Investigate assets and identities in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence creates asset inventories by aggregating data from different sources such as log files, network devices, cloud services, workstations, servers, and databases. You can investigate identities and assets, such as hostnames, IP addresses, and MAC addresses, discovered by Splunk Asset and Risk Intelligence.

Investigate an asset or identity

To investigate an asset or identity, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.
    Note: You can only search by user_id on the Identity investigation page.
  4. Select Submit.

After you enter an asset or identity to investigate, you can explore the resulting visualizations in the Details tab and begin your investigation.

The following list describes each visualization:

Health check: Examine the health of assets and identities based on known or custom metrics. You can also find the status, either Detected or Undetected, for active risk rules. A status of Detected means that the active risk rule has been triggered. To modify the health check metric, see Create and manage metrics in Splunk Asset and Risk Intelligence.
Latest associations: Find the first and last discovery time of the asset or identity and see its associated data. For example, an asset might have an associated MAC address, IP address, and identity from when it was last discovered.
Geographic location: Find the geographic location associated with the asset or identity.
Record: Find fields and values pertaining to the asset or identity. You can also find the data source attributed to each field and value to identify where it came from. Field values with the Applied logic data source come from a processing and advanced logic calculation in Splunk Asset and Risk Intelligence, and field values with the Custom data source come from the custom fields added to a particular inventory.
Data sources: Find details on data sources that have detected the asset or identity, including when the source last detected the asset or identity and how many days ago it was originally detected.
Discovered software: Find all of the detected software and software details for the given asset or identity.

Review the detection activity of associated assets and identities

Discover associations with assets and identities, and then see how active they've been within a specified time frame. The default time frame is the past 7 days.

To review the detection activity of associated assets and identities, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.
    Note: You can only search by user_id on the Identity investigation page.
  4. Select Submit.
  5. Select the Activity tab.
  6. Using the drop-down list, specify a time range.
  7. Select an association type. For example, select Data sources to see which data sources detected that asset or identity over your specified period of time. Or, select Identity to find associated identities.

Assess the risk of an asset or identity using metric compliance data

While investigating an asset or identity, you can assess its risk by checking its metric compliance. For asset investigations, you can also see discovered vulnerabilities, risk scoring activity, and risk score trends.

To assess the risk of an asset or identity, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select what you want to investigate. For example, Asset investigation.
  3. Depending on which investigation page you selected, enter either an asset or identity in the search box. For example, if you selected Asset investigation, you can enter 20.20.20.20 to investigate an IP address.
    Note: You can only search by user_id on the Identity investigation page.
  4. Select Submit.
  5. Select the Risk tab.
  6. Review the Metric activity table for a list of associated metrics and their compliance status.
  7. Review the Metric compliance visualization to see the compliance percentage for all of the metrics in the activity table. For example, if there are 4 metrics for an asset and 2 of them are noncompliant, the compliance visualization shows 50% compliance.
  8. If you're investigating an asset, review the following:
    • The Discovered vulnerabilities table for a complete listing of vulnerabilities discovered on that asset.
    • The Risk scoring activity for the total risk score for the asset, the rules that contributed to it, and how severe that score is compared with other assets of the same type that have a risk score.
    • The Risk score trend for the average risk score over time for the given asset.

Visualize associated activity using attack surface explorer

Attack surface explorer gives you a complete view of an asset and its related activity over time. You can find details from associated activity such as MAC addresses, identities, IP addresses, risks, vulnerabilities, and installed software. Visualize which user accounts or service accounts are connected, which IP addresses are most active, and where risk or detection activity is concentrated. The line thickness serves as a visual indicator of detection activity, highlighting associations with the most activity and helping you identify patterns and potential areas of concern.

Follow these steps to investigate an asset or identity using attack surface explorer:

  1. Open the Investigation page for an asset or identity.
  2. Select the Attack surface tab. Alternatively, you can select the Activity tab and then select the node icon on one of the association panels.
  3. Select a time range and an association type.
  4. Enter a number for Max nodes per association. Setting a maximum reduces noise and helps you focus on particular associations.
  5. (Optional) Select the Link weights check box to visualize the weight of detection activity. When you turn on link weights, the line, or link, between an asset and its associations appears thicker when there is more activity.
  6. Double-click another asset or identity in the attack surface explorer to visualize associations for that entity. Doing so reloads the attack surface explorer for the item you've selected. Alternatively, you can right-click the asset or identity and then select Explore to open a separate tab.

After you finish exploring associations in the attack surface explorer, you can right-click an asset or identity association and select Investigate to open a new investigation page for that entity.

Investigate an IP address by examining its subnet data

If you want to investigate an IP address that Splunk Asset and Risk Intelligence has not detected, or does not have complete data on, you can investigate it by examining its subnet data. Enter an IP address and a subnet mask to search for IPv4 or IPv6 addresses detected in the same subnet. You can also specify which fields to group the subnet by, such as the city or country.

To investigate an IP address using subnet data, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Investigation from the main menu navigation bar.
  2. From the drop-down list, select IP subnet investigation.
  3. Enter the IP address you want to investigate in the search box.
  4. Select the Subnet mask. For example, ipv4 /24.
  5. (Optional) Specify the Zone if you're utilizing IP zones. See Add IP zones to the company subnet directory in the Administer Splunk Asset and Risk Intelligence manual.
  6. (Optional) Select fields to group the subnet by.
  7. Select whether to geolocate the subnet by city, country, or location_id.
  8. Select Submit.

After you submit your IP subnet investigation search, you can find all the IP addresses discovered in the subnet and the known asset information for each one. You can also find subnets that match the company subnet directory to see whether the discovered subnet is in your inventory.
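The logic behind an IP subnet investigation, as an added offline model that is not Splunk Asset and Risk Intelligence code: derive the subnet from the submitted address and mask, keep only discovered addresses of the same IP version that fall inside it, optionally restrict to one IP zone, group the members by a chosen field, and check whether the subnet is contained in the company subnet directory. The discovered records, the zone names and the directory entries are constructed sample data, and the function names are hypothetical. The zone filter matters because the same address (20.20.20.20 below) can legitimately exist in two zones, which is exactly the situation IP zones exist to separate.

```python
"""Offline model of an IP subnet investigation (added example, not product code)."""
import ipaddress
from collections import defaultdict

# Constructed sample of discovered IP addresses with asset fields (hypothetical values).
DISCOVERED = [
    {"ip": "20.20.20.20", "nt_host": "web-01", "city": "London", "country": "GB", "zone": "corp"},
    {"ip": "20.20.20.57", "nt_host": "web-02", "city": "London", "country": "GB", "zone": "corp"},
    {"ip": "20.20.20.200", "nt_host": None, "city": "Manchester", "country": "GB", "zone": "corp"},
    {"ip": "20.20.21.4", "nt_host": "db-01", "city": "London", "country": "GB", "zone": "corp"},
    {"ip": "20.20.20.20", "nt_host": "lab-07", "city": "Austin", "country": "US", "zone": "lab"},
    {"ip": "2001:db8:1::10", "nt_host": "v6-host", "city": "Paris", "country": "FR", "zone": "corp"},
    {"ip": "2001:db8:2::10", "nt_host": "v6-other", "city": "Paris", "country": "FR", "zone": "corp"},
    {"ip": "not-an-ip", "nt_host": "bad-record", "city": None, "country": None, "zone": "corp"},
]

# Constructed company subnet directory keyed by IP zone (hypothetical).
SUBNET_DIRECTORY = {
    "corp": ["20.20.20.0/24", "2001:db8:1::/64"],
    "lab": ["10.0.0.0/8"],
}


def containing_network(ip, prefix_len):
    """Return the network that contains ip at the given prefix length (e.g. /24)."""
    addr = ipaddress.ip_address(ip)
    # strict=False lets a host address such as 20.20.20.20/24 collapse to 20.20.20.0/24.
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def in_subnet_directory(net, zone=None):
    """True if net lies inside a directory entry (for the given zone, or any zone)."""
    for dir_zone, cidrs in SUBNET_DIRECTORY.items():
        if zone is not None and dir_zone != zone:
            continue
        for cidr in cidrs:
            known = ipaddress.ip_network(cidr)
            # subnet_of() raises TypeError across IP versions, so check the version first.
            if known.version == net.version and net.subnet_of(known):
                return True
    return False


def investigate_subnet(ip, prefix_len, zone=None, group_by=None):
    """Model of the IP subnet investigation: members, optional grouping, directory match."""
    net = containing_network(ip, prefix_len)
    members = []
    for rec in DISCOVERED:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed record in the inventory: skip rather than fail the search
        if addr.version != net.version or addr not in net:
            continue
        if zone is not None and rec["zone"] != zone:
            continue
        members.append(rec)

    groups = {}
    if group_by:
        grouped = defaultdict(list)
        for rec in members:
            grouped[rec.get(group_by)].append(rec["ip"])
        groups = dict(grouped)

    return {
        "subnet": str(net),
        "members": members,
        "groups": groups,
        "in_directory": in_subnet_directory(net, zone),
    }


if __name__ == "__main__":
    result = investigate_subnet("20.20.20.20", 24, zone="corp", group_by="city")
    print(result["subnet"], "in directory:", result["in_directory"])
    for city, ips in result["groups"].items():
        print(f"  {city}: {ips}")
```

Searching 20.20.20.20 with a /24 mask and no zone returns four members, including the duplicate address from the lab zone; restricting to the corp zone drops it, and restricting to the lab zone reports the subnet as absent from the directory because only the corp directory lists 20.20.20.0/24. Widening the mask to /16 pulls in 20.20.21.4 but no longer matches any directory entry, which is the "not in your inventory" outcome the page describes.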