Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Domain dashboards

This page is currently a work in progress; expect frequent near-term updates.

Common dashboard features

The domain dashboards include a number of features that are common to many of the dashboards.

Note: Dashboard filters may not apply to all panels within a dashboard.

Dashboard filters

Many dashboards have a filter bar to restrict the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only; they do not affect other dashboards in Enterprise Security. The following is a typical filter bar.

Es-dashboardFiltersBar.png

To use the filter, make your selections and/or enter the desired text, then click the magnifying glass (Es-magnifying glass.png) to run the search. For instance, many dashboards support selection of Business Unit or Category, which allows security managers and analysts to compare posture and patterns between different organizational units.

Filter Description
Action Filter based on the status of the action; choices depend on the context:

When status is related to the action's source:
success The source of the action successfully completed the action (for example, successfully authenticated to the destination device)
failure The source of the action did not successfully complete the action (for example, failed to authenticate to the destination device)

When an action is subject to a device, such as a firewall, that controls the activity of other objects or users:
allowed The device allowed the action
blocked The device blocked the action

When the action is subject to an anti-virus client:
allowed The malicious executable was allowed to exist.
blocked The malicious executable was prevented from performing the action.
deferred The malicious executable could not be fully remediated but will be remediated at a future time. This is common when a file cannot be cleaned until the system is rebooted, causing it to be deferred until the next reboot cycle.

Business Unit Filter based on the business unit of the host. Enter the text string to match the business unit. Use the asterisk (*) wildcard to match any number of characters. For example, a* matches america and asia. Match is case-insensitive; all text values must be lowercase.

Note: Business Unit is a free form field implemented using the Splunk for Enterprise Security asset list and identities list. To use this filter, the asset list must be configured for the deployment. See the Enterprise Security Installation and Configuration Manual for more information.

Category Filter based on the categories to which the host belongs. It is possible to filter on multiple categories by selecting each category to include.

Ess-categorizedAssetsDropdown.png
Note: To use this filter, the Splunk App for Enterprise Security category list and asset list must set up for the deployment. It can be any set of chosen categories. Common examples are compliance and security standards governing the asset (such as PCI), or functional categories (such as server, domain_controller, and so on.). See the Enterprise Security Installation and Configuration Manual for more information.

Time range picker Filter by time range. Select the time range from the drop-down or click Custom time to specify a start and end time.

Dashboard drill down

Use the alerts and charts on the Enterprise Security dashboards to drill down into the underlying events by clicking on a point or segment on a chart or a row in a table. Each domain also includes a custom search dashboard to help search for events related to that domain.

Enterprise Security uses the Splunk drill down feature to see the details behind the tables and charts in dashboards.

View full results

The View full results link at the bottom of a panel displays the Search dashboard. Use this to search for the underlying events that are aggregated on the panel.

To use this link:

1. Go to the panel displaying the events of interest.

2. Click View full results at the bottom of the panel.

Drill-down from charts

To use data drill-down on charts, click on a segment or point on a chart to view the related events - in this case, events that match the underlying search for the panel and also match the field value clicked. For example, for Malware Activity by Domain, click on a domain in the chart and a search window is displayed with a search for all malware activity in that domain.

To use data drill-down from a chart:

1. Navigate to the chart containing the events.

Es-dashboard chart1.png

Es-dashboard chart2.png

Es-dashboard chart3.png

2. Click on a segment, bar, or point on the chart. Drill-down displays a domain-specific search dashboard, the general search dashboard, or shows a second panel underneath the first.

Es-dashboardcharts2ndpanel2.png

Es-dashboardcharts2ndpanel3.png

Es-dashboardcharts2ndpanel1.png

3. In some cases, drill-down displays a second panel underneath the first. In this case, it is possible to drill down further by clicking on a row and/or column as described in the next section.

Es-2ndLevelDrilldown.png

Drill-down from tables

Click on a segment or point on a table to view the related events:

1. Navigate to the table containing the events.

Ess-DrilldownTable.png

2. Click on a row in the table. Drill-down displays a domain-specific search dashboard, the general search dashboard, or shows a second panel underneath the first.

Ess-selectedRowDrilldown.png

For some tables, drill-down can select two related items for the search. For example, in the following table, "Account Management Details for User Administrator", clicking administrator at the beginning of the row shows all events where the src_user is administrator. Clicking 2003DOMAIN in a row that begins with administrator shows all events where the src_user is administrator and the dest_nt_domain is 2003DOMAIN.

Ess-drilldown2items.png

3. If drill-down displays a second table underneath the first, drill down further by clicking on a row and/or column.

4. In other cases, drill-down displays a chart showing the results for the selection.

Ess-drilldownResultsChart.png

Last modified on 10 December, 2013
PREVIOUS
Advanced Threat dashboards 		  NEXT
Access dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters