Onboarding with Splunk Asset and Risk Intelligence
As an admin user with the ari_admin role, you can begin setting up Splunk Asset and Risk Intelligence for users after you install the application. Onboarding consists of the following tasks:
- Splunk Asset and Risk Intelligence includes two internal data sources for enrichment: a company subnet directory and a company user directory. Populate these directories to help locate assets on internal networks and provide context on user IDs. See Set up directories for Splunk Asset and Risk Intelligence.
- Splunk Asset and Risk Intelligence includes known, compatible data sources that can pull data from specific events. You can select from these data sources or add your own custom data sources. See Set up data sources for Splunk Asset and Risk Intelligence.
- Add custom fields by populating the custom data inventory with the field values for each asset. See Add a custom field in Splunk Asset and Risk Intelligence.
- Turn on Splunk Asset and Risk Intelligence discovery searches to start discovering assets. See Turn on or turn off discovery searches in Splunk Asset and Risk Intelligence.
- Select which metrics to report on based on the data sources you selected. You can add known metrics included with Splunk Asset and Risk Intelligence, or you can create custom metrics. See Create and manage metrics in Splunk Asset and Risk Intelligence.
- Use Splunk Asset and Risk Intelligence default enrichment rules to improve asset information such as missing field values. You can also create custom enrichment rules. See Manage enrichment rules in Splunk Asset and Risk Intelligence.
- Activate integration with Splunk Enterprise Security to enrich notable events with Splunk Asset and Risk Intelligence asset context. See Activate integration with Splunk Enterprise Security in Splunk Asset and Risk Intelligence.