Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Reports

Use these reports to create panels for your custom dashboards in the Splunk App for Enterprise Security. The add-ons, domain add-ons, and supporting add-ons can be found in $SPLUNK_HOME/etc/apps.

Access Reports

These reports are part of the DA-ESS-AccessProtection domain add-on.

Access Reports
Report | Security Domain
Access - Access Over Time | Access
Access - Access Over Time by Action | Access
Access - Access Over Time by App | Access
Access - Account Usage For Expired Identities | Access
Access - Default Account Usage Over Time | Access
Access - Default Account Usage Over Time By App | Access
Access - Default Accounts in Use | Access
Access - Default Local Accounts | Access
Access - Distinct Apps | Access
Access - Distinct Destinations | Access
Access - Distinct Sources | Access
Access - Distinct Users | Access
Access - First Time Account Access | Access
Access - First Time Account Access Over Time | Access
Access - Inactive Account Usage | Access
Access - Inactive Accounts | Access
Access - Notable Access Events | Access
Access - Privileged Account Usage Over Time | Access
Access - Privileged Accounts in Use | Access
Access - Top Access By Destination | Access
Access - Top Access By Source | Access
Access - Total Access Attempts | Access
Access - Unique Access By App Count | Access
Access - Unique Access By Destination Count | Access
Access - Unique Access By User Count | Access

Application State Reports

These reports are part of the DA-ESS-EndpointProtection domain add-on.

Application State Reports
Report | Security Domain
App State - Ports by System Count | App State
App State - Processes by System Count | App State
App State - Services by System Count | App State
App State - Systems by Port Count | App State
App State - Systems by Process Count | App State
App State - Systems by Service Count | App State

Asset Reports

These reports are part of the SA-IdentityManagement supporting add-on.

Asset Reports
Report | Security Domain
Assets - Asset Information | Assets
Assets - Assets by Business Unit | Assets
Assets - Assets by Category | Assets
Assets - Assets by Priority | Assets

Audit Reports

These reports are part of the SA-AuditAndDataProtection supporting add-on.

Audit Reports
Report | Security Domain
Audit - ES View Activity Over Time | Audit
Audit - Event Count Over Time By Top 10 Hosts | Audit
Audit - Expected ES View Activity | Audit
Audit - Hosts By Last Report Time | Audit
Audit - Searches Over Time by Type | Audit
Audit - Searches Over Time by User | Audit
Audit - Splunk Service Start Mode Anomalies | Audit
Audit - Splunkd Process Utilization | Audit
Audit - Top Searches by Run Time | Audit
Audit - Web Service Errors | Audit

CIM Reports

These reports are part of the SA_CommonInformationModel supporting add-on.

CIM Reports
Report | Security Domain
CIM - Data Model Acceleration Details | CIM
CIM - Top Data Model Accelerations By Run Duration | CIM
CIM - Top Data Model Accelerations By Size | CIM

Change Reports

These reports are part of the DA-ESS-AccessProtection and DA-ESS-NetworkProtection domain add-ons.

Change Reports
Report | Security Domain
Change - Account Lockouts | Change
Change - Account Management by Source User | Change
Change - Account Management Over Time By Action | Change
Change - Endpoint Changes By Action | Change
Change - Endpoint Changes By System | Change
Change - Endpoint Changes By Type | Change
Change - Network Changes By Action | Change
Change - Network Changes By Device | Change
Change - Recent Account Management | Change
Change - Recent Endpoint Changes | Change
Change - Recent Network Changes | Change
Change - Top Account Management Events | Change

Endpoint Reports

These reports are part of the DA-ESS-EndpointProtection domain add-on.

Endpoint Reports
Report | Security Domain
Endpoint - Application Errors | Endpoint
Endpoint - SELinux Configurations By System | Endpoint
Endpoint - SSHD Configurations By System | Endpoint

IDS (Intrusion Detection Scan) Reports

These reports are part of the DA-ESS-NetworkProtection domain add-on.

IDS Reports
Report | Security Domain
IDS - Activity By Category | IDS
IDS - Activity By IDS Type | IDS
IDS - Activity By Severity | IDS
IDS - Activity Over Time | IDS
IDS - Activity Over Time By Attack | IDS
IDS - Activity Over Time By Category | IDS
IDS - Activity Over Time By Destination | IDS
IDS - Activity Over Time By Device | IDS
IDS - Activity Over Time By Severity | IDS
IDS - Activity Over Time By Source | IDS
IDS - High Severity Attacks | IDS
IDS - New Attacks | IDS
IDS - Scanning Activity (Many Attacks) | IDS
IDS - Scanning Activity (Many Systems) | IDS
IDS - Top Attacks By Attack | IDS
IDS - Top Attacks By Category | IDS
IDS - Top Attacks By Destination | IDS
IDS - Top Attacks By Device | IDS
IDS - Top Attacks By Severity | IDS
IDS - Top Attacks By Source | IDS
IDS - Unique Categories | IDS
IDS - Unique Destinations | IDS
IDS - Unique Signature Count | IDS
IDS - Unique Sources | IDS

Identities Reports

These reports are part of the SA-IdentityManagement supporting add-on.

Identities Reports
Report | Security Domain
Identities - Identities by Business Unit | Identities
Identities - Identities by Category | Identities
Identities - Identities by Priority | Identities
Identities - Identity Information | Identities

Incident Review Reports

These reports are part of the SA-ThreatIntelligence supporting add-on.

Incident Review Reports
Report | Security Domain
Incident Review - Activity by Reviewer Over Time | Incident Review
Incident Review - Notable Events by Status | Incident Review
Incident Review - Recent Review by Activity | Incident Review
Incident Review - Top Reviewers | Incident Review

Inventory Reports

These reports are part of the DA-ESS-EndpointProtection domain add-on.

Inventory Reports
Report | Security Domain
Inventory - Operating Systems By System Count | Inventory
Inventory - System By User Count | Inventory
Inventory - Users By System Count | Inventory

Malware Reports

These reports are part of the DA-ESS-EndpointProtection domain add-on.

Malware Reports
Report | Security Domain
Malware - Activity Over Time | Malware
Malware - Activity Over Time By Action | Malware
Malware - Activity Over Time By Infection | Malware
Malware - Average Infection Length | Malware
Malware - Average Infection Length Over Time | Malware
Malware - Clients By Product Version | Malware
Malware - Clients By Signature Version | Malware
Malware - Clients Not Updating Signatures | Malware
Malware - Infected System Count | Malware
Malware - Multiple Infections | Malware
Malware - New Infections | Malware
Malware - New Malware | Malware
Malware - Old Malware Infections | Malware
Malware - Oldest Infection | Malware
Malware - Oldest Infections | Malware
Malware - Percent Of Systems Infected | Malware
Malware - Repeat Infections | Malware
Malware - Systems With Anti-Malware | Malware
Malware - Top 10 Infected Domains | Malware
Malware - Top 10 Infected Systems | Malware
Malware - Top 10 Infections | Malware
Malware - Top Infected Domain | Malware
Malware - Top Infected System | Malware
Malware - Top Infection | Malware
Malware - Total Infection Count | Malware
Malware - Unique Infected Systems | Malware
Malware - Unique Infections | Malware
Malware - Unique Malware Count | Malware

Notable Events Reports

These reports are part of the SplunkEnterpriseSecuritySuite add-on.

Notable Events Reports
Report | Security Domain
Notable - Events By Urgency | Notable
Notable - Events Over Time | Notable
Notable - Events Over Time By Security Domain | Notable
Notable - Top Events | Notable
Notable - Top Notable Event Destinations | Notable
Notable - Top Notable Event Sources | Notable
Notable - Total Events By Access Domain | Notable
Notable - Total Events By Audit Domain | Notable
Notable - Total Events By Endpoint Domain | Notable
Notable - Total Events By Identity Domain | Notable
Notable - Total Events By Network Domain | Notable
Notable - Total Events By Threat Domain | Notable

Per-Panel Filtering Reports

These reports are part of the SA-Utils supporting add-on.

Per-Panel Filtering Reports
Report | Security Domain
Per-Panel Filtering - Activity By User Over Time | Per-Panel Filtering
Per-Panel Filtering - Recent Activity | Per-Panel Filtering
Per-Panel Filtering - Top Users | Per-Panel Filtering

Performance Reports

These reports are part of the DA-ESS-EndpointProtection domain add-on.

Performance Reports
Report | Security Domain
Performance - Average System Uptime | Performance
Performance - Indexing Time Delay By Host | Performance
Performance - Indexing Time Delay By Sourcetype | Performance
Performance - Maximum System Uptime | Performance
Performance - Memory Utilization By System | Performance
Performance - Minimum System Uptime | Performance
Performance - Number Of Systems Not Reporting | Performance
Performance - Number Of Systems Not Time Synchronizing | Performance
Performance - Number Of Systems With Update Anomalies | Performance
Performance - Storage Utilization By System | Performance
Performance - Systems Not Time Synching | Performance
Performance - Time Service Start Mode Anomalies | Performance
Performance - Time Synchronization Failures | Performance
Performance - Top-Average CPU Load Over Time By System | Performance
Performance - Uptime By System | Performance

Sessions Reports

These reports are part of the SA-IdentityManagement supporting add-on.

Sessions Reports
Report | Security Domain
Sessions - Network Session Details | Sessions
Sessions - Network Sessions Over Time | Sessions

Suppression Reports

These reports are part of the SA-ThreatIntelligence supporting add-on.

Suppression Reports
Report | Security Domain
Suppressions - Currently Suppressed Events Over Time | Suppressions
Suppressions - Expired Suppressions | Suppressions
Suppressions - Suppression History Over Time | Suppressions
Suppressions - Suppression Management Activity | Suppressions

Traffic Reports

These reports are part of the DA-ESS-NetworkProtection domain add-on.

Traffic Reports
Report | Security Domain
Traffic - Maximum Bytes | Traffic
Traffic - Mean Bytes | Traffic
Traffic - Minimum Bytes | Traffic
Traffic - New Port Activity | Traffic
Traffic - Prohibited Or Insecure Traffic Over Time | Traffic
Traffic - Prohibited Traffic Details | Traffic
Traffic - Scan Activity By Destination Ports | Traffic
Traffic - Scan Activity By Destinations | Traffic
Traffic - Standard Deviation Bytes | Traffic
Traffic - Threat List Communication | Traffic
Traffic - Top Traffic By Destination | Traffic
Traffic - Top Traffic By Destination Port | Traffic
Traffic - Top Traffic By Device | Traffic
Traffic - Top Traffic By Source | Traffic
Traffic - Top Traffic By Source Port | Traffic
Traffic - Top Traffic By Transport | Traffic
Traffic - Total Count | Traffic
Traffic - Traffic Over Time | Traffic
Traffic - Traffic Over Time By Action | Traffic
Traffic - Traffic Over Time By Bytes | Traffic
Traffic - Traffic Over Time By Destination | Traffic
Traffic - Traffic Over Time By Destination Port | Traffic
Traffic - Traffic Over Time By Device | Traffic
Traffic - Traffic Over Time By Source | Traffic
Traffic - Traffic Over Time By Source Port | Traffic
Traffic - Traffic Over Time By Transport Protocol | Traffic
Traffic - Traffic Size Anomalies | Traffic
Traffic - Traffic Size Anomalies Over Time | Traffic
Traffic - Unique Destinations | Traffic
Traffic - Unique Sources | Traffic

Updates Reports

These reports are part of the DA-ESS-EndpointProtection domain add-on.

Updates Reports
Report | Security Domain
Updates - Available Updates | Updates
Updates - Available Updates by System | Updates
Updates - Installed Updates | Updates
Updates - Number of Systems Not Updating | Updates
Updates - Number of Systems With Start Mode Anomalies | Updates
Updates - Systems by Last Update Time | Updates
Updates - Top Systems Needing Updates | Updates
Updates - Top Updates Needed | Updates
Updates - Update Errors | Updates
Updates - Update Service Start Mode Anomalies | Updates
Updates - Updates by Status | Updates

Utilities Reports

These reports are part of the SA-Utils supporting add-on.

Utilities Reports
Report | Security Domain
Utils - Top REST Actions | Utils
Utils - Top REST Actions By Sourcetype | Utils
Utils - Top REST Actions By Duration | Utils

Vulnerability Reports

These reports are part of the DA-ESS-NetworkProtection domain add-on.

Vulnerability Reports
Report | Security Domain
Vuln - Average Vulnerability Age | Vuln
Vuln - Average Vulns Per System | Vuln
Vuln - Delinquent Scanning | Vuln
Vuln - Most Vulnerable Hosts | Vuln
Vuln - New Vulnerabilities | Vuln
Vuln - Percentage Of Vulnerable Systems | Vuln
Vuln - Scan Activity Over Time | Vuln
Vuln - Top Vulnerabilities | Vuln
Vuln - Total Vulnerabilities | Vuln
Vuln - Vulnerabilities By Age | Vuln
Vuln - Vulnerabilities By Category | Vuln
Vuln - Vulnerabilities By Severity | Vuln
Vuln - Vulnerable System Count | Vuln

Web Reports

These reports are part of the DA-ESS-NetworkProtection domain add-on.

Web Reports
Report | Security Domain
Web - Destination Count | Web
Web - Events Over Time By Action | Web
Web - Events Over Time By Content Type | Web
Web - Events Over Time By Method | Web
Web - Events Over Time By Status | Web
Web - Events Over Time By User Agent | Web
Web - HTTP Category Count | Web
Web - HTTP Category Details | Web
Web - HTTP Category Distribution | Web
Web - HTTP Category Maximum Count | Web
Web - HTTP Category Mean Count | Web
Web - HTTP Category Minimum Count | Web
Web - HTTP Category Standard Deviation Count | Web
Web - Source Count | Web
Web - Top Destinations | Web
Web - Top Sources | Web
Web - Total Events By Action | Web
Web - Total Events By Content Type | Web
Web - Total Events By Method | Web
Web - Total Events By Status | Web
Web - Total Events By User Agent | Web
Web - URL Count | Web
Web - URL Length Anomalies | Web
Web - URL Length Anomalies Over Time | Web
Web - URL Length Over Time | Web
Web - URL Length Standard Deviation | Web
Web - URL Maximum Length | Web
Web - URL Mean Length | Web
Web - URL Minimum Length | Web
Web - User Agent Count | Web
Web - User Agent Details | Web
Web - User Agent Distribution | Web
Web - User Agent Length Standard Deviation | Web
Web - User Agent Maximum Length | Web
Web - User Agent Mean Length | Web
Web - User Agent Minimum Length | Web

Whois Reports

These reports are part of the DA-ESS-NetworkProtection domain add-on.

Whois Reports
Report | Security Domain
Whois - New Domain Activity | Whois
Whois - New Domain Activity By Age | Whois
Whois - New Domain Activity By TLD | Whois
Whois - Registration Details | Whois
Last modified on 12 December, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

