# Dashboard requirements matrix
To be displayed in the Enterprise Security dashboards, data must conform to the requirements specified in the tables below, which list the tags, fields, and source types required by each dashboard and panel. When certain fields are omitted from an event, they are automatically replaced with default values (such as unknown); the rest of the data must still meet the source type and tag requirements of the dashboard.

Note: By default, the tags in the "Tags" column are combined with AND unless an expression in that column specifies otherwise.
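As an added example (not Splunk's own code, and not part of the original page), the following Python parses a Tags-column expression using the AND-by-default rule, fills omitted fields with unknown the way the text above describes, and then tests whether a sample event would be eligible for a panel. The event model (a set of tags plus a dictionary of fields), the sample events, and the `PanelRequirement` helper are assumptions made for this example; Splunk itself applies tags and eventtypes at search time rather than through code like this.

```python
"""Added example: evaluate a row of the dashboard requirements matrix against
a candidate event.  The tag-expression syntax (AND/OR/parentheses, AND by
default) and the fill-with-"unknown" behaviour follow the matrix's intro text;
the event model (tags set + fields dict) is an assumption of this example."""
import re
from dataclasses import dataclass, field


def parse_tags(expr):
    """Parse a Tags-column expression such as 'account AND (management OR lockout)'
    into a small AST of ("tag", name) / ("and", a, b) / ("or", a, b) tuples.
    Adjacent terms with no operator ('listening port') are ANDed, matching the
    note that AND is the default.  An empty expression means the panel imposes
    no tag requirement and parses to None."""
    tokens = re.findall(r"\(|\)|[A-Za-z_]\w*", expr)
    if not tokens:
        return None
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError(f"unexpected end of tag expression: {expr!r}")
        pos += 1
        return tok

    def parse_or():                      # expr := term (OR term)*
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():                     # term := factor ([AND] factor)*
        node = parse_factor()
        while peek() not in (None, "OR", ")"):
            if peek() == "AND":
                take()                   # explicit AND; implicit AND otherwise
            node = ("and", node, parse_factor())
        return node

    def parse_factor():                  # factor := "(" expr ")" | tag
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in tag expression: {expr!r}")
            return node
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"misplaced {tok!r} in tag expression: {expr!r}")
        return ("tag", tok)

    node = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in tag expression: {expr!r}")
    return node


def tags_match(node, tags):
    """Evaluate a parsed tag expression against the set of tags on an event."""
    if node is None:
        return True
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "and":
        return tags_match(node[1], tags) and tags_match(node[2], tags)
    return tags_match(node[1], tags) or tags_match(node[2], tags)


@dataclass
class PanelRequirement:
    """One row of the matrix (helper type assumed for this example)."""
    panel: str
    tags: str                            # Tags column, verbatim
    fields: tuple                        # Fields column
    constraints: dict = field(default_factory=dict)  # Notes column, e.g. {"action": "success"}


def check_event(req, event_tags, event_fields, default="unknown"):
    """Return (eligible, missing_fields, normalized_fields).

    Missing required fields are filled with `default`, as the matrix's intro
    says the dashboards do; a Notes constraint is then tested on the filled
    values, so an event with no 'action' field cannot satisfy action=success."""
    normalized = dict(event_fields)
    missing = [f for f in req.fields if f not in normalized]
    for f in missing:
        normalized[f] = default
    if not tags_match(parse_tags(req.tags), set(event_tags)):
        return False, missing, normalized
    for key, value in req.constraints.items():
        if normalized.get(key) != value:
            return False, missing, normalized
    return True, missing, normalized


# Rows transcribed from the matrix (Access Tracker and Account Management).
FIRST_TIME_ACCOUNT_ACCESS = PanelRequirement(
    "First Time Account Access", "authentication",
    ("action", "app", "src", "src_user", "dest", "user"), {"action": "success"})
ACCOUNT_LOCKOUTS = PanelRequirement(
    "Account Lockouts", "account AND (management OR lockout)",
    ("signature", "src", "src_nt_domain", "src_user", "dest", "dest_nt_domain", "user"))

# Constructed sample events (not real log data): (tags, fields).
LOGON_OK = ({"authentication", "privileged"},
            {"action": "success", "app": "win_logon", "src": "10.0.0.5",
             "dest": "srv01", "user": "alice"})            # src_user omitted
LOGON_FAIL = ({"authentication"},
              {"action": "failure", "app": "sshd", "src": "10.0.0.9",
               "src_user": "bob", "dest": "srv02", "user": "bob"})

if __name__ == "__main__":
    for name, (tags, fields) in {"LOGON_OK": LOGON_OK, "LOGON_FAIL": LOGON_FAIL}.items():
        ok, missing, _ = check_event(FIRST_TIME_ACCOUNT_ACCESS, tags, fields)
        print(f"{name}: eligible={ok} missing={missing}")
```

The two rows used here are transcribed from the Access Tracker and Account Management tables. An event that lacks `src_user` is still eligible because the field is defaulted to unknown, while an event whose `action` is not success is rejected because the Notes constraint is checked after defaulting; a parse error on a malformed Tags expression raises `ValueError` rather than silently matching nothing.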
## Access Protection

Access Protection provides information about authentication attempts and access-control related events (login, logout, access allowed, access failure, use of default accounts, and so on).

### Access Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Access Over Time | authentication | action, app, src, src_user, dest, user | |
| Notable Access Events | notable | action, app, src, src_user, dest, user | |
| Top Access | authentication | action, app, src, src_user, dest, user | |
| Unique Access | authentication | action, app, src, src_user, dest, user | |
### Access Tracker

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| First Time Account Access | authentication | action, app, src, src_user, dest, user | The action field must be success (action=success) |
| Inactive Account Usage | authentication | action, app, src, src_user, dest, user | The action field must be success (action=success) |
| Completely Inactive Accounts | authentication | action, app, src, src_user, dest, user | The local field must be true (local=true) |
| Account Usage for Expired Identities | authentication | user, dest | |
### Access Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | authentication | action, app, src, src_user, dest, user | |
### Account Management

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Management Events by Time | account AND (management OR lockout) | signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user | |
| Account Lockouts | account AND (management OR lockout) | signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user | |
| Account Management by Source User | account AND (management OR lockout) | src_user | |
| Top Account Management Events | account AND (management OR lockout) | signature | |
| Recent Account Management | account AND (management OR lockout) | | |
### Default Account Activity

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Default Account Usage by Time | account AND (default OR privileged) | action, app, src, src_user, dest, user, bunit, category | The action field must be "success" (action=success) |
| Default Accounts in Use | account AND (default OR privileged) | user, user_category, dest_count | |
| Default Local Accounts | account AND local AND (default OR privileged) | user, user_category, dest_count | |
## Endpoint Protection

Endpoint Protection includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, and so on), system update history (which updates have been applied), and time synchronization information.

### Malware Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Malware Activity Over Time | malware AND attack | action | |
| Top Infections | malware AND attack | action, signature, dest | |
| Malware Activity by Domain | malware AND attack | action, dest_nt_domain | |
| Key Malware Statistics | malware AND attack | action, signature, dest, dest_nt_domain, vendor_product | |
| First Time Infections | malware AND attack | action, signature, dest | |
| Recent Malware | malware AND attack | | |
### Malware Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | malware AND attack | action, signature, dest, src, dest_nt_domain, user, file_name, file_path, file_hash | |
### Malware Operations

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Average Infection Length by Time | malware AND attack | action | |
| Anomalous Malware Infections | malware AND attack | dest, signature | |
| Malware Client Distribution | endpoint AND application AND report AND version | dest, product_version, signature_version | |
| Malware Signature Update Tracking | endpoint AND application AND report AND version | dest, product_version | |
| Endpoint Application Errors | endpoint AND application AND error | | |
### System Center

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Operating Systems | | os AND report AND version | os | |
| Resource Utilization (cpu time) | *:CPUTime | | PercentSystemTime, PercentUserTime | |
| Resource Utilization (memory) | *:Memory | | UsedBytes, FreeMBytes, TotalMBytes | |
| Resource Utilization (disk) | *:FreeDiskSpace | | FreeMegabytes, PercentFreeSpace, TotalMBytes, UsedMBytes | |
| System Uptime | *:Uptime | | SystemUpTime | |
| System Configurations (SSHD Config) | *:SSHDConfig | | dest, sshd_protocol | |
| System Configurations (SE Linux config) | *:SELinuxConfig | | dest, selinux | |
| Processes/Services (processes) | *:LocalProcesses | | app | |
| Processes/Services (services) | *:Service | | app | |
| Ports/Users (ports) | *:UserAccounts | listening port | transport, dest, dest_port, user | |
### Time Center

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Systems Not Time Synching | | time AND synchronize | dest | |
| Indexing Time Delay | | time AND synchronize | host, should_time_sync | |
| NTP Anomalous StartMode | *:Service | time | StartMode | |
| Recent Time Synchronization Failure | | time AND synchronize AND failure | | |
### Endpoint Changes

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Endpoint Changes by Action | fs_notification OR WinRegistry | | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Endpoint Changes by Type | fs_notification OR WinRegistry | | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Top Changes by System | fs_notification OR WinRegistry | | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Recent Endpoint Changes | fs_notification OR WinRegistry | | | |
### Patch / Update Center

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Updates by Status | | os AND update AND status | status AND (HotFixID OR package) | |
| Systems Not Updating | | os AND update AND status | status AND (HotFixID OR package) | |
| Automatic Update Anomalous StartMode | *:Service | update | dest, app, start_mode | |
| Anomalous System Uptime | *:Uptime | | SystemUpTime, should_update, dest | |
| Recent Update Errors | | os AND update AND error | | |
| Successful Updates | | os AND update AND status | status AND (HotFixID OR package) | |
### Patch / Update Profiler

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Patches / Updates | | os AND update AND status | status AND (HotFixID OR package) | |
## Network Protection

Network Protection includes information about network traffic provided by devices such as firewalls, routers, and network-based intrusion detection systems.

### Traffic Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Network Traffic Over Time | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port | |
| Top Network Traffic | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port | |
| Network Scanning Activity (port scanners) | network AND communicate | dest_port, src | |
| Network Scanning Activity (system scanners) | network AND communicate | dest, src | |
### Traffic Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port, vendor, product | |
### Intrusion Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| IDS Activity by Category/Severity | ids AND attack | category, severity | |
| IDS Scanning Activity | ids AND attack | signature, src | |
| IDS Activity Over Time | ids AND attack | dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application | |
| Top Attacks | ids AND attack | dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application | |
| First Time Attacks | ids AND attack | signature, dest | |
### Intrusion Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | ids AND attack | category, dest, dest_port, dvc, severity, signature, source, source_port, user, vendor_product | |
### Vulnerability Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Top Vulnerabilities | vulnerability AND report | signature | |
| Most Vulnerable Hosts | vulnerability AND report | signature, severity | |
| Vulnerabilities by Category/Severity | vulnerability AND report | category, severity, signature, dest | |
| First Time Vulnerabilities | vulnerability AND report | category, severity, signature, dest | |
### Vulnerability Operations

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Vulnerability Scan Activity | vulnerability AND dvc | severity, business unit, category, time | |
| Vulnerabilities by Age | vulnerability | signature, dest | |
| Delinquent Scanning | vulnerability AND report | category, severity, signature, dest, os | |
### Vulnerability Profiler

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Vulnerability Profiler | vulnerability | category, severity, signature, cve, dest | |
### Proxy Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Proxy Events | web AND proxy | status, action, http_method, http_content_type, http_user_agent, src, dest | Note that the client machine is the dest and the server is the src |
| Proxy Events Over Time | web AND proxy | status, action, http_method, http_content_type, http_user_agent | |
| Top Source/Destination | web AND proxy | src, dest, bytes_in, bytes_out | |
### Proxy Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | web AND proxy | bytes_in, bytes_out, action, status, src, dest, http_content_type, http_method, http_referrer, http_user_agent, url, user | |
### Network Changes

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Network Changes by Action | network AND modify | dvc, action, user, command | |
| Network Changes by Device | network AND modify | dvc | |
| Recent Network Changes | network AND modify | | |
### Port & Protocol Tracker

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| First Time Port Activity | network AND communicate | dvc, transport, dest_port | The action field value must be "allowed" (action=allowed) and dest_port must be greater than 0 |
| Port Activity by Status | network AND communicate | transport, dest_port | The action field value must be "allowed" (action=allowed) and dest_port must be greater than 0 |
| Port Status by Time | network AND communicate | transport, dest_port | The action field value must be "allowed" (action=allowed) and dest_port must be greater than 0 |
## Identity

Identity correlation includes views that summarize the asset and identity lists and network sessions (DHCP, VPN).

### Asset Center

The Asset Center contents are based upon the asset list lookup file.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Assets by Priority | | priority | |
| Assets by Business Unit | | bunit | |
| Assets by Category | | category | |
| Asset Information | | | |
### Identity Center

The Identity Center contents are based upon the identity list lookup file.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Identities by Priority | | priority | |
| Identities by Business Unit | | bunit | |
| Identities by Category | | category | |
| Identities | | | |
### Asset and Identity Search

The Asset and Identity Search dashboard is a timeline that uses information from the asset and identity lists.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | | | |
### Session Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Sessions Over Time | network AND session (start OR end) | key, ip, mac, nt_host, dns, user, startTime, endTime | |
| Sessions Length Distribution | network AND session (start OR end) | key, ip, mac, nt_host, dns, user, startTime, endTime | |
| Sessions | network AND session (start OR end) | ip, mac, nt_host, dns, user, startTime, endTime | |
## Audit

### Incident Review Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Review Activity by Reviewer over Time | default OR privileged | | |
| Notable Events by Status | default OR privileged | | |
| Top Reviewers | default OR privileged | | |
| Recent Review Activity | default OR privileged | | |
### Suppression Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Currently Suppressed Events (Last 24 hours) | | | |
| Suppressed Notable Event History | | | |
| Suppression Management Activity | | | |
| Expired Suppressions | | | |
### Forwarder Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Host Event Count over Time | | _time, app, view, user, host | |
| Hosts Not Reporting | | host, user | |
| Splunkd Resource Utilization | | _time, host | |
| Splunkd Anomalous StartMode | anomalous, avail, check, default, os, privileged, process, report, should_timesync, should_update | | |
### Search Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Search Activity by Type | default OR privileged | | |
| Search Activity by user | | user | |
| Search Activity by Expense | | user | |
### TSIDX Audit

The TSIDX Audit dashboard is populated by information in the namespaces located in $SPLUNK_DB/tsidxstats.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Top TSIDX namespace by count | | tsidx_namespace | |
| Top TSIDX namespace by file_size | | tsidx_namespace, file_size | |
| TSIDX namespaces | | tsidx_namespace, splunk_server, earliest, latest, file_size | |
### View Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Splunk App for Enterprise Security View Activity | | | |
| Expanded View Activity | privileged OR default | | |
| Expected View Scorecard | | | |
| Recent Web Service Errors | | | |
### Data Protection

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Data Protection | | | |
| Protecting Correlated Events with Event Hashing | | | |
| Tampered Correlated Events | | | |
| Protecting Event Data with IT Data Signing | | | |
| Verifying Data Integrity Using IT Data Signing | | id, date, _time, ip_address, host_name, MAC_address | |
| Protecting Splunk's Audit Data with Audit Signing | | | |
| Verifying Splunk's Audit Data | | gap, validity | |