The Enterprise Security app contains a number of pre-defined key indicators, each with a use-case based upon the security domain dashboards included with the app. A key indicator is a UI object with a specific visual output. It includes a value indicator, a trend amount, a trend indicator, and a threshold to indicate the importance or priority of the value count.
Key indicators are populated by searches that represent an event count over time. The key indicator searches run against the data models defined in the Enterprise Security app, or the data models defined in the Common Information Model app. A few key indicators run searches against the count of notable events. The relative time span for key indicators defaults to the last 24 hours in the Enterprise Security app.
Key indicators are designed to provide a visual reference for several security related metrics at a glance. Each key indicator displays:
- Description of the metric: A brief descriptor of the security related metric.
- Value indicator: Displays the current count of events. If a threshold is set, the numbers will change color.
- Trend amount: Displays the change in the event count over time.
- Trend indicator: Displays a directional arrow to indicate the direction of the Trend amount. The arrow will change colors to indicate direction.
- Drilldown link: The Value indicator is also a link to a search.
Dashboards with key indicators
Key indicators are pre-configured on these dashboards:
- Security Posture
- Security Domains: Access: Access Center
- Security Domains: Endpoint: Malware Center
- Security Domains: Endpoint: Update Center
- Security Domains: Network: Traffic Center
- Security Domains: Network: Intrusion Center
- Security Domains: Network: Vulnerability Center
- Security Domains: Network: Web Center
- Advanced Threat: HTTP Category Analysis
- Advanced Threat: HTTP User Agent Analysis
- Advanced Threat: Traffic Size Analysis
- Advanced Threat: URL Length Analysis
Edit key indicators
The Enterprise Security app includes pre-configured key indicators. A dashboard key indicator row includes an editor that allows simple visual changes to be made directly to the key indicators without leaving the dashboard. Additionally, advanced changes can be made through the Enterprise Security app's Custom Searches page.
Choose the pencil icon named Edit on the top left of the indicator bar. The editing tools are displayed above the indicators.
Arrange key indicators
Drag and drop the indicators to arrange them in a preferred order. There are 5 indicators to a row, and there can be multiple indicator rows.
Remove key indicators
To remove an indicator, click the X on the top right of that indicator. Removing the indicator from a dashboard does not remove the key indicator configuration from Enterprise Security.
Add key indicators
To add key indicators, click the plus icon in the editor tab to open the Add indicators panel. There are more than 60 pre-defined key indicators. Click the checkmark icon to save.
Set a threshold
You can set a threshold value for each key indicator. A threshold is an acceptable value for the event count in an indicator. After the threshold is set, the value indicator will change colors to show if the event count is normal or notable. If no threshold is set, the value indicator numbers will remain black. If the threshold is larger than the count in a value indicator, the numbers will change to green. If the threshold is smaller than the count, the numbers will change to red.
Configure key indicators
The key indicator configurations can be found in the Enterprise Security app, under Configure > General > Custom Searches.
The Custom Searches page
The Custom Searches page is a status page used to display all correlation, key indicator, and swim lane searches. For key indicators, the option to Accelerate the search can be enabled directly on the Custom Searches page, or in the Edit Key Indicator Search page.
Use the Actions column on the Custom Searches page to:
- Accelerate a key indicator search: Selecting the Accelerate link on the Custom Searches page allows you to enable acceleration and set a basic schedule for the scheduled report Refresh Frequency. After the key indicator is accelerated, the Next Scheduled Time is populated on the Custom Searches page, and the lightning bolt for that indicator changes from grey to yellow.
Edit Key Indicator Search page
Browse to Configure > General > Custom Searches and select a Key Indicator search to view the Edit Key Indicator Search page. This page allows you to change the advanced options for a key indicator. A Preview button is also available to provide a visual review of the changes made to the configuration before saving.
The Edit Key Indicator Search configuration page defines a number of fields:
- Search Name: A brief descriptor of the indicator search.
- Destination App: The name of the app that contains the search.
- Title: The title text that will appear above the indicator on a dashboard.
- Sub-title: The text that will appear below the title that is used to describe the count type.
- Search: The search string to run.
- Drilldown URL: This field is used to override the default behavior of the link embedded in a key indicator. If the field is left empty, using the key indicator link will take you to the search results that generate the data displayed in the key indicator. Insert a new search URL into the Drilldown URL field to redirect users to a custom search when the link is chosen.
Key indicators are accelerated through scheduling. An accelerated key indicator search runs as a scheduled report. The scheduled report results are cached, speeding up the rendering of the indicator on the dashboard. After the cached search results are available, the loading time of a key indicator will improve.
- Schedule: The checkbox enables acceleration for a key indicator search.
- Cron Schedule: Edit or change the schedule frequency using standard cron notation.
If a key indicator is accelerated, the Next Scheduled Time is populated on the Custom Searches page, and the lightning bolt for that indicator changes from grey to yellow.
- Threshold: A number that determines the color assigned to the value indicator. If no threshold number is set, the value indicator numbers will remain black. If the threshold number is larger than the count in a value indicator, the value indicator numbers will change color to green. If the threshold number is smaller than the count, the value indicator numbers will change color to red. The trend indicator arrow changes direction with the threshold. The color behavior can be changed using the Invert option.
- Value suffix: An optional, descriptive name for the value indicator. The Value suffix will be placed between the Value Indicator and the Trend Indicator.
- Invert: The checkbox enables the invert option, changing the default behavior of the trend indicator threshold. If the threshold number is larger than the count in a value indicator, the value indicator numbers will change color to red. If the threshold number is smaller than the count, the value indicator numbers will change color to green.
- Preview: A button used to preview changes made to the key indicator rendering options before saving.
Create custom key indicators
A new key indicator can be added through the Custom Searches page in the Enterprise Security app, under Configure > General > Custom Searches. Choose New and Key Indicator Search. The Key Indicator Search page is where you define the key indicator name, the search, and other details. In the pre-configured key indicators, accelerated data models are used to speed the return of results, but are not required.
A key indicator has a corresponding entry in the savedsearches.conf of the app it was created in. Here is a sample of a custom key indicator as found in a
The search used to populate the key indicator must include a count. To make use of the other UI elements in a key indicator, the search must also provide a count differential to drive the change value and direction indicator. The sample search above is comprised of two searches. The first search returns the current_count, and the second search uses the appendcols command to return the historical_count. From there, the `get_delta` macro is used to compute the difference between the
The threshold value determines the colors used on the count differential, and an invert option is available to flip the arrow direction and color behavior as needed.
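The following is an added example, not code from Splunk or the Enterprise Security app: a small model of how a key indicator turns a search result row (the current_count and historical_count fields described above) plus the Threshold and Invert options into the value colour and trend arrow. It assumes the get_delta macro yields a plain difference and that a threshold equal to the count is treated as normal (green); both are assumptions, since the page does not state them.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyIndicator:
    """Rendering state of one key indicator, with fields named after the page's
    Edit Key Indicator Search options and the threshold/invert rules it describes."""
    title: str
    current_count: int
    historical_count: Optional[int] = None  # absent when the search has no appendcols part
    threshold: Optional[int] = None         # None: no threshold set, value stays black
    invert: bool = False
    value_suffix: str = ""

    @classmethod
    def from_search_row(cls, title: str, row: dict, **opts) -> "KeyIndicator":
        """Build from one result row of a key indicator search. Splunk returns field
        values as strings; historical_count is empty when the appendcols search is absent."""
        hist = row.get("historical_count")
        return cls(title, int(row["current_count"]),
                   int(hist) if hist not in (None, "") else None, **opts)

    def delta(self) -> Optional[int]:
        """Trend amount: current minus historical count (what the get_delta macro
        supplies; a plain difference is assumed here)."""
        if self.historical_count is None:
            return None
        return self.current_count - self.historical_count

    def trend_arrow(self) -> str:
        """Trend indicator direction, taken from the sign of the delta."""
        d = self.delta()
        if d is None or d == 0:
            return "flat"
        return "up" if d > 0 else "down"

    def value_color(self) -> str:
        """Black with no threshold; green when the threshold is larger than the count,
        red when it is smaller; Invert swaps green and red (equal counts as normal)."""
        if self.threshold is None:
            return "black"
        normal = self.threshold >= self.current_count
        if self.invert:
            normal = not normal
        return "green" if normal else "red"

    def render(self) -> str:
        d = self.delta()
        trend = "n/a" if d is None else f"{d:+d} {self.trend_arrow()}"
        return f"{self.title}: {self.current_count}{self.value_suffix} [{self.value_color()}] trend {trend}"
```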
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2