Dashboard requirements matrix
This page is currently a work in progress; expect frequent near-term updates.
In order to be displayed in the Enterprise Security dashboards, data must conform to the requirements specified in these tables. The tags, fields, and source types required by each dashboard and panel are shown. When certain fields are omitted, they are automatically replaced with default values (such as unknown). The rest of the data must still meet the source type and tag requirements for the dashboards.
Note: By default, the tags in the "Tags" column are combined with AND unless the cell specifies otherwise.
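The tag and field rules stated above, as an added example that is not part of the Splunk documentation or product: a small Python checker that parses a Tags cell (AND by default, OR and parentheses as written), evaluates it against an event's tags, reports which required fields would be defaulted to unknown, and tests a Notes constraint such as action=success. The two panel rows are copied from the matrix; the dict layout of a panel row and the sample events are constructed for this example.

```python
import re
_TOKEN = re.compile(r"\(|\)|AND|OR|[A-Za-z_]\w*")  # parentheses, the two operators, tag names
def parse_tags(expr):
    """Parse a Tags cell such as 'account AND (management OR lockout)' into nested
    ('and'|'or', left, right) tuples; adjacent terms with no operator are ANDed."""
    toks = _TOKEN.findall(expr)
    def atom():
        tok = toks.pop(0)
        if tok != "(":
            return tok
        node = or_expr()
        assert toks.pop(0) == ")", "unbalanced parentheses in " + expr
        return node
    def and_expr():
        node = atom()
        while toks and toks[0] not in (")", "OR"):
            toks[0] == "AND" and toks.pop(0)  # the AND keyword is optional (the page's default)
            node = ("and", node, atom())
        return node
    def or_expr():
        node = and_expr()
        while toks and toks[0] == "OR":
            toks.pop(0)
            node = ("or", node, and_expr())
        return node
    tree = or_expr()
    assert not toks, "trailing tokens in " + expr
    return tree
def tags_match(tree, event_tags):
    """Evaluate a parsed Tags expression against the set of tags on one event."""
    if isinstance(tree, str):
        return tree in event_tags
    op, l, r = tree[0], tags_match(tree[1], event_tags), tags_match(tree[2], event_tags)
    return (l and r) if op == "and" else (l or r)
def check_event(panel, event):
    """An empty Tags cell matches anything; absent fields default to 'unknown' (and are
    listed so the extraction can be fixed); a Notes constraint like action=success is tested."""
    tags_ok = not panel["tags"].strip() or tags_match(parse_tags(panel["tags"]), set(event.get("tags", ())))
    missing = [f for f in panel["fields"] if f not in event]
    filled = dict(event, **{f: "unknown" for f in missing})
    constraint_ok = all(filled.get(k) == v for k, v in panel.get("must", {}).items())
    return {"tags_ok": tags_ok, "defaulted": missing, "constraint_ok": constraint_ok, "displayable": tags_ok and constraint_ok}

# Constructed panel rows (values copied from the matrix) and constructed sample events.
PANELS = {"Account Lockouts": {"tags": "account AND (management OR lockout)", "fields": [
    "signature", "src", "src_nt_domain", "src_user", "dest", "dest_nt_domain", "user"]},
    "Inactive Account Usage": {"tags": "authentication", "must": {"action": "success"},
    "fields": ["action", "app", "src", "src_user", "dest", "user"]}}
LOCKOUT_EVENT = {"tags": ["account", "lockout"], "src": "10.0.0.5", "dest": "dc01", "user": "jdoe"}  # constructed
FAILED_LOGIN = {"tags": ["authentication"], "action": "failure", "src": "10.0.0.9", "dest": "web01", "user": "root"}  # constructed
```

Running check_event on LOCKOUT_EVENT shows the row is displayable but four fields would be rendered as unknown; FAILED_LOGIN carries the right tag yet is excluded because the panel requires action=success.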
Access Protection
Access Protection provides information about authentication attempts and access-control related events (login, logout, access allowed, access failure, use of default accounts, and so on).
Access Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Access Over Time | authentication | action, app, src, src_user, dest, user | |
| Notable Access Events | notable | action, app, src, src_user, dest, user | |
| Top Access | authentication | action, app, src, src_user, dest, user | |
| Unique Access | authentication | action, app, src, src_user, dest, user | |
Access Tracker
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| First Time Account Access | authentication | action, app, src, src_user, dest, user | The action field must be success (action=success) |
| Inactive Account Usage | authentication | action, app, src, src_user, dest, user | The action field must be success (action=success) |
| Completely Inactive Accounts | authentication | action, app, src, src_user, dest, user | The local field must be true (local=true) |
| Account Usage for Expired Identities | authentication | user, dest | |
Access Search
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| timeline | authentication | action, app, src, src_user, dest, user | |
Account Management
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Management Events by Time | account AND (management OR lockout) | signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user | |
| Account Lockouts | account AND (management OR lockout) | signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user | |
| Account Management by Source User | account AND (management OR lockout) | src_user | |
| Top Account Management Events | account AND (management OR lockout) | signature | |
| Recent Account Management | account AND (management OR lockout) | | |
Default Account Activity
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Default Account Usage by Time | account AND (default OR privileged) | action, app, src, src_user, dest, user, bunit, category | The action field must be "success" (action=success) |
| Default Accounts in Use | account AND (default OR privileged) | user, user_category, dest_count | |
| Default Local Accounts | account AND local AND (default OR privileged) | user, user_category, dest_count | |
Endpoint Protection
Endpoint Protection includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, and so on), system update history (which updates have been applied), and time synchronization information.
Malware Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Malware Activity Over Time | malware AND attack | action | |
| Top Infections | malware AND attack | action, signature, dest | |
| Malware Activity by Domain | malware AND attack | action, dest_nt_domain | |
| Key Malware Statistics | malware AND attack | action, signature, dest, dest_nt_domain, vendor_product | |
| First Time Infections | malware AND attack | action, signature, dest | |
| Recent Malware | malware AND attack | | |
Malware Search
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| timeline | malware AND attack | action, signature, dest, src, dest_nt_domain, user, file_name, file_path, file_hash | |
Malware Operations
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Average Infection Length by Time | malware AND attack | action | |
| Anomalous Malware Infections | malware AND attack | dest, signature | |
| Malware Client Distribution | endpoint AND application AND report AND version | dest, product_version, signature_version | |
| Malware Signature Update Tracking | endpoint AND application AND report AND version | dest, product_version | |
| Endpoint Application Errors | endpoint AND application AND error | | |
System Center
| Panel | Source type | Tags | Fields | Notes |
|---|---|---|---|---|
| Operating Systems | | os AND report AND version AND listening port | os | |
| Resource Utilization (cpu time) | *:CPUTime | os AND report AND version AND listening port | PercentSystemTime, PercentUserTime | |
| Resource Utilization (memory) | *:Memory | os AND report AND version AND listening port | UsedBytes, FreeMBytes, TotalMBytes | |
| Resource Utilization (disk) | *:FreeDiskSpace | os AND report AND version AND listening port | FreeMegabytes, PercentFreeSpace, TotalMBytes, UsedMBytes | |
| System Uptime | *:Uptime | os AND report AND version AND listening port | SystemUpTime | |
| System Configurations (SSHD Config) | *:SSHDConfig | os AND report AND version AND listening port | dest, sshd_protocol | |
| System Configurations (SE Linux config) | *:SELinuxConfig | os AND report AND version AND listening port | dest, selinux | |
| Processes/Services (processes) | *:LocalProcesses | os AND report AND version AND listening port | app | |
| Processes/Services (services) | *:Service | os AND report AND version AND listening port | app | |
| Ports/Users (ports) | *:UserAccounts | os AND report AND version AND listening port | transport, dest, dest_port, user | |
Time Center
| Panel | Source type | Tags | Fields | Notes |
|---|---|---|---|---|
| Systems Not Time Synching | | time AND synchronize AND failure | dest | |
| Indexing Time Delay | | time AND synchronize AND failure | host, should_time_sync | |
| NTP Anomalous StartMode | *:Service | time AND synchronize AND failure | StartMode | |
| Recent Time Synchronization Failure | | time AND synchronize AND failure | | |
Endpoint Changes
| Panel | Source type | Tags | Fields | Notes |
|---|---|---|---|---|
| Endpoint Changes by Action | | fs_notification OR WinRegistry | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Endpoint Changes by Type | | fs_notification OR WinRegistry | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Top Changes by System | | fs_notification OR WinRegistry | dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash | |
| Recent Endpoint Changes | | fs_notification OR WinRegistry | | |
Patch / Update Center
| Panel | Source type | Tags | Fields | Notes |
|---|---|---|---|---|
| Updates by Status | | os AND update AND status | status AND (HotFixID OR package) | |
| Systems Not Updating | | os AND update AND status | status AND (HotFixID OR package) | |
| Automatic Update Anomalous StartMode | *:Service | os AND update AND status | dest, app, start_mode | |
| Anomalous System Uptime | *:Uptime | os AND update AND status | SystemUpTime, should_update, dest | |
| Recent Update Errors | | os AND update AND status | | |
| Successful Updates | | os AND update AND status | status AND (HotFixID OR package) | |
Patch / Update Profiler
| Panel | Source type | Tags | Fields | Notes |
|---|---|---|---|---|
| Patches / Updates | | os AND update AND status(HotFixID OR package) | dest, app, signature, status | |
Network Protection
Network Protection includes information about network traffic provided from devices such as firewalls, routers, and network-based intrusion detection systems.
Traffic Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Network Traffic Over Time | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port | |
| Top Network Traffic | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port | |
| Network Scanning Activity (port scanners) | network AND communicate | dest_port, src | |
| Network Scanning Activity (system scanners) | network AND communicate | dest, src | |
Traffic Search
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| timeline | network AND communicate | action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port, vendor_product | |
Intrusion Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| IDS Activity by Category/Severity | ids AND attack | category, severity | |
| IDS Scanning Activity | ids AND attack | signature, src | |
| IDS Activity Over Time | ids AND attack | dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application | The is_network, is_wireless, is_host, and is_application fields are derived by ES and do not need to be extracted |
| Top Attacks | ids AND attack | dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application | The is_network, is_wireless, is_host, and is_application fields are derived by ES and do not need to be extracted |
| First Time Attacks | ids AND attack | signature, dest | |
Intrusion Search
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| timeline | ids AND attack | category, dest, dest_port, dvc, severity, signature, src, src_port, usr, vendor_product | |
Vulnerability Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Top Vulnerabilities | vulnerability AND report | signature | |
| Most Vulnerable Hosts | vulnerability AND report | signature, severity | |
| Vulnerabilities by Category/Severity | vulnerability AND report | category, severity, signature, dest | |
| First Time Vulnerabilities | vulnerability AND report | category, severity, signature, dest | |
Vulnerability Operations
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Vulnerability Scan Activity | vulnerability AND dvc AND report | severity, business unit, category, time | |
| Vulnerabilities by Age | vulnerability AND dvc AND report | signature, dest | |
| Delinquent Scanning | vulnerability AND dvc AND report | category, severity, signature, dest, os | |
Vulnerability Profiler
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Vulnerability Profiler | vulnerability | category, severity, signature, cve, dest | |
Web Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Proxy Events | web AND proxy | status, action, http_method, http_content_type, http_user_agent, src, dest | Proxy Events (note that the client machine is the dest and the server is the src) |
| Events Over Time By Method | web AND proxy | status, action, http_method, http_content_type, http_user_agent | Proxy Events Over Time |
| Events Over Time By Status | web AND proxy | status, action, http_method, http_content_type, http_user_agent | Proxy Events Over Time |
| Top Source/Destination | web AND proxy | src, dest, bytes_in, bytes_out | Top Source/Destination |
Proxy Search
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| timeline | web AND proxy | bytes_in, bytes_out, action, status, src, dest, http_content_type, http_method, http_referrer, http_user_agent, url, user | |
Network Changes
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Network Changes by Action | network AND change | dvc, action, user, command | |
| Network Changes by Device | network AND change | dvc, action, user, command | |
| Recent Network Changes | network AND change | dvc, action, user, command | |
Port & Protocol Tracker
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| First Time Port Activity | network AND communicate | dvc, transport, dest_port | The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0 |
| Port Activity by Status | network AND communicate | transport, dest_port | The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0 |
| Port Status by Time | network AND communicate | transport, dest_port | The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0 |
Identity
Identity correlation includes views that summarize the asset and identity lists and network sessions (DHCP, VPN).
Asset Center
The Asset Center contents are based on the asset list lookup files (for example assets.csv).
Identity Center
The Identity Center contents are based upon the identity list lookup files (for example identities.csv).
Asset and Identity Search
The Asset and Identity Search dashboard is a timeline that uses information from the various asset and identity lists.
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| timeline | | Fields are from the asset and identity files | Data comes from the available asset and identity lists (like assets.csv and identities.csv) |
Session Center
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Sessions Over Time | network AND session (start OR end) | key, ip, mac, nt_host, dns, user, startTime, endTime | |
| Sessions Length Distribution | network AND session (start OR end) | key, ip, mac, nt_host, dns, user, startTime, endTime | |
| Sessions | network AND session (start OR end) | ip, mac, nt_host, dns, user, startTime, endTime | |
Audit
Incident Review Audit
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Review Activity by Reviewer over Time | default OR privileged | app, view, user | |
| Notable Events by Status | default OR privileged | app, view, user | |
| Top Reviewers | default OR privileged | app, view, user | |
| Recent Review Activity | default OR privileged | app, view, user | |
Suppression Audit
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Currently Suppressed Events (Last 24 hours) | action AND status AND user | rule_id, source, suppression, urgency | |
| Suppressed Notable Event History | action AND status AND user | rule_id, source, suppression, urgency | |
| Suppression Management Activity | action AND status AND user | rule_id, source, suppression, urgency | |
| Expired Suppressions | action AND status AND user | rule_id, source, suppression, urgency | |
Forwarder Audit
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Host Event Count over Time | host AND app | _time, app, view, user, host | |
| Hosts Not Reporting | host AND app | host, user | |
| Splunkd Resource Utilization | host AND app | _time, host | |
| Splunkd Anomalous StartMode | host AND app | anomalous, avail, check, default, os, privileged, process, report, should_timesync, should_update | |
Search Audit
The Search Audit dashboard uses audit data, collected automatically from the audit index during normal operation (base search: index=_audit).
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Search Activity by Type | | action, app, src, src_user, dest, user | uses the `search_activity` search macro |
| Search Activity by user | | action, app, src, src_user, dest, user | uses the `search_activity` search macro |
| Search Activity by Expense | | action, app, src, src_user, dest, user | uses the `search_activity` search macro |
TSIDX Audit
The TSIDX Audit dashboard is populated by data from the custom REST handler, which is used to report on TSIDX namespace size and retention intervals (base search: | `tsidx_rest`).
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Top TSIDX namespace by count | | tsidx_namespace, count | uses `tsidx_rest` search macro |
| Top TSIDX namespace by file_size | | tsidx_namespace, file_size | uses `tsidx_rest` search macro |
| TSIDX namespaces | | tsidx_namespace, splunk_server, earliest, latest, file_size | uses `tsidx_rest` search macro |
View Audit
The View Audit dashboard shows audit data related to view activity. It is used to verify that a particular view has been visited, typically to satisfy governance requirements dictating that certain logs or reports must be reviewed on a regular basis (base search: | `expected_views(<app name>)`). Some panels require populating the expected_views.csv lookup.
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Splunk App for Enterprise Security View Activity | is_expected | action, app, src, src_user, dest, user | expected_views.csv needs to be populated |
| Expanded View Activity | is_expected AND privileged OR default | action, app, src, src_user, dest, user | expected_views.csv needs to be populated |
| Expected View Scorecard | is_expected | action, app, src, src_user, dest, user | expected_views.csv needs to be populated |
| Recent Web Service Errors | web AND error | action, app, src, src_user, dest, user | |
Data Protection
The Data Protection dashboard shows various data related to data integrity settings. Several base searches access REST handlers, notable events, and data in the _audit index.
| Panel | Tags | Fields | Notes |
|---|---|---|---|
| Data Protection | N/A | N/A | descriptive panel |
| Protecting Correlated Events with Event Hashing | N/A | N/A | descriptive panel |
| Tampered Correlated Events | decorated | action, app, src, src_user, dest, user | uses "tstats" from sa_notables |
| Protecting Event Data with IT Data Signing | | range, label | uses `audit_rest` search macro |
| Verifying Data Integrity Using IT Data Signing | | id, date, _time, ip_address, host_name, MAC_address | uses `index_settings` search macro |
| Protecting Splunk's Audit Data with Audit Signing | | range, label | uses `audit_rest` search macro |
| Verifying Splunk's Audit Data | | gap, validity, count | uses `audit_validation` search macro |
| Anonymizing Sensitive Data | N/A | N/A | descriptive panel |
| Detecting Sensitive Data | | count, range | uses `notable("Audit - Personally Identifiable Information Detection - Rule")` search macro |