Analyze an asset or user

To analyze an asset or user, complete the following steps:

  1. In Exposure Analytics, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate, for example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.
    Note: You can only search by user_id on the Identity investigation page.
  4. Select Submit.

After you enter an asset or user to analyze, you can explore the resulting visualizations in the Details tab and begin your investigation.

To find a description of each visualization, see the following table:

| Visualization | Description |
| --- | --- |
| Health check | Examine the health of assets and identities based on known or custom metrics. You can also find the status, either Detected or Undetected, for active risk rules. A status of detected means that the active risk rule has been triggered. To modify the health check metric, see Create and manage metrics in Splunk Asset and Risk Intelligence. |
| Latest associations | Find the first and last discovery time of the asset or identity and see its associated data. For example, an asset might have an associated MAC address, IP address, and identity from when it was last discovered. |
| Geographic location | Find the geographic location associated with the asset or identity. |
| Record | Find fields and values pertaining to the asset or identity. You can also find the data source attributed to each field and value to identify where it came from. Field values with the Applied logic data source come from a processing and advanced logic calculation in Splunk Asset and Risk Intelligence, and field values with the Custom data source come from the custom fields added to a particular inventory. |
| Sources | Find details on data sources that have detected the asset or identity, including when the source last detected the asset or identity and how many days ago it was originally detected. |
| Discovered software | Find all of the detected software and software details for the given asset or identity. |