Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Audit dashboards

The Audit domain helps to validate the security of the data within Enterprise Security. Audit and data protection includes resources for ensuring that forwarders are functioning, that data has not been tampered with, that data is secured in transmission, and that the incidents detected by the rules are being reviewed.

Incident Review Audit

The Incident Review Audit dashboard provides an overview of incident review activity. The panels display how many incidents are being reviewed and by which user, along with a list of the most recently reviewed events. The metrics on this dashboard allow security managers to review the activities of analysts.

ES31-IncidentReviewAuditDB.png


Selecting a chart element or table row on a panel will drill-down to an event. See dashboard drilldown in this manual.

Incident Review Audit dashboard panels
Panel Description
Review Activity by Reviewer Displays the numbers of events reviewed by each user. This panel is useful for determining which user is performing the incident reviews and if the total number of incidents reviewed is changing over time.
Notable Events by Status Displays the total notable events by all statuses. This panel is useful for determining if the incident review users are keeping up with incidents, or whether a backlog of unreviewed incidents is forming.
Top Reviewers Displays the top users that have performed incident reviews. The panel includes details for each user, including the date they first performed an incident review, the date they last performed a review, and the number of incidents reviewed.
Recent Review Activity Shows the most recent incident review changes performed.

Suppression Audit

The Suppression Audit dashboard provides an overview of notable event suppression activity. This dashboard shows how many events are being suppressed and by whom so that notable event suppression can be audited and reported on.

Es-SuppressionAudit dashboard.png

The metrics on this dashboard allow security managers to review the activities of analysts, which is useful for tuning correlation searches. This also provides visibility into the different dimensions of suppression activity within the Incident Review workflow.

Clicking chart elements or table rows displays a listing of the notable events that have been suppressed based on the selected element.

Currently Suppressed Notable Events (Last 24 hours)

Currently suppressed notable events are shown in this panel. These can be displayed by time, by correlation search, by suppression rule, or by urgency.

Es-suppression audit current.png

The following table describes the options for display.

Display option Description
by Time Suppressed Notable Events by time of event
by Correlation Search Suppressed Notable Events by correlation search
by Suppression Suppressed Notable Events by suppression rule
by Urgency Suppressed Notable Events by urgency

Suppressed Notable Event History

This panel displays the history of suppressed notable events. The time range for results can be selected from the drop-down menu. The following table describes the options for display of the results.

Display option Description
Time range Select from drop-down menu
by Time Suppressed Notable Event History by time
by Correlation Search Suppressed Notable Event History by correlation search
by Suppression Suppressed Notable Event History by suppression rule
by Urgency Suppressed Notable Event History by urgency

Suppression Management Activity

This panel shows suppression management activity for the selected time period.

Es-suppression audit mgmt.png

The following table describes the fields in this panel.

Field Description
Time range Select from drop-down menu
_time Time that the suppression took place
suppression Name of the rule being suppressed
action Options: create, disable, enable
status Options: success, failure
user Options: unassigned, admin, esadmin, esanalyst

For more information about an event, click on the item.

Expired Suppressions

When a suppression rule is created, an expiration date is defined. This panel shows the history of expired suppressions that occurred during selected time period. The fields displayed in this panel are described in the following table.

Field Description
Time range Select from drop-down menu
_time Time that the rule expired
suppression Name of the expired rule
action Options: create, disable, enable
status Options: success, failure
user Options: unassigned, admin, esadmin, esanalyst

For more information about an expired suppression, click on the item.

Data Model Audit

The Data Model Audit dashboard displays information about the data models available in your environment.

This dashboard is available by default under the Audit domain menu.

ES-Data Model Audit dashboard.png

The following table describes the panels for this dashboard.

Panel Description
Top Accelerations By Size A descending view of the accelerated data models by MB on disk
Top Accelerations By Run Duration A descending view of the accelerated data models by time to run acceleration
Accelerations Details A table view of the accelerated data models that provides additional information

Forwarder Audit

The Forwarder Audit dashboard helps ensure that hosts are properly forwarding data to Splunk. Forwarder Auditing detects forwarders that have failed and helps diagnose the cause of the failure, such as excessive resource utilization or forwarders not configured to start up when the host starts. This dashboard does not audit all forwarding activity, only that of systems that are configured as expected hosts in Enterprise Security. To see all forwarding activity, the Deployment Monitor app may be a good choice.

Es-ForwarderAuditDashboard.png

What is an expected host?

Expected hosts are denoted by a value of "is_expected=true" in the Asset table. The main search controls contain a filtering option to include/exclude these hosts.

Click on chart elements or table rows on this page to display a listing of event review activity. See dashboard drilldown for more information.

The following table describes the panels for this dashboard.

Panel Description
Dashboard filters Restricts the view on the current dashboard to assets that match the selected criteria. Selections apply to the current dashboard only. The following domain-specific options are available for this dashboard:
  • host: Filters by hostname
  • Show only the expected hosts?: Yes restricts view to hosts with a value of is_expected=true in the Asset List. No shows all hosts. Set up the Asset list in order to use this field; see the Splunk App for Enterprise Security Installation and Configuration Manual for more information.
    See descriptions of the standard filter options.
    Note: Text values in the filters must be lowercase text.
Hosts Not Reporting Shows hosts that ought to be sending events to Splunk but are not; this may mean that the forwarder is down and needs troubleshooting.
Splunk Resource Utilization Shows the resource utilization of each instance of the Splunk daemon (splunkd) that is sending events to Splunk. This is useful for detecting forwarders that are overtaxing their hosts. These forwarders are likely to forward events improperly and, and may drop events or submit them with a delay.
Splunk Anomalous StartMode Shows hosts that that are forwarding events to Splunk using splunkd but that are not configured to have splunkd to start on boot. These forwarders will not function when the host is rebooted unless splunkd is manually started each time and are likely to experience an outage when the host is rebooted.

Per-Panel Filter Audit

The Per-Panel Filter Audit dashboard provides information about the filters currently in use in your deployment.

Es-per-panel filter audit.png

The following table describes the panels for this dashboard.

Panel Description
Per-Panel By Reviewer Count of updates to per-panel filters by user
Top Users Shows users, sparkline for trends, number of views, and first and last time viewed.
Recent Filter Activity Activity by time, user, action, and filename

Search Audit

The Search Audit dashboard provides information about the searches being executed in Splunk. This dashboard is useful for identifying longer-running searches and tracking search activity over time and by user. Internal searches used by Enterprise Security are set to "user=unknown".

Ess-SearchAuditDashboard.png

Clicking chart elements or table rows on this page displays the raw events that are generating the items represented. See dashboard drilldown for more information.

The following table describes the panels for this dashboard.

Panel Description
Dashboard filters Restricts the view on the current dashboard to assets that match the selected criteria. Selections apply to the current dashboard only. See descriptions of the standard filter options.
Search Activity by Type Shows the number of searches executed over time by type (ad-hoc, scheduled, or real-time). Helps determine whether Splunk's performance is being affected by excessive number of searches.
Search Activity by User Shows the number of searches executed by each user. Helps determine when a particular user is executing an excessive number of searches.

Note: splunk-system-user is the name of the account used to execute scheduled searches.

Top Searches by User Lists the searches most commonly executed by the user selected in the Search Activity by User panel (see above). If no user is selected in the Search Activity by User panel, this panel is empty.
Search Activity by Expense Lists the most expensive searches in terms of duration. Helps to identify specific searches that may be adversely affecting Splunk performance.

View Audit

The View Audit dashboard provides information about the frequency at which the Enterprise Security views are being accessed. View Audit enables tracking whether or not selected views are being reviewed on a daily basis and helps to identify any errors triggered when users access the views. Availability of views can be managed through Enterprise Security Configuration.

Ess-ViewAuditingDashboard.png

Clicking chart elements or table rows on this dashboard displays a listing of event review activity. See dashboard drilldown for more information.

The following table describes the panels for this dashboard.

Panel Description
Splunk App for Enterprise Security View Activity Shows which Enterprise Security views have been accessed over time. Helps you see which views are most commonly used or whether Enterprise Security usage has increased.
Expected View Activity Lists the views set up in the Expected View list -- these are views that you want to review on a daily basis for your deployment. Select a dashboard to see details in the Expected View Scorecard panel below.

Use Configure > Lists and Lookups > Expected Views for setting up the Expected View list.

Expected View Scorecard Shows whether the dashboard selected in the Expected View Activity has been reviewed daily. A red icon indicates that the dashboard has not been reviewed on the given day; a green icon indicates that the dashboard was reviewed.
Ess-expectedViewScorecard.png
Recent Web Service Errors Lists errors that occurred while rendering the web interface. Helps identify custom views that contain errors or an underlying issue that need to be escalated to Splunk.

Threat List Audit

The Threat List Audit dashboard tracks and displays the current status of all threat lists. As an analyst, you can review this dashboard to determine if the threat lists are being kept current, and troubleshoot connection issues.

ES31 ThreatL Audit Top.png

Panel Description
Enabled Threat Lists Displays the status of all enabled threat lists
Local Threat Lists Displays the status of locally created and customized threat lists.
Disabled Threat Lists Displays all disabled threat lists.
Threat list Download Events Displays the python_modular_input_log events applicable to threat list downloads.

A correlation search is available to create a notable event if a threat lists download fails. Browse to Configure > General > Custom Searches to review the Failed Threat List Download search.

Last modified on 07 March, 2015
Additional Network dashboards   Create new correlation searches

This documentation applies to the following versions of Splunk® Enterprise Security: 3.2, 3.2.1, 3.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters