code. For example, "US".
region: Region. For example, "AMER" or "EMEA".
type: Subnet type of the entry.
vlan: Subnet virtual LAN of the entry.

Note: Some fields can have null values, but every field must be included in the lookup table header. Don't change null values to "unknown" or something similar.
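The following script is an added example, not part of the Splunk documentation or of the Asset and Risk Intelligence app. It runs the checks worth doing on a subnet listing before uploading it: the required header fields from the table above, the 5 MB upload limit, subnet syntax, 2-letter state and country codes, and leaving null cells empty rather than filling them with "unknown". It also models the Merge and Overwrite upload modes. The sample CSV is constructed, and the (subnet, zone) key used to decide which existing entry a Merge replaces is an assumption; the page does not state how the app keys entries.

```python
"""Pre-upload checks for a company subnet listing (added example, not ARI code).
Field names come from the documented required fields; the sample data and the
(subnet, zone) merge key are this example's own assumptions."""
import csv
import io
import ipaddress

SUBNET_FIELDS = ["subnet", "zone", "location_id", "description", "provider",
                 "city", "state", "country", "region", "type", "vlan"]
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # documented 5 MB limit for the upload dialog

# Constructed sample CSV. Blank cells are legitimate nulls and must stay blank.
SAMPLE_CSV = """subnet,zone,location_id,description,provider,city,state,country,region,type,vlan
10.10.10.10/24,default,LOC-001,Corp LAN,,Toronto,ON,CA,AMER,lan,10
10.20.0.0/16,default,LOC-002,AWS VPC,AWS,,,US,AMER,cloud,
not-a-subnet,default,LOC-003,Typo,,,,,,,
192.168.1.0/24,default,LOC-004,Lab,,Berlin,,de,EMEA,lan,20
"""


def check_header(header, required):
    """Return the required field names that are absent from a CSV header."""
    return [f for f in required if f not in header]


def validate_subnet_rows(text):
    """Parse CSV text and return (accepted_rows, problems).
    Rows with a bad subnet or a bad state/country code are reported and skipped."""
    if len(text.encode()) > MAX_UPLOAD_BYTES:
        return [], ["file exceeds 5 MB; load it through a Splunk lookup instead"]
    reader = csv.DictReader(io.StringIO(text))
    missing = check_header(reader.fieldnames or [], SUBNET_FIELDS)
    if missing:
        return [], ["missing required fields: " + ", ".join(missing)]
    accepted, problems = [], []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        errs = []
        try:
            # strict=False accepts "10.10.10.10/24" (host bits set), matching
            # the documented example; the entry describes the containing network.
            net = ipaddress.ip_network(row["subnet"], strict=False)
        except ValueError:
            errs.append(f"line {n}: bad subnet {row['subnet']!r}")
            net = None
        for f in ("state", "country"):
            code = row[f]
            if code and (len(code) != 2 or not code.isupper()):
                errs.append(f"line {n}: {f} must be a 2-letter upper-case code, got {code!r}")
        if errs:
            problems.extend(errs)
            continue
        # Normalise the subnet, fill a blank zone with the documented default,
        # and leave every other null exactly as it came in.
        accepted.append(dict(row, subnet=str(net), zone=row["zone"] or "default"))
    return accepted, problems


def apply_upload(existing, new_rows, mode):
    """Model the upload dialog's modes. Overwrite discards the existing directory;
    Merge keeps it and adds or replaces entries keyed by (subnet, zone)."""
    incoming = {(r["subnet"], r["zone"]): r for r in new_rows}
    if mode == "Overwrite":
        return incoming
    if mode != "Merge":
        raise ValueError("mode must be 'Merge' or 'Overwrite'")
    merged = dict(existing)
    merged.update(incoming)
    return merged


if __name__ == "__main__":
    rows, problems = validate_subnet_rows(SAMPLE_CSV)
    for p in problems:
        print("REJECTED", p)
    for r in rows:
        print("OK", r["subnet"], r["zone"], r["location_id"])
```

Run the script as-is to see two rows accepted and two rejected (the malformed subnet and the lower-case country code); the rejected lines are the ones the upload would otherwise carry into the directory unchanged.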

Add IP zones to the company subnet directory

With IP zones, you can differentiate network areas for the same IP address. For example, if a company acquires another company, you might want to specify a zone for each subnet entry.

To use IP zones, you must identify an IP zone for each entry in the company subnet directory and also for each data source you add to Splunk Asset and Risk Intelligence.

Note: By default, each subnet entry has a zone value of default, and each data source has an ip_zone value of default. If you don't want to use IP zones, you don't need to edit these values.

To add a new IP zone in the company subnet directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company subnet directory.
  2. Select the add icon (+) to add a subnet entry with the new IP zone to your company subnet directory.
  3. Enter a new name for the IP zone.
  4. Select Add.
  5. Select the add icon (+) to add additional subnet entries with the new IP zone.

    Note: You can't edit the IP zone for existing subnet entries.

After you add IP zones to your company subnet directory, make sure to also identify IP zones for each data source you add. See Data source field mapping reference.
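The script below is an added example, not code from the Asset and Risk Intelligence app, and the page does not describe how the app itself matches addresses. It models the rule stated above: every subnet entry carries a zone, every data source carries an ip_zone, both default to "default", and an address from a data source is only resolved against subnet entries in the same zone. Longest-prefix match within a zone, the sample directory, and the sample events are all assumptions introduced here; the directory deliberately contains the same 10.1.0.0/16 range twice, once for the original company and once for an acquired one.

```python
"""Zone-aware resolution of an asset IP to a company subnet entry.
Added example, not ARI code; the matching rule (longest prefix within the
data source's ip_zone) and all sample data are assumptions."""
import ipaddress

# Constructed subnet directory. The acquired company reuses 10.1.0.0/16,
# so the two entries are told apart only by their zone.
SUBNET_DIRECTORY = [
    {"subnet": "10.0.0.0/8",     "zone": "default",  "location_id": "HQ",       "city": "Toronto"},
    {"subnet": "10.1.0.0/16",    "zone": "default",  "location_id": "DC-1",     "city": "Toronto"},
    {"subnet": "10.1.0.0/16",    "zone": "acme-acq", "location_id": "ACME-1",   "city": "Austin"},
    {"subnet": "192.168.0.0/16", "zone": "acme-acq", "location_id": "ACME-LAB", "city": "Austin"},
]

# Constructed events as they might arrive from two data sources. A source with
# no ip_zone configured is treated as "default", as the page says.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3",    "source": "corp-dhcp"},
    {"src_ip": "10.1.2.3",    "source": "acme-dhcp", "ip_zone": "acme-acq"},
    {"src_ip": "192.168.5.9", "source": "corp-dhcp"},
    {"src_ip": "10.9.9.9",    "source": "corp-dhcp"},
]


def resolve_subnet(ip, ip_zone="default", directory=SUBNET_DIRECTORY):
    """Return the most specific directory entry in ip_zone that contains ip,
    or None. Entries in other zones are never considered."""
    addr = ipaddress.ip_address(ip)
    best_net, best_entry = None, None
    for entry in directory:
        if entry["zone"] != ip_zone:
            continue
        net = ipaddress.ip_network(entry["subnet"], strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


def enrich_events(events, directory=SUBNET_DIRECTORY):
    """Attach location_id and city from the matching subnet entry to each event."""
    enriched = []
    for ev in events:
        entry = resolve_subnet(ev["src_ip"], ev.get("ip_zone", "default"), directory)
        enriched.append(dict(ev,
                             location_id=entry["location_id"] if entry else None,
                             city=entry["city"] if entry else None))
    return enriched


if __name__ == "__main__":
    for ev in enrich_events(SAMPLE_EVENTS):
        print(ev["source"], ev["src_ip"], "->", ev["location_id"], ev["city"])
```

The two 10.1.2.3 events resolve to different locations purely because of the data source's ip_zone, and the 192.168.5.9 event from the corporate source resolves to nothing, because that range exists only in the acquired company's zone. That is the behaviour to expect if you add zoned subnet entries but forget to set ip_zone on the corresponding data source.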

Populate the company user directory

You must populate the company user directory to store asset context such as user IDs and email addresses.

To populate the company user directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company user directory.
  2. Update the user listing by uploading a CSV file, entering a Splunk search, or manually entering the user fields. Follow the steps for your preferred method:
Method: Upload a CSV file
  1. Select the upload icon. The CSV file you upload must contain the required user listing fields. See Required user listing fields.
  2. Using the drop-down list, select whether you want to Merge or Overwrite any existing data.
  3. Select Upload.

Note: The maximum upload size is 5 MB. Upload larger files, or files whose fields have different names, using the Splunk lookup functionality.

Method: Enter a Splunk search
  1. Select the search icon.
  2. Enter your search using the Search Processing Language (SPL). The search must return the required user listing fields. See Required user listing fields. For example, the end of a search looks like the following:
  3. Select Merge or Overwrite for the Search mode. You can overwrite any existing user data with the search results, or merge the search results with existing user data, including entries that have already been added manually.
  4. (Optional) To run the search immediately, select Run search. This runs the search before the designated cron schedule.
  5. (Optional) Preview your search results by selecting Preview search.
  6. Select Save.

Method: Manually enter the user fields
  1. Select the add icon (+).
  2. Enter a value for each user field.
  3. Select Add.

After you populate the company user directory, you can manually add more entries by selecting the add icon (+), and you can edit, clone, or remove entries using the action icons.

Required user listing fields

The user directory listing must contain the following fields:

user_id: The username for the listing.
user_first: First name of the user.
user_last: Last name of the user.
user_category: Category of the user. For example, "contractor" or "employee".
user_email: Email address of the user.
user_title: The job title of the user.
user_business: Business of the user.
user_bunit: Business unit of the user.
user_city: City where the user is based.
user_state: 2-letter U.S. state or Canadian province code where the user is based. For example, "ON".
user_country: 2-letter country code where the user is based. For example, "US".
user_location_id: Location ID used by the business to identify a company location.
user_priority: The priority of the user. For example, an executive might be "high" priority.
user_start_date: The date the user started at the company.
user_end_date: The date the user left the company.

Note: Some fields can have null values, but every field must be included in the lookup table header. Don't change null values to "unknown" or something similar.
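The script below is an added example, not part of the Splunk documentation or the Asset and Risk Intelligence app. It validates a user listing against the required fields above, rejecting duplicate user_id values and unparseable dates while keeping null cells empty, and then shows the kind of context the directory is meant to supply for a user ID seen on an asset: whether the ID is known, the user's email and category, whether the user's end date has already passed, and whether the user is high priority. The ISO 8601 date format, the "departed" and "high_priority" flags, and the sample CSV are assumptions made for this example; the page does not specify a date format or how the app uses user_end_date.

```python
"""Validate a company user listing and derive user-ID context from it.
Added example, not ARI code. Field names are the documented required fields;
the ISO date format, the derived flags and the sample data are assumptions."""
import csv
import io
from datetime import date

USER_FIELDS = ["user_id", "user_first", "user_last", "user_category",
               "user_email", "user_title", "user_business", "user_bunit",
               "user_city", "user_state", "user_country", "user_location_id",
               "user_priority", "user_start_date", "user_end_date"]

# Constructed sample. Blank cells are legitimate nulls and stay blank.
# Line 4 repeats jdoe; line 5 has an impossible month.
SAMPLE_USERS_CSV = """user_id,user_first,user_last,user_category,user_email,user_title,user_business,user_bunit,user_city,user_state,user_country,user_location_id,user_priority,user_start_date,user_end_date
jdoe,Jane,Doe,employee,jdoe@example.com,CFO,Example Corp,Finance,Toronto,ON,CA,LOC-001,high,2019-03-04,
bsmith,Bob,Smith,contractor,bsmith@vendor.example,Consultant,,IT,Austin,TX,US,LOC-004,,2023-01-09,2024-06-30
jdoe,Jane,Doe,employee,jdoe@example.com,CFO,Example Corp,Finance,Toronto,ON,CA,LOC-001,high,2019-03-04,
mlee,Mei,Lee,employee,mlee@example.com,Engineer,Example Corp,R&D,Berlin,,DE,LOC-005,,2024-13-01,
"""


def parse_date(s):
    """ISO 8601 date, or None for a null cell. Raises ValueError on garbage."""
    return date.fromisoformat(s) if s else None


def validate_user_rows(text):
    """Return ({user_id: row}, problems). Duplicate IDs, bad dates and an
    end date before the start date are reported and skipped."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in USER_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        return {}, ["missing required fields: " + ", ".join(missing)]
    users, problems = {}, []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        uid = row["user_id"]
        if uid in users:
            problems.append(f"line {n}: duplicate user_id {uid!r}")
            continue
        try:
            start = parse_date(row["user_start_date"])
            end = parse_date(row["user_end_date"])
        except ValueError as exc:
            problems.append(f"line {n}: {exc}")
            continue
        if start and end and end < start:
            problems.append(f"line {n}: user_end_date is before user_start_date")
            continue
        users[uid] = row  # nulls are kept as empty strings, never rewritten
    return users, problems


def user_context(users, user_id, seen_on):
    """Context for user_id observed on an asset on date seen_on.
    The 'departed' and 'high_priority' flags are this example's own."""
    row = users.get(user_id)
    if row is None:
        return {"user_id": user_id, "known": False}
    end = parse_date(row["user_end_date"])
    return {
        "user_id": user_id,
        "known": True,
        "email": row["user_email"],
        "category": row["user_category"],
        "departed": end is not None and seen_on > end,
        "high_priority": row["user_priority"] == "high",
    }


if __name__ == "__main__":
    users, problems = validate_user_rows(SAMPLE_USERS_CSV)
    for p in problems:
        print("REJECTED", p)
    for uid in ("jdoe", "bsmith", "ghost"):
        print(uid, user_context(users, uid, parse_date("2024-09-01")))
```

A contractor whose user_end_date is in the past but whose ID still appears on an asset is exactly the kind of finding this context exists to surface; an ID that the directory does not know at all is the other one, and both depend on the end-date and category columns being populated rather than left blank across the board.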