Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Introduction to the dashboards available in Splunk Enterprise Security

Splunk Enterprise Security includes more than 100 dashboards to identify and investigate security incidents, reveal insights in your events, accelerate incident investigations, monitor the status of various security domains, and audit your incident investigations and your ES deployment.

The specific dashboards that will be most useful to you depend on how you plan to use Splunk Enterprise Security.

Identify and investigate security incidents

You can identify and investigate security incidents with a suite of dashboards and workflows. Splunk Enterprise Security uses correlation searches to identify notable events in your environment that represent security incidents.

  • Security Posture provides a high-level overview of the notable events in your environment over the last 24 hours. Identify the security domains with the most incidents, and the most recent activity. See Security Posture dashboard.
  • Incident Review shows the details of all notable events identified in your environment. Triage, assign, and review the details of notable events from this dashboard. See Incident Review.
  • My Investigations shows all investigations in your environment. Open and work investigations to track your progress and activity while investigating multiple related security incidents. See My Investigations.

Accelerate your investigations with security intelligence

A set of security intelligence dashboards allow you to investigate incidents with specific types of intelligence.

  • Risk analysis allows you to assess the risk scores of systems and users across your network and identify particularly risky devices and users posing a threat to your environment. See Risk Analysis.
  • Protocol intelligence dashboards use packet capture data from stream capture apps to provide network insights that are relevant to your security investigations. Identify suspicious traffic, DNS activity, email activity, and review the connections and protocols in use in your network traffic. See Protocol Intelligence dashboards.
  • Threat intelligence dashboards use the threat intelligence sources included in Splunk Enterprise Security and custom sources that you configure to provide context to your security incidents and identify known malicious actors in your environment. See Threat Intelligence dashboards.
  • User intelligence dashboards allow you to investigate and monitor the activity of users and assets in your environment. See Asset and Identity Investigator dashboards and User Activity Monitoring.
  • Web intelligence dashboards help you analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs. See Web Intelligence dashboards.

Monitor security domain activity

Domain dashboards provided with Splunk Enterprise Security allow you to monitor the events and status of important security domains. You can review the data summarized on the main dashboards, and use the search dashboards for specific domains to investigate the raw events.

  • Access domain dashboards display authentication and access-related data, such as login attempts, access control events, and default account activity. See Access dashboards.
  • Endpoint domain dashboards display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. See Endpoint dashboards.
  • Network domain dashboards display network traffic data provided by devices such as firewalls, routers, network intrusion detection systems, network vulnerability scanners, proxy servers, and hosts. See Network dashboards and Web Center and Network Changes dashboards and Port & Protocol Tracker dashboard.
  • Identity domain dashboards display data from your asset and identity lists, as well as the types of sessions in use. See Asset and Identity dashboards.

Visualize security metrics

Create a glass table to visualize security metrics in your environment. Monitor threat activity in your environment, assess the state of your Splunk Enterprise Security deployment, or map out the pathway that an attacker took through your network to monitor future intrusion attempts by an attacker in the future. See Create a glass table.

Audit activity in Splunk Enterprise Security

The audit dashboards provide insight into background processes and tasks performed by Splunk Enterprise Security. Some audit dashboards allow you to review actions taken by users in Splunk Enterprise Security, while others provide insight into your deployment and the status of your data models and content use. See Audit dashboards.

Last modified on 26 May, 2021
Create a glass table in   Customize Splunk Enterprise Security dashboards to fit your use case

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters