Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Security Posture dashboard

The Security Posture dashboard is the home screen for the Splunk App for Enterprise Security, designed to provide high-level insight into the notable events across all domains in your deployment, suitable for display in a Security Operations Center (SOC). This dashboard shows all events from the past 24 hours, along with the trends over the past 24 hours, and auto-updates in real time providing real-time information on events.

Es-SecurityPostureDashboard 3.0.png

Key indicators

Key indicators at the top of the dashboard display selected notable events for your deployment over the past 24 hours. The current total count of events, the trend of events, and the total increase or decrease in numbers are shown.

Dashboard panels

The following table describes the panels for this dashboard. Drill-down is available for graphs and tables. See "dashboard drill-down" for more information.

Panel Description
Notable Events by Security Domain Displays the total number of notable events for each domain and supporting applications. The key indicators provide an overview of the notable events for that domain.
Configure severity levels by going to Configure > App Settings > Configure Rangemaps. See the Installation and Configuration Manual for more information.
Notable Events by Urgency Gives a holistic view of notable events.
  • Notable Events by Urgency uses an urgency calculation based on the priority assigned to the asset and the severity assigned to the correlation search. The urgency helps assess the true importance of an issue.

Identity priorities can also be monitored through this dashboard.
Note: Configure asset priorities using the asset list; configure identity priorities using the identity list. If no priority is available for an asset or identity, a priority of "unknown" is used. See the Installation and Configuration Manual for more information.)
Click on an area in the chart to open an Incident Review dashboard showing all notable events with that urgency in the past 24 hours.

Notable Events by Time Gives a holistic view of notable events.
  • Notable Events by Time: Shows a standard time line of when events occurred. Use this to detect spikes in activity. Click on a time on the chart to show an Incident Review dashboard showing all notable events in the selected minute.
Notable Events by Count Events organized by number of events (most to least)
Top Notable Events by Source / Destination Events organized by source / destination (most to least)
Last modified on 07 February, 2014
PREVIOUS
Enterprise Security Home
  NEXT
Incident Review dashboard

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters