Splunk® Enterprise Security

Data Source Integration Manual

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Dashboard requirements matrix

This page is currently a work in progress; expect frequent near-term updates.

In order to be displayed in the Enterprise Security dashboards, data must conform to the requirements specified in these tables. The tags, fields, and source types required by each dashboard and panel are shown. When certain fields are omitted, they are automatically replaced with default values (such as unknown). The rest of the data must still meet the source type and tag requirements for the dashboards.

Note: Tags listed in the "Tags" column are combined with AND unless another operator is explicitly shown.
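The tag and field rules above, as an added example (not Splunk code): a small Python checker that evaluates a Tags-column expression against an event's tags and lists the required fields that are absent and would therefore display as unknown. The function names, the sample event, and the AND-before-OR precedence are assumptions; the tag expression and field list are copied from the Account Management table on this page.

```python
import re

# Requirement row copied from the "Account Management" table on this page.
PANEL_TAGS = "account AND (management OR lockout)"
PANEL_FIELDS = "signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user".split(", ")
# Constructed sample event (not from the page): a lockout with no domain fields.
SAMPLE = {"signature": "account locked out", "src": "10.0.0.5", "dest": "dc01", "user": "jdoe"}

def tags_match(expr, tags):
    """Evaluate a Tags-column expression against one event's tag set.
    Assumption: AND binds tighter than OR; adjacent terms are ANDed."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0
    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("incomplete expression: " + expr)
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok in tags
        value = either()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses: " + expr)
        pos += 1
        return value
    def both():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] not in ("OR", ")"):
            if tokens[pos] == "AND":
                pos += 1
            value = term() and value   # term() first so its token is consumed
        return value
    def either():
        nonlocal pos
        value = both()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            value = both() or value    # both() first so its tokens are consumed
        return value
    result = either()
    if pos != len(tokens):
        raise ValueError("unexpected token: " + expr)
    return result

def check_event(event, tags, expr=PANEL_TAGS, fields=PANEL_FIELDS):
    """Return (meets_tag_requirement, fields that would show as 'unknown')."""
    return tags_match(expr, set(tags)), [f for f in fields if not event.get(f)]
```

Running `check_event(SAMPLE, ["account", "lockout"])` shows the event qualifies for the panel but three of its seven fields would be reported as unknown, which is the kind of gap to close in the add-on's field extractions.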

Access Protection

Access Protection provides information about authentication attempts and access-control related events (login, logout, access allowed, access failure, use of default accounts, and so on).

Access Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Access Over Time | authentication | action, app, src, src_user, dest, user | |
| Notable Access Events | notable | action, app, src, src_user, dest, user | |
| Top Access | authentication | action, app, src, src_user, dest, user | |
| Unique Access | authentication | action, app, src, src_user, dest, user | |

Access Tracker

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| First Time Account Access | authentication | action, app, src, src_user, dest, user | success (action=success) |
| Inactive Account Usage | authentication | action, app, src, src_user, dest, user | The action field must be success (action=success) |
| Completely Inactive Accounts | authentication | action, app, src, src_user, dest, user | The local field must be true (local=true) |
| Account Usage for Expired Identities | authentication | user, dest | |

Access Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | authentication | action, app, src, src_user, dest, user | |

Account Management

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Management Events by Time | account AND (management OR lockout) | signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user | |
| Account Lockouts | account AND (management OR lockout) | signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user | |
| Account Management by Source User | account AND (management OR lockout) | src_user | |
| Top Account Management Events | account AND (management OR lockout) | signature | |
| Recent Account Management | account AND (management OR lockout) | | |

Default Account Activity

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Default Account Usage by Time | account AND (default OR privileged) | action, app, src, src_user, dest, user, bunit, category | The action field must be "success" (action=success) |
| Default Accounts in Use | account AND (default OR privileged) | user, user_category, dest_count | |
| Default Local Accounts | account AND local AND (default OR privileged) | user, user_category, dest_count | |

Endpoint Protection

Endpoint Protection includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, and so on), system update history (which updates have been applied), and time synchronization information.

Malware Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Malware Activity Over Time | malware AND attack | action | |
| Top Infections | malware AND attack | action, signature, dest | |
| Malware Activity by Domain | malware AND attack | action, dest_nt_domain | |
| Key Malware Statistics | malware AND attack | action, signature, dest, dest_nt_domain, vendor_product | |
| First Time Infections | malware AND attack | action, signature, dest | |
| Recent Malware | malware AND attack | | |

Malware Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | malware AND attack | action, signature, dest, src, dest_nt_domain, user, file_name, file_path, file_hash | |

Malware Operations

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Average Infection Length by Time | malware AND attack | action | |
| Anomalous Malware Infections | malware AND attack | dest, signature | |
| Malware Client Distribution | endpoint AND application AND report AND version | dest, product_version, signature_version | |
| Malware Signature Update Tracking | endpoint AND application AND report AND version | dest, product_version | |
| Endpoint Application Errors | endpoint AND application AND error | | |

System Center

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Operating Systems | | os AND report AND version AND listening port | os | |
| Resource Utilization (cpu time) | *:CPUTime | os AND report AND version AND listening port | PercentSystemTime, PercentUserTime | |
| Resource Utilization (memory) | *:Memory | os AND report AND version AND listening port | UsedBytes, FreeMBytes, TotalMBytes | |
| Resource Utilization (disk) | *:FreeDiskSpace | os AND report AND version AND listening port | FreeMegabytes, PercentFreeSpace, TotalMBytes, UsedMBytes | |
| System Uptime | *:Uptime | os AND report AND version AND listening port | SystemUpTime | |
| System Configurations (SSHD Config) | *:SSHDConfig | os AND report AND version AND listening port | dest, sshd_protocol | |
| System Configurations (SE Linux config) | *:SELinuxConfig | os AND report AND version AND listening port | dest, selinux | |
| Processes/Services (processes) | *:LocalProcesses | os AND report AND version AND listening port | app | |
| Processes/Services (services) | *:Service | os AND report AND version AND listening port | app | |
| Ports/Users (ports) | *:UserAccounts | os AND report AND version AND listening port | transport, dest, dest_port, user | |

Time Center

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Systems Not Time Synching | | time AND synchronize AND failure | dest | |
| Indexing Time Delay | | time AND synchronize AND failure | host, should_time_sync | |
| NTP Anomalous StartMode | *:Service | time AND synchronize AND failure | StartMode | |
| Recent Time Synchronization Failure | | time AND synchronize AND failure | | |

Endpoint Changes

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Endpoint Changes by Action | fs_notification OR WinRegistry | | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Endpoint Changes by Type | fs_notification OR WinRegistry | | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Top Changes by System | fs_notification OR WinRegistry | | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Recent Endpoint Changes | fs_notification OR WinRegistry | | | |

Patch / Update Center

| Panel | Source type | Tags | Fields | Notes |
| --- | --- | --- | --- | --- |
| Updates by Status | | os AND update AND status | status AND (HotFixID OR package) | |
| Systems Not Updating | | os AND update AND status | status AND (HotFixID OR package) | |
| Automatic Update Anomalous StartMode | *:Service | os AND update AND status | dest, app, start_mode | |
| Anomalous System Uptime | *:Uptime | os AND update AND status | SystemUpTime, should_update, dest | |
| Recent Update Errors | | os AND update AND status | | |
| Successful Updates | | os AND update AND status | status AND (HotFixID OR package) | |

Patch / Update Profiler

Panel Source type Tags Fields Notes
Patches / Updates os AND update AND status(HotFixID OR package) dest, app, signature, status

Network Protection

Network Protection includes information about network traffic provided from devices such as firewalls, routers, and network-based intrusion detection systems.

Traffic Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Network Traffic Over Time | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port | |
| Top Network Traffic | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port | |
| Network Scanning Activity (port scanners) | network AND communicate | dest_port, src | |
| Network Scanning Activity (system scanners) | network AND communicate | dest, src | |

Traffic Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port, vendor, product | |

Intrusion Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| IDS Activity by Category/Severity | ids AND attack | category, severity | |
| IDS Scanning Activity | ids AND attack | signature, src | |
| IDS Activity Over Time | ids AND attack | dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application | is_network, is_wireless, is_host, is_application are derived by ES and do not need to be extracted |
| Top Attacks | ids AND attack | dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application | is_network, is_wireless, is_host, is_application are derived by ES and do not need to be extracted |
| First Time Attacks | ids AND attack | signature, dest | |

Intrusion Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | ids AND attack | category, dest, dest_port, dvc, severity, signature, src, src_port, user, vendor_product | |

Vulnerability Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Top Vulnerabilities | vulnerability AND report | signature | |
| Most Vulnerable Hosts | vulnerability AND report | signature, severity | |
| Vulnerabilities by Category/Severity | vulnerability AND report | category, severity, signature, dest | |
| First Time Vulnerabilities | vulnerability AND report | category, severity, signature, dest | |

Vulnerability Operations

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Vulnerability Scan Activity | vulnerability AND dvc AND report | severity, business unit, category, time | |
| Vulnerabilities by Age | vulnerability AND dvc AND report | signature, dest | |
| Delinquent Scanning | vulnerability AND dvc AND report | category, severity, signature, dest, os | |

Vulnerability Profiler

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Vulnerability Profiler | vulnerability | category, severity, signature, cve, dest | |

Web Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Proxy Events | web AND proxy | status, action, http_method, http_content_type, http_user_agent, src, dest | Proxy Events (note that the client machine is the dest and the server is the src) |
| Events Over Time By Method | web AND proxy | status, action, http_method, http_content_type, http_user_agent | Proxy Events Over Time |
| Events Over Time By Status | web AND proxy | status, action, http_method, http_content_type, http_user_agent | Proxy Events Over Time |
| Top Source/Destination | web AND proxy | src, dest, bytes_in, bytes_out | Top Source/Destination |

Proxy Search

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | web AND proxy | bytes_in, bytes_out, action, status, src, dest, http_content_type, http_method, http_referrer, http_user_agent, url, user | |

Network Changes

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Network Changes by Action | network AND change | dvc, action, user, command | |
| Network Changes by Device | network AND change | dvc, action, user, command | |
| Recent Network Changes | network AND change | dvc, action, user, command | |

Port & Protocol Tracker

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| First Time Port Activity | network AND communicate | dvc, transport, dest_port | The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0 |
| Port Activity by Status | network AND communicate | transport, dest_port | The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0 |
| Port Status by Time | network AND communicate | transport, dest_port | The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0 |

Identity

Identity correlation includes views that summarize the asset and identity lists and network sessions (DHCP, VPN).

Asset Center

The Asset Center contents are based on the asset list lookup files (for example assets.csv).

Identity Center

The Identity Center contents are based upon the identity list lookup files (for example identities.csv).

Asset and Identity Search

The Asset and Identity Search dashboard is a timeline that uses information from the various asset and identity lists.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| timeline | | Fields are from the asset and identity files | Data comes from the available asset and identity lists (like assets.csv and identities.csv) |

Session Center

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Sessions Over Time | network AND session (start OR end) | key, ip, mac, nt_host, dns, user, startTime, endTime | |
| Sessions Length Distribution | network AND session (start OR end) | key, ip, mac, nt_host, dns, user, startTime, endTime | |
| Sessions | network AND session (start OR end) | ip, mac, nt_host, dns, user, startTime, endTime | |

Audit

Incident Review Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Review Activity by Reviewer over Time | default OR privileged | app, view, user | |
| Notable Events by Status | default OR privileged | app, view, user | |
| Top Reviewers | default OR privileged | app, view, user | |
| Recent Review Activity | default OR privileged | app, view, user | |

Suppression Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Currently Suppressed Events (Last 24 hours) | action AND status AND user | rule_id, source, suppression, urgency | |
| Suppressed Notable Event History | action AND status AND user | rule_id, source, suppression, urgency | |
| Suppression Management Activity | action AND status AND user | rule_id, source, suppression, urgency | |
| Expired Suppressions | action AND status AND user | rule_id, source, suppression, urgency | |

Forwarder Audit

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Host Event Count over Time | host AND app | _time, app, view, user, host | |
| Hosts Not Reporting | host AND app | host, user | |
| Splunkd Resource Utilization | host AND app | _time, host | |
| Splunkd Anomalous StartMode | host AND app | anomalous, avail, check, default, os, privileged, process, report, should_timesync, should_update | |

Search Audit

The Search Audit dashboard uses audit data, collected automatically from the audit index during normal operation (base search: index=_audit).

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Search Activity by Type | | action, app, src, src_user, dest, user | uses the `search_activity` search macro |
| Search Activity by user | | action, app, src, src_user, dest, user | uses the `search_activity` search macro |
| Search Activity by Expense | | action, app, src, src_user, dest, user | uses the `search_activity` search macro |

TSIDX Audit

The TSIDX Audit dashboard is populated by data from the custom REST handler, which reports on TSIDX namespace size and retention intervals (base search: | `tsidx_rest`).

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Top TSIDX namespace by count | | tsidx_namespace, count | uses `tsidx_rest` search macro |
| Top TSIDX namespace by file_size | | tsidx_namespace, file_size | uses `tsidx_rest` search macro |
| TSIDX namespaces | | tsidx_namespace, splunk_server, earliest, latest, file_size | uses `tsidx_rest` search macro |

View Audit

The View Audit dashboard shows audit data related to view activity. It is used to verify that a particular view has been visited, typically to satisfy governance requirements dictating that certain logs or reports must be reviewed on a regular basis (base search: | `expected_views(<app name>)`). Some panels require populating the expected_views.csv lookup.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Splunk App for Enterprise Security View Activity | is_expected | action, app, src, src_user, dest, user | expected_views.csv needs to be populated |
| Expanded View Activity | is_expected AND privileged OR default | action, app, src, src_user, dest, user | expected_views.csv needs to be populated |
| Expected View Scorecard | is_expected | action, app, src, src_user, dest, user | expected_views.csv needs to be populated |
| Recent Web Service Errors | web AND error | action, app, src, src_user, dest, user | |

Data Protection

The Data Protection dashboard shows various data related to data integrity settings. Several base searches access REST handlers, notable events, and data in the _audit index.

| Panel | Tags | Fields | Notes |
| --- | --- | --- | --- |
| Data Protection | N/A | N/A | descriptive panel |
| Protecting Correlated Events with Event Hashing | N/A | N/A | descriptive panel |
| Tampered Correlated Events | decorated | action, app, src, src_user, dest, user | uses "tstats" from sa_notables |
| Protecting Event Data with IT Data Signing | | range, label | uses `audit_rest` search macro |
| Verifying Data Integrity Using IT Data Signing | | id, date, _time, ip_address, host_name, MAC_address | uses `index_settings` search macro |
| Protecting Splunk's Audit Data with Audit Signing | | range, label | uses `audit_rest` search macro |
| Verifying Splunk's Audit Data | | gap, validity, count | uses `audit_validation` search macro |
| Anonymizing Sensitive Data | N/A | N/A | descriptive panel |
| Detecting Sensitive Data | | count, range | uses `notable("Audit - Personally Identifiable Information Detection - Rule")` search macro |

Last modified on 17 December, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

