Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Identity dashboards

The Identity domain correlates host information to assets and provides additional information about the source and targets of events. The concepts of Identity correlation and Asset management are treated similarly in the Splunk App for Enterprise Security. For a thorough background in the use of Asset records and Identity records, see the section on Asset management.

For Asset Center, clicking on "ip", "nt_host", "mac", or "dns" will take you to the Asset Investigator dashboard. Clicking on "owner" will take you to the Identity Investigator dashboard. Clicking on anything else takes you to the Search dashboard.

For Identity Center, clicking on an "identity" value will take you to the Identity Investigator dashboard. Clicking on anything else (for example, priority=critical) will take you to the Search page.

If asset_investigator and/or identity_investigator are not present on the system, the drill down takes you to the Search dashboard.

Asset Center dashboard

The Asset Center provides a way to review and search the asset list. To use this dashboard, an asset list must be created - a list of hosts, IP addresses, and subnets within the organization, along with information about each asset. The asset list provides information about the source and destination of events and is used to determine asset properties such as asset location and the urgency of notable events.

Es-AssetCenterDashboard24.png

Clicking on chart elements or table rows on this page displays the raw events that are generating the items represented. See dashboard drilldown for more information.

The following table describes the panels for this dashboard.

Panel Description
Dashboard filters Restricts the view on the current dashboard to assets that match the selected criteria. Selections apply to the current dashboard only. See descriptions of the standard filter options. The following domain-specific options are available:
  • String Search: restricts the view to assets with matching text in the dns, nt_host, ip, or mac fields. Use an asterisk to match zero or more characters.
  • Range Search: restricts the view to the most specific asset/range that matches the given information. This performs the same type of search that Enterprise Security uses to associate assets with events. See "Assets list" in the Splunk App for Enterprise Security Installation and Configuration Manual for more information.
    Note: This only returns the most specific asset and therefore will only return one result.
  • City: limits the search to assets within the selected city
  • Priority: limits the search to assets within the selected priority
Assets by Priority Shows the relative number of assets by priority and helps identify how the asset priorities are distributed. Generally, it is a good idea to designate fewer hosts as critical priority with progressively more hosts within the lower priorities.
Assets by Business Unit Shows the relative number of assets by business unit and helps identify how the assets are distributed.
Assets by Category Shows the relative number of assets by category and helps identify how the assets are distributed.
Asset Information Shows all assets that match the current dashboard filter.

Note: Text values in search fields must be lowercase text.

Using string and range IP address searches

The Asset Center provides two types of IP address searches, to support differentiation between individual machine records and descriptive range records. String searches are useful for hostname and wildcard searches, such as listing systems that are in private RFC1918 network ranges. Range searches are useful for finding a specific and complete IP address, even if that address is not explicitly listed.

For example, these three records from the sample data can be used (trimmed for length):

nt_host,ip,priority - asset table lookup headers for sample data

,192.168.15.8-192.168.15.10,medium
acmefileserver,192.168.15.9-192.168.15.9,low
,192.168.15.9-192.169.15.27,high
  • A string search for "192.168.15.*" will return all three records, because the string "192.168.15." can be found in all three ip fields.
  • A range search for "192.168.15.*" will return nothing, because the wildcard has no numeric value.
  • A string search for "192.168.15.9" will return nothing, because there is no individual record with that address (even though the address is matched by two ranges).
  • A range search for "192.168.15.9" will return "acmefileserver,192.168.15.9-192.168.15.9,low" because it is the most specific matching record
  • A string search for "192.168.15.10" will return nothing, because there is no individual record with that address (even though the address is matched by two ranges).
  • A range search for "192.168.15.10" will return ",192.168.15.8-192.168.15.10,medium" because it is the most specific matching record
  • A string search for "acmefileserver" will return "acmefileserver,192.168.15.9-192.168.15.9,low" because the nt_host field matches exactly.

Range searches can be used for textual strings as well, but this is not recommended. For instance, a range search for "acmefileserver" will return "acmefileserver,low" because it is the most specific matching record to that hostname. The IP address 192.168.15.9 is omitted from the returned result though, which can be confusing.

Identity Center dashboard

The Identity Center dashboard provides information about all of the identities associated with this instance of the Splunk App for Enterprise Security.

The Identity Center provides a way to review and search the identity list. To use this dashboard, an identity list (or table) must be created - a list of account names, legal names, nicknames, alternate names, and phone numbers within the organization. The identity list provides contact information for individuals involved in events and is used to determine asset properties such as owner and user.

Click on the magnifying glass (Es-magnifying glass.png) to see the identities currently associated with the instance.

Es-IC blank search.png

Panel Description
User name
Priority Select priority (unknown, low, medium, high, critical) from drop-down list
Business unit Enter text by key=name pairs (for example, bunit=americas)
Category Select from drop-down list
Search Search by key=name pairs (for example, priority=critical)

Note: Text values in the filter fields must be lowercase text. To see only identities tagged as "watchlist" in the Identities list, click "Watchlisted identities only".

For more detail,click on an identity in the Identities list in this dashboard.

Es-IC Identities.png

And the name is populated in the Assets and Identities Search dashboard.

Es-Asset Identities from Identities.png

Using the filters (and search) it is possible to drill down for more information.

The filter for the Identity Center dashboard uses a search that is operating on an identity table, not events. The search needs key=value pairs to be specified in this filter to work correctly, not text.

Example key=value pairs:

  email=*acmetech.com
  nick=anickname
  bunit=americas

Here is an example of how these key=value pairs would be used with search:

Es-IC dashboard search.png

Session Center dashboard

The Session Center dashboard provides an overview of network sessions. Network sessions are used to correlate network activity to a user using session data provided by DHCP or VPN servers, for example. Use the Session Center to review the session logs and identify the user or machine associated with an IP address used during a session.

Es-SessionCenterDashboard22.png

The Session Center can also help identify anomalous activity such as excessively long sessions. The drill-down option is not available from this dashboard. Configure new data inputs through the Splunk Settings menu or search for particular traffic events directly through Incident Review.

The following table describes the panels for this dashboard.

Panel Description
Dashboard filters Restricts the view on the current dashboard to sessions that contain the search string.
Longest Sessions Lists excessively long network sessions. Long sessions may indicate insecure network usage. For example, some employees may establish and maintain a VPN session from their home network to the company network continuously. A continuous network session increases the chance that a security problem on the employee's network could impact the company by allowing an attacker to use the VPN connection to compromise additional systems.
Most Recent Sessions Lists the network sessions that have been most recently opened, based on the session start time. This panel shows details associated with each recently opened session, such as the user, MAC address, IP address, NT host name and DNS name.

Note: Text values in search fields must be lowercase text.

Last modified on 28 December, 2013
PREVIOUS
More Network dashboards
  NEXT
Audit dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters