Specialized search dashboards
The domains include search dashboards to find events specific to that domain. Use the filters at the top of the dashboard or craft free-form searches using the Enterprise Security fields and tags. When an event of interest is discovered, use workflow actions to investigate further. Workflow actions in the search dashboards can automatically initiate a Splunk search to continue an investigation, perform actions on a selected host (for example, ping a specific host or run a whois command), or access external security information (for example, run a Google search on a field containing vulnerability information).
Use filters
Each search dashboard within Enterprise Security includes domain-specific filtering at the top. In addition to the general domain filter options, the search filters allow a string to be specified that a specific field value must match. When a string is entered in an entry box, use an asterisk (*) to represent any number of characters. For example, entering *server* finds myserver and server127.
To use the options provided on the filter, select and/or fill in the search items. Click the magnifying glass icon to start the search for events that match all of the entered criteria.
Use fields and tags
By default, Splunk provides powerful search capabilities for generic IT data. In addition, the advanced reporting and correlation in the Splunk App for Enterprise Security requires that common patterns in different types of data be identified and labeled. Enterprise Security uses the Splunk data-enhancement features, such as fields and tags, to give more precision in searches and to provide the consistency needed to build correlation searches and dashboards. Tags and fields in Enterprise Security are organized using an extended version of the Splunk Common Information Model.
- Tags: Group events into categories at a high level, such as 'attack', 'authentication', 'network', or 'malware'. Most events have multiple tags; the combination of tags gives a complete categorization of the event from the point of view of Enterprise Security. For example, the tags for an attempted denial of service include 'network' and 'attack' while the tags for a Trojan horse include 'malware' and 'attack'.
- Fields: Identify significant components inside individual events, such as the source (src) or destination (dest) of the event. Most types of data in Enterprise Security include general fields such as dest, src, and user along with fields that are specific to that type of data. For example, the dashboards and correlation searches for malware detection in Enterprise Security rely on malware-specific fields such as file_hash, file_path, action_taken, signature, and vendor.
Use tags and fields in any search dashboard in Enterprise Security. For more information about fields and tags, see "Tags and alias field values in Splunk Web" in the core Splunk product documentation.
Fields
Fields in Splunk are searchable name/value pairs in the event data that provide more precision in searches.
Example:
A raw event from Symantec's antivirus software might look something like this:
Aug 30 2010 01:46:51,5,1,983142,ZIN52W01TDRM63,SYSTEM,Trojan Horse,c:\windows\system32\reset5e.dll,3,4,3,256,1090519040,"",0,,0,,0,25464,0,0,0,0,0,0,,0,0,0,0,WMSMSUSNY001002,{761B429C-4029-4984-8903-4DA74A60489F},,(IP)-157.235.203.168,SAV.acmetech.COM_USEAST,DS,00:11:25:76:38:5F,10.1.4.4010,,,,,,,,,,,,,,,,0,5D95444F36C24748BF07752CD14A2311,d5904584-07f7-4609-b7ae-ea60be70cf05,0,
Enterprise Security includes an add-on that finds important fields in this raw data.
Example:
In the event above, the fields found by the TA-sav add-on include the following:
- the signature field, which has the value Trojan Horse
- the file_path field, which has the value C:\Windows\system32\~.exe
- the user field, which has the value SYSTEM
Fields in the Splunk App for Enterprise Security have the same names regardless of vendor or the specific file format of the original data. This allows a search by field across all types of data, regardless of source. Searching by field restricts the results to matching values in that field. Use the asterisk (*) wildcard to match any number of characters.
Example:
The search file_path="*system*":
- Returns events with system in the file_path field, regardless of the type of data or data format.
- Does not return events with SYSTEM in the user field.
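The following is an added example, not code from the Splunk documentation or the TA-sav add-on. It parses the raw Symantec event quoted above into CIM-style field names and then runs a field-scoped wildcard search over a small constructed event set, showing why file_path="*system*" returns the event with system in file_path but not an event whose only match is SYSTEM in the user field; the same wildcard helper also covers the *server* filter example from the "Use filters" section. The column-to-field mapping (positions 4 to 7 as dest, user, signature, file_path) is an assumption read off the sample event, not the add-on's actual extraction rules, and the two additional events are constructed.

```python
import csv
import io
import re

# Raw Symantec AV event as quoted on the page (rendering line breaks removed).
RAW_EVENT = (
    r'Aug 30 2010 01:46:51,5,1,983142,ZIN52W01TDRM63,SYSTEM,Trojan Horse,'
    r'c:\windows\system32\reset5e.dll,3,4,3,256,1090519040,"",0,,0,,0,25464,'
    r'0,0,0,0,0,0,,0,0,0,0,WMSMSUSNY001002,{761B429C-4029-4984-8903-4DA74A60489F},,'
    r'(IP)-157.235.203.168,SAV.acmetech.COM_USEAST,DS,00:11:25:76:38:5F,'
    r'10.1.4.4010,,,,,,,,,,,,,,,,0,5D95444F36C24748BF07752CD14A2311,'
    r'd5904584-07f7-4609-b7ae-ea60be70cf05,0,'
)

# ASSUMPTION: column positions inferred from the sample event above.
# The real TA-sav add-on defines its own extractions.
SAV_COLUMNS = {4: "dest", 5: "user", 6: "signature", 7: "file_path"}


def extract_sav_fields(raw):
    """Split one comma-separated SAV event and map known columns to CIM names."""
    columns = next(csv.reader(io.StringIO(raw)))
    fields = {"_raw": raw}
    for index, name in SAV_COLUMNS.items():
        if index < len(columns) and columns[index]:
            fields[name] = columns[index]
    return fields


def wildcard_to_regex(pattern):
    """Compile a Splunk-style pattern where '*' matches any run of characters.

    Everything except '*' is escaped, so values like c:\\windows\\... are
    matched literally. Case-insensitive, like Splunk's default field=value search.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(regex, re.IGNORECASE)


def field_search(events, field, pattern):
    """Return the events whose value in `field` matches the wildcard pattern.

    The match is scoped to the named field, so user=SYSTEM never satisfies
    a search on file_path, and vice versa.
    """
    regex = wildcard_to_regex(pattern)
    return [e for e in events if field in e and regex.fullmatch(e[field])]


# Constructed event set: the parsed SAV event plus two made-up events already
# in normalised form, as other add-ons would produce for other vendors.
EVENTS = [
    extract_sav_fields(RAW_EVENT),
    {"user": "SYSTEM", "file_path": r"c:\temp\payload.tmp", "signature": "Test.File"},
    {"user": "alice", "file_path": "/home/alice/Downloads/system_update.sh",
     "signature": "Test.Script"},
]

if __name__ == "__main__":
    for hit in field_search(EVENTS, "file_path", "*system*"):
        print("file_path match:", hit["user"], hit["file_path"])
    for hit in field_search(EVENTS, "user", "SYSTEM"):
        print("user match:", hit["file_path"])
```

Run as a script it prints two file_path matches (the SAV event and the constructed Linux event, despite their different formats) and two user matches; the constructed event with user=SYSTEM and no "system" in its path is never returned by the file_path search.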
For more information about fields and tags, see "Tags and alias field values in Splunk Web" in the core Splunk product documentation.
Use workflow actions
More information about a host involved in an event can be determined using the workflow actions menu in any search dashboard in Enterprise Security. Workflow actions automatically initiate a Splunk search to continue an investigation, perform actions on a selected host, or access external security information. Workflow actions are available on most fields.
Asset related fields | Identity related fields |
---|---|
dest, src, dest_ip, src_ip, dest_dns, src_dns, dest_mac, src_mac, dest_nt_host, src_nt_host | dest_owner, src_owner, user, user_identity, user_name |
Access external resources
Use the workflow actions menu to find additional information about a source or destination by going to these external resources:
Panel | Description |
---|---|
Google dest | Look up a location on Google Maps. This workflow action is available whenever all of the following fields are present: |
Nbtstat | Perform a NetBIOS name lookup. To use this, the search head must be running Windows or have Samba installed. This workflow action is available whenever any of the following fields are present: |
Nslookup | Perform a DNS lookup. This workflow action is available whenever any of the following fields are present: |
Ping | Ping the host using an ICMP echo request to make sure it is online. This workflow action is available whenever any of the following fields are present: dest, dest_dns, dest_ip, dest_nt_host, dvc, dvc_dns, dvc_ip, dvc_nt_host, host, host_dns, host_ip, host_nt_host, src, src_dns, src_ip, src_nt_host |
View DShield details | Use DShield to determine if the IP has been reported as performing malicious activity on the Internet. This workflow action is available whenever any of the following fields are present: |
View Domain Dossier | View information about a domain using information available online. This workflow action is available whenever any of the following fields are present: |
To use workflow actions to access external resources:
1. Find the host to investigate further at the bottom of an event.
2. Click the down arrow at the right of the field.
Note: If the field is present in the event, but does not appear at the bottom, add it to the list of selected fields using the Field Picker.
3. Select the external resource to use.
Go to the Search dashboard
Run a search against the selected host by choosing a Search option (for example, Malware Search, Intrusion Search) from the workflow actions menu. Selecting one of the search options displays the Search dashboard and runs a search on related activity against the selected host. For example, selecting the Intrusion Search workflow action for an IP address will run a search that looks through all available IDS log data for the selected IP address and returns any available log data representing attacks against the network with the IP address as the source.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0