Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Dashboard requirements matrix

The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are accelerated using the data model acceleration feature of Splunk Enterprise. The tables break out the Enterprise Security app dashboard to the data models being referenced.

Dashboard to data model

A - E

Dashboard Name Panel Title Data Model Data Model Object
Access Center Access Over Time By Action Authentication Authentication.action
Access Over Time By App Authentication.app
Top Access By Source Authentication.src
Top Access By Unique User Authentication.user,.src
Access Search Authentication.action, .app, src, .dest, .user, src_user
Access Tracker First Time Access - Last 7 days None. Calls access_tracker lookup
Inactive Account Usage - Last 90 days
Completely Inactive Accounts - Last 90 days
Account Usage For Expired Identities - Last 7 days Authentication Authentication.dest
Account Management Account Management Over Time Change Analysis All_Changes.Account_Management, .action
Account Lockouts All_Changes.Account_Management, .result
Account Management By Source User All_Changes.Account_Management, .src_user
Top Account Management Events All_Changes.Account_Management, .action
Asset Center Assets By Priority Assets And Identities All_Assets.
Assets By Business Unit All_Assets.
Assets By Category All_Assets.
Asset Information All_Assets.
Dashboard Name Panel Title Data Model Data Model Object
Default Account Activity Default Account Usage Over Time By App Authentication Authentication.Default_Authentication, .action, .app
Default Accounts In Use Authentication.user_category, .dest, .user
Default Local Accounts None. Calls useraccounts_tracker lookup
DNS Activity Top Reply Codes By Unique Sources Network Resolution DNS DNS.message_type, DNS.reply_code
Top DNS Query Sources DNS.message_type, DNS.src
Top DNS Queries DNS.message_type, DNS.query
Queries Per Domain DNS.message_type, DNS.query
Recent DNS Queries DNS.message_type
DNS Search DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer
Dashboard Name Panel Title Data Model Data Model Object
Email Activity Top Email Sources Email All_Email.src
Large Emails All_Email.size, src, .src_user, .dest
Rarely Seen Senders All_Email.protocol, .src, .src_user, .recipient
Rarely Seen Receivers All_Email.protocol, .src, .recipient
Email Search All_Email.protocol, .recipient, .src, .src_user, .dest
Endpoint Changes Endpoint Changes By Action Change Analysis All_Changes.Endpoint_Changes, .action
Endpoint Changes By Type All_Changes.Endpoint_Changes, .object_category
Endpoint Changes By System All_Changes.Endpoint_Changes, .object_category, .dest

F - M

Dashboard Name Panel Title Data Model Data Model Object
Forwarder Audit Event Count Over Time By Host None
Hosts By Last Report Time
Splunkd Process Utilization Application State All_Application_State.Processes.cpu_load_percent, .mem_used, .process, All_Application_State.dest
Splunk Service Start Mode All_Application_State.Services.start_mode, .status, .service
HTTP Category Analysis Category Distribution Web Web.src, .category
Category Details Web.src, .dest, .category,
HTTP User Agent Analysis User Agent Distribution Web Web.http_user_agent_length, .http_user_agent
User Agent Details (Web.http_user_agent_length, .src, .dest, .http_user_agent
Dashboard Name Panel Title Data Model Data Model Object
Identity Center Identities By Priority Assets and Identities Identity_Management.All_Identities
Identities By Business Unit
Identities By Category
Identity Information
Incident Review Audit Review Activity By Reviewer None. Calls incident_review_lookup
Notable Events By Status
Top Reviewers
Recent Review Activity
Intrusion Center Attacks Over Time By Severity Intrusion Detection IDS_Attacks.severity
Top Attacks IDS_Attacks.dest, .src, .signature
Scanning Activity (Many Attacks) IDS_Attacks.signature
New Attacks IDS_Attacks.ids_type
Intrusion Search IDS_Attacks.severity, .category, .signature, .src, .dest
Dashboard Name Panel Title Data Model Data Model Object
Malware Center Malware Activity Over Time By Action Malware Malware_Attacks.action
Malware Activity Over Time By Signature Malware_Attacks.signature
Top Infections Malware_Attacks.signature, .dest
New Malware - Last 30 Days None. Calls malware_tracker lookup.
Malware Operations Clients By Product Version None. Calls malware_operations_tracker lookup.
Clients By Signature Version
Oldest Infections
Repeat Infections Malware Malware_Attacks.action, .signature, .dest
Malware Search Malware_Attacks.action, .file_name, .user, .signature, .dest

N - S

Dashboard Name Panel Title Data Model Data Model Object
Network Changes Network Changes By Action Change Analysis All_Changes.Network_Changes, .action
Network Changes By Device All_Changes.Network_Changes, .dvc
New Domain Analysis New Domain Activity Web Web.dest
New Domain Activity By Age
New Domain Activity By TLD
Registration Details None
Dashboard Name Panel Title Data Model Data Model Object
Port & Protocol Tracker Prohibited Or Insecure Traffic Over Time - Last 24 Hours Network Traffic All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
Prohibited Traffic Details - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
Protocol Center Connections By Protocol Network Traffic All_Traffic.app
Usage By Protocol All_Traffic.app, .bytes
Top Connection Sources All_Traffic.src
Risk Analysis Risk Modifiers Over Time Risk Analysis All_Risk.risk_score
Risk Score By Object All_Risk.risk_score
Most Active Sources All_Risk.risk_score, .risk_object
Recent Risk Modifiers All_Risk.*
Dashboard Name Panel Title Data Model Data Model Object
Security Posture Notable Events By Urgency None. Calls es_notable_events lookup.
Notable Events Over Time
Top Notable Events
Top Notable Event Sources
Session Center Sessions Over Time Network Sessions All_Sessions.Session_*
Session Details All_Sessions.*
SSL Activity SSL Activity By Common Name Certificates All_Certificates.SSL.ssl_subject_common_name
SSL Cloud Sessions All_Certificates.SSL.ssl_subject_common_name, .src,
Recent SSL Sessions
SSL Search All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid
System Center Operating Systems None. Calls system_version_tracker lookup.
Top-Average CPU Load By System Performance All_Performance.CPU.cpu_load_percent, All_Performance.dest
Services By System Count Application State All_Application_State.Services
Ports By System Count All_Application_State.Ports

T - Z

Dashboard Name Panel Title Data Model Data Model Object
Threat List Activity Threat List Activity Over Time Intrusion Detection, Network Traffic, or Web.
Most Active Threats
Most Active Threat Lists
Recent Threat List Activity
Time Center Time Synchronization Failures Performance All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action
Systems Not Time Synching All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action
Indexing Time Delay None
Time Service Start Mode Anomalies Application State All_Application_State.Services.start_mode, .Services.status, .dest_should_timesync, .tag, .dest
Traffic Center Traffic Over Time By Action Network Traffic All_Traffic.action
Traffic Over Time By Protocol All_Traffic.transport
Scanning Activity (Many Systems) All_Traffic.dest, .src
Top Sources All_Traffic.src
Traffic Search All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port
Traffic Size Analysis Traffic Size Anomalies Over Time Network Traffic All_Traffic.transport, .src
Traffic Size Details All_Traffic.bytes, .dest, .src
Dashboard Name Panel Title Data Model Data Model Object
Update Center Top Systems Needing Updates Updates Updates.status, .dest, .signature_id, .vendor_product
Top Updates Needed Updates.status, .dest, .signature_id, .vendor_product
Systems Not Updating - Greater Than 30 Days Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status
Update Service Start Mode Anomalies Application State All_Application_State.Services.start_mode, .Services.status, .Services.service, .tag
Update Search Updates Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product
URL Length Analysis URL Length Anomalies Over Time Web Web.http_method, .url
URL Length Details Web.url_length, .src, .dest, .url
Dashboard Name Panel Title Data Model Data Model Object
Vulnerability Center Top Vulnerabilities Vulnerabilities Vulnerabilities.signature, .dest
Most Vulnerable Hosts Vulnerabilities.signature, .severity, .dest
Vulnerabilities By Severity Vulnerabilities.signature, .severity, .dest
New Vulnerabilities Calls vuln_signature_reference lookup
Vulnerability Operations Scan Activity Over Time Vulnerabilities Vulnerabilities.dest
Vulnerabilities By Age Vulnerabilities.severity, .signature, .dest
Delinquent Scanning Vulnerabilities.dest
Vulnerability Search Vulnerabilities.category, .signature, .dest, .severity, .cve,
Web Center Events Over Time By Method Web Web.http_method
Events Over Time By Status Web.status
Top Sources Web.dest, .src
Top Destinations Web.dest, .src
Web Search Web.http_method, .status, .src, .dest, .url

Dashboards to Add-on

These dashboards are included in the Splunk App for Enterprise Security. Use the Navigation editor to add or rearrange dashboards on the menu bar.

To view entire the list of dashboards in the application, go to Search > Dashboards.

Dashboard name Security Domain Part of Add-on
Access Center Access DA-ESS-AccessProtection
Access Search Access DA-ESS-AccessProtection
Access Tracker Access DA-ESS-AccessProtection
Account Management Access DA-ESS-AccessProtection
Asset Center Asset SA-IdentityManagement
Asset Investigator Asset SA-ESS-IdentityManagement
Data Model Audit Audit Splunk_SA_CIM
Default Account Activity Access DA-ESS-AccessProtection
DNS Activity Network DA-ESS-NetworkProtection
DNS Search Network DA-ESS-NetworkProtection
Email Activity Network DA-ESS-NetworkProtection
Email Search Network DA-ESS-NetworkProtection
Endpoint Changes Endpoint DA-ESS-EndpointProtection
Forwarder Audit Audit SA-AuditAndDataProtection
HTTP Category Analysis Network DA-ESS-NetworkProtection
HTTP User Agent Analysis Network DA-ESS-NetworkProtection
Identity Center Identity SA-IdentityManagement
Identity_investigator Identity SA-IdentityManagement
Incident Review Threat SA-ThreatIntelligence
Incident Review Audit Threat SA-ThreatIntelligence
Intrusion Center Network DA-ESS-NetworkProtection
Intrusion Search Network DA-ESS-NetworkProtection
Malware Center Endpoint DA-ESS-EndpointProtection
Malware Operations Endpoint DA-ESS-EndpointProtection
Malware Search Endpoint DA-ESS-EndpointProtection
Network Changes Network DA-ESS-NetworkProtection
New Domain Analysis Network DA-ESS-NetworkProtection
Per-Panel Filter Audit Audit SA-Utils
Port & Protocol Tracker Network DA-ESS-NetworkProtection
Predictive Analytics Splunk_SA_CIM
Protocol Center Network DA-ESS-NetworkProtection
REST Audit Audit SA-Utils
Risk Analysis Threat SA-ThreatIntelligence
Search Audit Audit SA-AuditAndDataProtection
Security Posture SplunkEnterpriseSecuritySuite
Session Center Identity SA-IdentityManagement
SSL Activity Network DA-ESS-NetworkProtection
SSL Search Network DA-ESS-NetworkProtection
Suppression Audit Threat SA-ThreatIntelligence
System Center Endpoint DA-ESS-EndpointProtection
Threat List Activity Threat SA-ThreatIntelligence
Time Center Endpoint DA-ESS-EndpointProtection
Traffic Center Network DA-ESS-NetworkProtection
Traffic Search Network DA-ESS-NetworkProtection
Traffic Size Analysis Network DA-ESS-NetworkProtection
Update Center Endpoint DA-ESS-EndpointProtection
Update Search Endpoint DA-ESS-EndpointProtection
URL Length Analysis Network DA-ESS-NetworkProtection
View Audit Audit SplunkEnterpriseSecuritySuite
Vulnerability Center Network DA-ESS-NetworkProtection
Vulnerability Operations Network DA-ESS-NetworkProtection
Vulnerability Search Network DA-ESS-NetworkProtection
Web Center Network DA-ESS-NetworkProtection
Web Search Network DA-ESS-NetworkProtection

Splunk App for Enterprise Security file structure

The Splunk App for Enterprise Security is composed of a series of underlying apps, each of which is implemented as a subdirectory of the $SPLUNK_HOME/etc/apps/ (*Nix) or $SPLUNK_HOME\etc\apps (Windows) directory in Splunk.

The following table shows the location of the Enterprise Security files within the Splunk directory structure.

Path under $SPLUNK_HOME Description
Contains the core components of the Spunk App for Enterprise Security
Each DA directory provides the underlying functionality for one of the domains
in Splunk for Enterprise Security, including the saved searches, macros, and lookups.
For example, the "DA-EndpointProtection" directory contains the functionality for the Endpoint protection domain.
Each SA directory provides the underlying support modules for a specific area of
knowledge used by the domains in Splunk for Enterprise Security.
Each TA directory contains the files for a specific technology supported by Splunk for Enterprise Security. These files include the content necessary to optimize, normalize, and categorize data inputs.
Last modified on 24 April, 2015
Data models in the Enterprise Security app

This documentation applies to the following versions of Splunk® Enterprise Security: 3.2.1, 3.2.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters