Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Search View matrix

This page is currently a work in progress; expect frequent near-term updates.

This topic includes information on the Splunk for Enterprise Security correlation searches associated with the dashboards, along with support and correlation searches that generate notable events but are not directly used by dashboards.

Correlation search thresholds

The following table lists the correlation searches with adjustable thresholds:

| Correlation search | Description | Default |
|---|---|---|
| Endpoint - Active Unremediated Malware Infection | Number of days that the device was unable to clean the infection | 3 |
| Endpoint - Anomalous New Services | Number of new services | 9 |
| Endpoint - Anomalous New Processes | Number of new processes | 9 |
| Endpoint - Anomalous User Account Creation | Number of new processes in a 24 hr period | 3 |
| Access - Brute Force Access Behavior Detected | Number of failures | 6 |
| Access - Excessive Failed Logins | Number of authentication attempts | 6 |
| Endpoint - High Number of Infected Hosts | Number of infected hosts | 100 |
| Endpoint - Host with Excessive Number of Listening Ports | Number of listening ports | 20 |
| Endpoint - Host with Excessive Number of Processes | Number of running processes | 200 |
| Endpoint - Host with Excessive Number of Services | Number of running services | 100 |
| Endpoint - Host with Multiple Infections | Total number of infections per host | > 1 |
| Endpoint - Old Malware Infection | Number of days host had infection | 30 days |
| Endpoint - Recurring Malware Infection | Number of days that the device was re-infected | 3 days |
| Network - Substantial Increase in an Event | Number of events (self-baselines based on average) | 3 St Dev. |
| Network - Substantial Increase in Port Activity (by destination) | Number of targets (self-baselines based on average) | 3 St Dev. |
| Network - Vulnerability Scanner Detection (by event) | Number of unique events | 25 |
| Network - Vulnerability Scanner Detection (by targets) | Number of unique targets | 25 |

Visible searches

These searches support dashboard panels in the user interface.

You cannot disable the Security Posture, Incident Review, or Auditing dashboards using Configure > Domains and Dashboards.

Security Posture & Incident Review dashboards

search / dashboard security posture incident review access center correlation search support
ESS - Notable Events X X X

Access Protection dashboards

search \ dashboard access center access search access tracker account management default accounts correlation search support
Access - All Authentication - Base X X X X X
Access - All Account Management - TSIDX Gen X
Endpoint - User Account Tracker - TSIDX Gen X X


Network Protection dashboards

search \ dashboard ids center ids search network changes port protocol tracker proxy center proxy search traffic center traffic search vuln center vuln operations vuln profiler correlation search support
Network - All IDS Attacks - Base X X
Network - All Communication X
Network - All Communication - Base X X
Network - All Proxy X
Network - All Proxy - TSIDX Gen X X X
Network - Vulnerability Tracker - TSIDX Gen X X X X

Identity Management dashboards

search \ dashboard asset center identity center session center correlation search support
Identity - Session Start - TSIDX Gen X
Identity - Session End - TSIDX Gen X


Resources dashboards

search \ dashboard event geography incident review access center correlation search support
ESS - Notable Events by Geography - Base X

Background searches

These are support searches and correlation searches that generate notable events, and are not directly used by dashboards.

  • Access - Insecure Or Cleartext Authentication - Rule
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Inactive Account Usage - Rule
  • Access - Default Account Usage - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Default Accounts At Rest - Rule
  • Access - Completely Inactive Account - Rule
  • Access - Cleartext Password At Rest - Rule
  • Access - High or Critical Priority Individual Logging into Infected Machine - Rule
  • Audit - Anomalous Audit Trail Activity Detected - Rule
  • Audit - Expected Host Not Reporting - Rule
  • Audit - Personally Identifiable Information Detection - Rule
  • Endpoint - Old Malware Infection - Rule
  • Endpoint - Outbreak Observed - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
  • Endpoint - Recurring Malware Infection - Rule
  • Endpoint - Should Timesync Host Not Syncing - Rule
  • Endpoint - Anomalous New Listening Port - Rule
  • Endpoint - Anomalous New Processes - Rule
  • Endpoint - Anomalous New Services - Rule
  • Endpoint - Anomalous User Account Creation - Rule
  • Endpoint - High Number Of Infected Hosts - Rule
  • Endpoint - High Or Critical Priority Host With Malware - Rule
  • Endpoint - High Number of Hosts With Infection - Rule
  • Endpoint - Host Sending Excessive Email - Rule
  • Endpoint - Host With Excessive Number Of Listening Ports - Rule
  • Endpoint - Host With Excessive Number Of Processes - Rule
  • Endpoint - Host With Excessive Number Of Services - Rule
  • Endpoint - Host With Multiple Infections - Rule
  • Identity - Make Categories - TSIDX Gen
  • Identity - Activity from Expired User Identity - Rule
  • Network - Policy Or Configuration Change - Rule
  • Network - RapidShare Activity - Rule
  • Network - SANS Block List Activity - Rule
  • Network - Source And Destination - TSIDX Gen
  • Network - Spyware Activity - Rule
  • Network - Substantial Increase in Port Activity (By Destination) - Rule
  • Network - Substantial Increase in an Event - Rule
  • Network - Tor Router Activity - Rule
  • Network - Unapproved Port Activity Detected - Rule
  • Network - Unroutable Host Activity - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule
  • Network - Attack Volume - TSIDX Gen
  • Network - High Volume of Traffic from High or Critical Host - Rule
  • Network - Internet Proxy Server Activity - Rule
  • Network - Known Web Attacker Activity - Rule
  • Network - LogMeIn Activity - Rule
  • Network - PirateBay Activity - Rule
  • Threat - Watchlisted Events - Rule
Last modified on 17 April, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

