This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Search View matrix
| This page is currently a work in progress; expect frequent near-term updates. |
This topic includes information on in the Splunk for Enterprise Security correlation searches associated with the dashboards, along with support and correlation searches that generate notable events, but are not directly used by dashboards.
Correlations search thresholds
The following table lists the correlation searches with adjustable thresholds:
| Correlation search | Description | Default |
|---|---|---|
| Endpoint - Active Unremediated Malware Infection | Number of days that the device was unable to clean the infection | 3 |
| Endpoint - Anomalous New Services | Number of new services | 9 |
| Endpoint - Anomalous New Processes | Number of new processes | 9 |
| Endpoint - Anomalous User Account Creation | Number of new processes in a 24 hr period | 3 |
| Access - Brute Force Access Behavior Detected | Number of failures | 6 |
| Access - Excessive Failed Logins | Number of authentication attempts | 6 |
| Endpoint - High Number of Infected Hosts | Number of infected hosts | 100 |
| Endpoint - Host with Excessive Number of Listening Ports | Number of listening ports | 20 |
| Endpoint - Host with Excessive Number of Processes | Number of running processes | 200 |
| Endpoint - Host with Excessive Number of Services | Number of running services | 100 |
| Endpoint - Host with Multiple Infections | Total number of infections per host | > 1 |
| Endpoint - Old Malware Infection | Number of days host had infection | 30 days |
| Endpoint - Recurring Malware Infection | Number of days that the device was re-infected | 3 days |
| Network - Substantial Increase in an Event | Number of events (self-baselines based on average) | 3 St Dev. |
| Network - Substantial Increase in Port Activity (by destination) | Number of targets (self-baselines based on average) | 3 St Dev. |
| Network - Vulnerability Scanner Detection (by event) | Number of unique events | 25 |
| Network - Vulnerability Scanner Detection (by targets) | Number of unique targets | 25 |
Visible searches
These searches support dashboard panels in the user interface.
You cannot disable the Security Posture, Incident Review, or Auditing dashboards using Configure > Domains and Dashboards.
Security Posture & Incident Review dashboards
| search / dashboard | security posture | incident review | access center | correlation search support |
|---|---|---|---|---|
| ESS - Notable Events | X | X | X |
Access Protection dashboards
| search \ dashboard | access center | access search | access tracker | account management | default accounts | correlation search support |
|---|---|---|---|---|---|---|
| Access - All Authentication - Base | X | X | X | X | X |
Network Protection dashboards
| search \ dashboard | ids center | ids search | network changes | port protocol tracker | proxy center | proxy search | traffic center | traffic search | vuln center | vuln operations | vuln profiler | correlation search support |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Network - All IDS Attacks - Base | X | X | ||||||||||
| Network - All Communication | X | |||||||||||
| Network - All Communication - Base | X | X | ||||||||||
| Network - All Proxy | X |
Resources dashboards
| search \ dashboard | event geography | incident review | access center | correlation search support |
|---|---|---|---|---|
| ESS - Notable Events by Geography - Base | X |
Background searches
These are support searches and correlation searches that generate notable events, and are not directly used by dashboards.
- Access - Insecure Or Cleartext Authentication - Rule
- Access - Brute Force Access Behavior Detected - Rule
- Access - Inactive Account Usage - Rule
- Access - Default Account Usage - Rule
- Access - Excessive Failed Logins - Rule
- Access - Default Accounts At Rest - Rule
- Access - Completely Inactive Account - Rule
- Access - Cleartext Password At Rest - Rule
- Access - High or Critical Priority Individual Logging into Infected Machine - Rule
- Audit - Anomalous Audit Trail Activity Detected - Rule
- Audit - Expected Host Not Reporting - Rule
- Audit - Personally Identifiable Information Detection - Rule
- Endpoint - Old Malware Infection - Rule
- Endpoint - Outbreak Observed - Rule
- Endpoint - Prohibited Process Detection - Rule
- Endpoint - Prohibited Service Detection - Rule
- Endpoint - Recurring Malware Infection - Rule
- Endpoint - Should Timesync Host Not Syncing - Rule
- Endpoint - Anomalous New Listening Port - Rule
- Endpoint - Anomalous New Processes - Rule
- Endpoint - Anomalous New Services - Rule
- Endpoint - Anomalous User Account Creation - Rule
- Endpoint - High Number Of Infected Hosts - Rule
- Endpoint - High Or Critical Priority Host With Malware - Rule
- Endpoint - High Number of Hosts With Infection - Rule
- Endpoint - Host Sending Excessive Email - Rule
- Endpoint - Host With Excessive Number Of Listening Ports - Rule
- Endpoint - Host With Excessive Number Of Processes - Rule
- Endpoint - Host With Excessive Number Of Services - Rule
- Endpoint - Host With Multiple Infections - Rule
- Identity - Make Categories - TSIDX Gen
- Identity - Activity from Expired User Identity - Rule
- Network - Policy Or Configuration Change - Rule
- Network - RapidShare Activity - Rule
- Network - SANS Block List Activity - Rule
- Network - Source And Destination - TSIDX Gen
- Network - Spyware Activity - Rule
- Network - Substantial Increase in Port Activity (By Destination) - Rule
- Network - Substantial Increase in an Event - Rule
- Network - Tor Router Activity - Rule
- Network - Unapproved Port Activity Detected - Rule
- Network - Unroutable Host Activity - Rule
- Network - Vulnerability Scanner Detection (by event) - Rule
- Network - Vulnerability Scanner Detection (by targets) - Rule
- Network - Attack Volume - TSIDX Gen
- Network - High Volume of Traffic from High or Critical Host - Rule
- Network - Internet Proxy Server Activity - Rule
- Network - Known Web Attacker Activity - Rule
- Network - LogMeIn Activity - Rule
- Network - PirateBay Activity - Rule
- Threat - Watchlisted Events - Rule
Last modified on 02 December, 2014
| Identity correlation | Notable events |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1
Download manual
Feedback submitted, thanks!