This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
List of reports by security domain
Use these reports to create panels for your custom dashboards in the Splunk App for Enterprise Security. The add-ons, domain add-ons, and supporting add-ons can be found in $SPLUNK_HOME/etc/apps.
Access Reports
These reports are part of the DA-ESS-AccessProtection domain add-on.
| Report | Security Domain |
|---|---|
| Access - Access Over Time | Access |
| Access - Access Over Time by Action | Access |
| Access - Access Over Time by App | Access |
| Access - Account Usage For Expired Identities | Access |
| Access - Default Account Usage Over Time | Access |
| Access - Default Account Usage Over Time By App | Access |
| Access - Default Accounts in Use | Access |
| Access - Default Local Accounts | Access |
| Access - Distinct Apps | Access |
| Access - Distinct Destinations | Access |
| Access - Distinct Sources | Access |
| Access - Distinct Users | Access |
| Access - First Time Account Access | Access |
| Access - First Time Account Access Over Time | Access |
| Access - Inactive Account Usage | Access |
| Access - Inactive Accounts | Access |
| Access - Notable Access Events | Access |
| Access - Privileged Account Usage Over Time | Access |
| Access - Privileged Accounts in Use | Access |
| Access - Top Access By Destination | Access |
| Access - Top Access By Source | Access |
| Access - Total Access Attempts | Access |
| Access - Unique Access By App Count | Access |
| Access - Unique Access By Destination Count | Access |
| Access - Unique Access By User Count | Access |
Application State Reports
These reports are part of the DA-ESS-EndpointProtection domain add-on.
| Report | Security Domain |
|---|---|
| App State - Ports by System Count | App State |
| App State - Processes by System Count | App State |
| App State - Services by System Count | App State |
| App State - Systems by Port Count | App State |
| App State - Systems by Process Count | App State |
| App State - Systems by Service Count | App State |
Asset Reports
These reports are part of the SA-IdentityManagement supporting add-on.
| Report | Security Domain |
|---|---|
| Assets - Asset Information | Assets |
| Assets - Assets by Business Unit | Assets |
| Assets - Assets by Category | Assets |
| Assets - Assets by Priority | Assets |
Audit Reports
These reports are part of the SA-AuditAndDataProtection supporting add-on.
| Report | Security Domain |
|---|---|
| Audit - ES View Activity Over Time | Audit |
| Audit - Event Count Over Time By Top 10 Hosts | Audit |
| Audit - Expected ES View Activity | Audit |
| Audit - Hosts By Last Report Time | Audit |
| Audit - Searches Over Time by Type | Audit |
| Audit - Searches Over Time by User | Audit |
| Audit - Splunk Service Start Mode Anomalies | Audit |
| Audit - Splunkd Process Utilization | Audit |
| Audit - Top Searches by Run Time | Audit |
| Audit - Web Service Errors | Audit |
CIM Reports
These reports are part of the SA_CommonInformationModel supporting add-on.
| Report | Security Domain |
|---|---|
| CIM - Data Model Acceleration Details | CIM |
| CIM - Top Data Model Accelerations By Run Duration | CIM |
| CIM - Top Data Model Accelerations By Size | CIM |
Change Reports
These reports are part of the DA-ESS-AccessProtection and DA-ESS-NetworkProtection domain add-ons.
| Report | Security Domain |
|---|---|
| Change - Account Lockouts | Change |
| Change - Account Management by Source User | Change |
| Change - Account Management Over Time By Action | Change |
| Change - Endpoint Changes By Action | Change |
| Change - Endpoint Changes By System | Change |
| Change - Endpoint Changes By Type | Change |
| Change - Network Changes By Action | Change |
| Change - Network Changes By Device | Change |
| Change - Recent Account Management | Change |
| Change - Recent Endpoint Changes | Change |
| Change - Recent Network Changes | Change |
| Change - Top Account Management Events | Change |
Endpoint Reports
These reports are part of the DA-ESS-EndpointProtection domain add-on.
| Report | Security Domain |
|---|---|
| Endpoint - Application Errors | Endpoint |
| Endpoint - SELinux Configurations By System | Endpoint |
| Endpoint - SSHD Configurations By System | Endpoint |
IDS (Intrusion Detection Scan) Reports
These reports are part of the DA-ESS-Network Protection domain add-on.
| Report | Security Domain |
|---|---|
| IDS - Activity By Category | IDS |
| IDS - Activity By IDS Type | IDS |
| IDS - Activity By Severity | IDS |
| IDS - Activity Over Time | IDS |
| IDS - Activity Over Time By Attack | IDS |
| IDS - Activity Overl Time By Category | IDS |
| IDS - Activity Over Time By Destination | IDS |
| IDS - Activity Over Time By Device | IDS |
| IDS - Activity Over Time By Severity | IDS |
| IDS - Activity Over Time By Source | IDS |
| IDS - High Severity Attacks | IDS |
| IDS - New Attacks | IDS |
| IDS - Scanning Activity (Many Attacks) | IDS |
| IDS - Scanning Activity (Many Systems) | IDS |
| IDS - Top Attacks By Attack | IDS |
| IDS - Top Attacks By Category | IDS |
| IDS - Top Attacks By Destination | IDS |
| IDS - Top Attacks By Device | IDS |
| IDS - Top Attacks By Severity | IDS |
| IDS - Top Attacks By Source | IDS |
| IDS - Unique Categories | IDS |
| IDS - Unique Destinations | IDS |
| IDS - Unique Signature Count | IDS |
| IDS - Unique Sources | IDS |
Identities Reports
These reports are part of the SA-IdentityManagement supporting add-on.
| Report | Security Domain |
|---|---|
| Identities - Identities by Business Unit | Identities |
| Identities - Identities by Category | Identities |
| Identities - Identities by Priority | Identities |
| Identities - Identity Information | Identities |
Incident Review Reports
These reports are part of the SA-ThreatIntelligence supporting add-on.
| Report | Security Domain |
|---|---|
| Incident Review - Activity by Reviewer Over Time | Incident Review |
| Incident Review - Notable Events by Status | Incident Review |
| Incident Review - Recent Review by Activity | Incident Review |
| Incident Review - Top Reviewers | Incident Review |
Inventory Reports
These reports are part of the DA-ESS-EndpointProtection domain add-on.
| Report | Security Domain |
|---|---|
| Inventory - Operating Systems By System Count | Inventory |
| Inventory - System By User Count | Inventory |
| Inventory - Users By System Count | Inventory |
Malware Reports
These reports are part of the DA-ESS-EndpointProtection domain add-on.
| Report | Security Domain |
|---|---|
| Malware - Activity Over Time | Malware |
| Malware - Activity Over Time By Action | Malware |
| Malware - Activity Over Time By Infection | Malware |
| Malware - Average Infection Length | Malware |
| Malware - Average Infection Length Over Time | Malware |
| Malware - Clients By Product Version | Malware |
| Malware - Clients By Signature Version | Malware |
| Malware - Clients Not Updating Signatures | Malware |
| Malware - Infected System Count | Malware |
| Malware - Multiple Infections | Malware |
| Malware - New Infections | Malware |
| Malware - New Malware | Malware |
| Malware - Old Malware Infections | Malware |
| Malware - Oldest Infection | Malware |
| Malware - Oldest Infections | Malware |
| Malware - Percent Of Systems Infected | Malware |
| Malware - Repeat Infections | Malware |
| Malware - Systems With Anti-Malware | Malware |
| Malware - Top 10 Infected Domains | Malware |
| Malware - Top 10 Infected Systems | Malware |
| Malware - Top 10 Infections | Malware |
| Malware - Top Infected Domain | Malware |
| Malware - Top Infected System | Malware |
| Malware - Top Infection | Malware |
| Malware - Total Infection Count | Malware |
| Malware - Unique Infected Systems | Malware |
| Malware - Unique Infections | Malware |
| Malware - Unique Malware Count | Malware |
Notable Events Reports
These reports are part of the SplunkEnterpriseSecuritySuite add-on.
| Report | Security Domain |
|---|---|
| Notable - Events By Urgency | Notable |
| Notable - Events Over Time | Notable |
| Notable - Events Over Time By Security Domain | Notable |
| Notable - Top Events | Notable |
| Notable - Top Notable Event Destinations | Notable |
| Notable - Top Notable Event Sources | Notable |
| Notable - Total Events By Access Domain | Notable |
| Notable - Total Events By Audit Domain | Notable |
| Notable - Total Events By Endpoint Domain | Notable |
| Notable - Total Events By Identity Domain | Notable |
| Notable - Total Events By Network Domain | Notable |
| Notable - Total Events By Threat Domain | Notable |
Per-Panel Filtering Reports
These reports are part of the SA-Utils supporing add-on.
| Report | Security Domain |
|---|---|
| Per-Panel Filtering - Activity By User Over Time | Per-Panel Filtering |
| Per-Panel Filtering - Recent Activity | Per-Panel Filtering |
| Per-Panel Filtering - Top Users | Per-Panel Filtering |
Performance Reports
These reports are part of the DA-EndpointProtection domain add-on.
| Report | Security Domain |
|---|---|
| Performance - Average System Uptime | Performance |
| Performance - Indexing Time Delay By Host | Performance |
| Performance - Indexing Time Delay By Sourcetype | Performance |
| Performance - Maximum System Uptime | Performance |
| Performance - Memory Utilization By System | Performance |
| Performance - Minimum System Uptime | Performance |
| Performance - Number Of Systems Not Reporting | Performance |
| Performance - Number Of Systems Not Time Synchronizing | Performance |
| Performance - Number Of Systems With Update Anomalies | Performance |
| Performance - Storage Utilization By System | Performance |
| Performance - Systems Not Time Synching | Performance |
| Performance - Time Service Start Mode Anomalies | Performance |
| Performance - Time Synchronization Failures | Performance |
| Performance - Top-Average CPU Load Over Time By System | Performance |
| Performance - Uptime By System | Performance |
Sessions Reports
These reports are part of the SA-IdentityManagement supporting add-on.
| Report | Security Domain |
|---|---|
| Sessions - Network Session Details | Sessions |
| Sessions - Network Sessions Over Time | Sessions |
Suppression Reports
These reports are part of the SA-ThreatIntelligence supporting add-on.
| Report | Security Domain |
|---|---|
| Suppressions - Currently Suppressed Events Over Time | Suppressions |
| Suppressions - Expired Suppressions | Suppressions |
| Suppressions - Suppression History Over Time | Suppressions |
| Suppressions - Suppression Management Activity | Suppressions |
Traffic Reports
These reports are part of the DA-ESS-NetworkProtection domain add-on.
| Report | Security Domain |
|---|---|
| Traffic - Maximum Bytes | Traffic |
| Traffic - Mean Bytes | Traffic |
| Traffic - Minimum Bytes | Traffic |
| Traffic - New Port Activity | Traffic |
| Traffic - Prohibited Or Insecure Traffic Over Time | Traffic |
| Traffic - Prohibited Traffic Details | Traffic |
| Traffic - Scan Activity By Destination Ports | Traffic |
| Traffic - Scan Activity By Destinations | Traffic |
| Traffic - Standard Deviation Bytes | Traffic |
| Traffic - Threat List Communication | Traffic |
| Traffic - Top Traffic By Destination | Traffic |
| Traffic - Top Traffic By Destination Port | Traffic |
| Traffic - Top Traffic By Device | Traffic |
| Traffic - Top Traffic By Source | Traffic |
| Traffic - Top Traffic By Source Port | Traffic |
| Traffic - Top Traffic By Transport | Traffic |
| Traffic - Total Count | Traffic |
| Traffic - Traffic Over Time | Traffic |
| Traffic - Traffic Over Time By Action | Traffic |
| Traffic - Traffic Over Time By Bytes | Traffic |
| Traffic - Traffic Over Time By Destination | Traffic |
| Traffic - Traffic Over Time By Destination Port | Traffic |
| Traffic - Traffic Over Time By Device | Traffic |
| Traffic - Traffic Over Time By Source | Traffic |
| Traffic - Traffic Over Time By Source Port | Traffic |
| Traffic - Traffic Over Time By Transport Protocol | Traffic |
| Traffic - Traffic Size Anomalies | Traffic |
| Traffic - Traffic Size Anomalies Over Time | Traffic |
| Traffic - Unique Destinations | Traffic |
| Traffic - Unique Sources | Traffic |
Updates Reports
These reports are part of the DA-ESS-EndpointProtection domain add-on.
| Report | Security Domain |
|---|---|
| Updates - Available Updates | Updates |
| Updates - Available Updates by System | Updates |
| Updates - Installed Updates | Updates |
| Updates - Number of Systems Not Updating | Updates |
| Updates - Number of Systems With Start Mode Anomalies | Updates |
| Updates - Systems by Last Update Time | Updates |
| Updates - Top Systems Needing Updates | Updates |
| Updates - Top Updates Needed | Updates |
| Updates - Update Errors | Updates |
| Updates - Update Service Start Mode Anomalies | Updates |
| Updates - Updates by Status | Updates |
Utilities Reports
These reports are part of the SA-Utils supporting add-on.
| Report | Security Domain |
|---|---|
| Utils - Top REST Actions | Utils |
| Utils - Top REST Actions By Sourcetype | Utils |
| Utils - Top REST Actions By Duration | Utils |
Vulnerability Reports
These reports are part of the DA-ESS-NetworkProtection domain add-on.
| Report | Security Domain |
|---|---|
| Vuln - Average Vulnerability Age | Vuln |
| Vuln - Average Vulns Per System | Vuln |
| Vuln - Delinquent Scanning | Vuln |
| Vuln - Most Vulnerable Hosts | Vuln |
| Vuln - New Vulnerabilities | Vuln |
| Vuln - Percentage Of Vulnerable Systems | Vuln |
| Vuln - Scan Activity Over Time | Vuln |
| Vuln - Top Vulnerabilities | Vuln |
| Vuln - Total Vulnerabilities | Vuln |
| Vuln - Vulnerabilities By Age | Vuln |
| Vuln - Vulnerabilities By Category | Vuln |
| Vuln - Vulnerabilities By Severity | Vuln |
| Vuln - Vulnerable System Count | Vuln |
Web Reports
These reports are part of the DA-ESS-NetworkProtection domain add-on.
| Report | Security Domain |
|---|---|
| Web - Destination Count | Web |
| Web - Events Over Time By Action | Web |
| Web - Events Over Time By Content Type | Web |
| Web - Events Over Time By Method | Web |
| Web - Events Over Time By Status | Web |
| Web - Events Over Time By User Agent | Web |
| Web - HTTP Category Count | Web |
| Web - HTTP Category Details | Web |
| Web - HTTP Category Distribution | Web |
| Web - HTTP Category Maximum Count | Web |
| Web - HTTP Category Mean Count | Web |
| Web - HTTP Category Minimum Count | Web |
| Web - HTTP Category Standard Deviation Count | Web |
| Web - Source Count | Web |
| Web - Top Destinations | Web |
| Web - Top Sources | Web |
| Web - Total Events By Action | Web |
| Web - Total Events By Content Type | Web |
| Web - Total Events By Method | Web |
| Web - Total Events By Status | Web |
| Web - Total Events By User Agent | Web |
| Web - URL Count | Web |
| Web - URL Length Anomalies | Web |
| Web - URL Length Anomalies Over Time | Web |
| Web - URL Length Over Time | Web |
| Web - URL Length Standard Deviation | Web |
| Web - URL Maximum Length | Web |
| Web - URL Mean Length | Web |
| Web - URL Minimum Length | Web |
| Web - User Agent Count | Web |
| Web - User Agent Details | Web |
| Web - User Agent Distribution | Web |
| Web - User Agent Length Standard Deviation | Web |
| Web - User Agent Maximum Length | Web |
| Web - User Agent Mean Length | Web |
| Web - User Agent Minimum Length | Web |
Whois Reports
These reports are part of the DA-ESS-NetworkProtection domain add-on.
| Report | Security Domain |
|---|---|
| Whois - New Domain Activity | Whois |
| Whois - New Domain Activity By Age | Whois |
| Whois - New Domain Activity By TLD | Whois |
| Whois - Registration Details | Whois |
Last modified on 25 April, 2015
| Indexes | List of search macros |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3
Download manual
Feedback submitted, thanks!