Video

What is Splunk Asset and Risk Intelligence (ARI)?

Episode 6

Video Summary

What is Splunk Asset and Risk Intelligence?

Not Just a CMDB

ARI is not a traditional Configuration Management Database (CMDB). It is a security investigation tool designed to aid analysts by leveraging data already ingested into Splunk, requiring no additional agents.

Core Capabilities

ARI provides accurate and fast context, continuously discovers assets, identifies compliance violations, and reduces risk exposure through out-of-the-box and custom frameworks.

Challenges Addressed by ARI

Key Security Challenges

Security teams face three major challenges:
• Efficiently identifying and maintaining up-to-date asset inventories across networks
• Correlating alert data with specific assets and identities during investigations, often requiring cross-referencing multiple tools
• Meeting compliance and audit requirements with detailed asset knowledge

Five Core Requirements

To solve these challenges, organisations need to:
• Discover assets continuously as they are added or removed
• Manage and categorise assets to understand security needs and business function
• Identify relationships between assets, users, and other entities
• Secure assets and track vulnerabilities
• Maintain compliance posture effectively

Comprehensive Asset Visibility and Context

Continuous Discovery and Enrichment

ARI continuously discovers assets using existing Splunk data sources, correlates asset metadata like IPs, MAC addresses, software, and vulnerabilities, and enriches this data for greater insight.

Mapping Asset-Identity Relationships

Security teams can quickly identify relationships between assets and users, track changes such as IP address updates or new user associations, and understand the blast radius of security incidents.

Compliance and Audit Support

Tracking In-Scope Assets

Organisations often struggle to maintain full visibility over assets critical for compliance. ARI offers continuous endpoint compliance metrics and dashboards for real-time validation.

Proactive Compliance Management

Custom compliance metrics can be built for areas like laptop encryption, vulnerability scanning, and malware protection, helping close compliance gaps as they arise.

Integration with Enterprise Security and CMDB

Enhancing Investigations

ARI automatically populates the Enterprise Security asset and identity frameworks, enriching events with detailed asset context and streamlining investigation workflows.

Bidirectional CMDB Integration

By integrating with ServiceNow CMDB, ARI ensures asset data remains accurate and up-to-date, sending unmanaged assets for management and updating existing records.

Automated Ticketing for Compliance

Non-compliant assets can trigger automated tickets in ServiceNow, helping close security gaps efficiently.

Additional Resources

Who are Somerford?

We are a passionate group of people delivering innovation to our customers on their digital transformation journey.

Splunk Partner

Discover more about our partnership with Splunk and find out more about our offerings.

Splunk Security Solutions

Utilise Splunk's suite of security solutions designed to provide unified and robust defence against cyber threats.

Get in Touch to Learn More

At Somerford, we are proud to be an Elite Splunk partner with specialist certified consultants in different areas of the Splunk suite. If you'd like to speak with one of our video presenters, or connect with one of our other experts, please get in touch with us today.