Dashboard requirements matrix
In order to be displayed in the Enterprise Security dashboards, data must conform to the requirements specified in these tables. The tags, fields, and source types required by each dashboard and panel are shown. When certain fields are omitted, they are automatically replaced with default values (such as unknown
). The rest of the data must still meet the source type and tag requirements for the dashboards.
Note: By default, the tags in the "Tags" column use an AND unless specifically defined.
Access Protection
Access Protection provides information about authentication attempts and access-control related events (login, logout, access allowed, access failure, use of default accounts, and so on).
Access Center
Panel
|
Tags
|
Fields
|
Notes
|
Access Over Time
|
authentication
|
action, app, src, src_user, dest, user
|
|
Notable Access Events
|
notable
|
action, app, src, src_user, dest, user
|
|
Top Access
|
authentication
|
action, app, src, src_user, dest, user
|
|
Unique Access
|
authentication
|
action, app, src, src_user, dest, user
|
|
Access Tracker
Panel
|
Tags
|
Fields
|
Notes
|
First Time Account Access
|
authentication
|
action, app, src, src_user, dest, user
|
success (action=success)
|
Inactive Account Usage
|
authentication
|
action, app, src, src_user, dest, user
|
The action field must be success (action=success)
|
Completely Inactive Accounts
|
authentication
|
action, app, src, src_user, dest, user
|
The local field must be true (local=true)
|
Account Usage for Expired Identities
|
authentication
|
user, dest
|
|
Access Search
Panel
|
Tags
|
Fields
|
Notes
|
timeline
|
authentication
|
action, app, src, src_user, dest, user
|
|
Account Management
Panel
|
Tags
|
Fields
|
Notes
|
Management Events by Time
|
account AND (management OR lockout)
|
signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user
|
|
Account Lockouts
|
account AND (management OR lockout)
|
signature, src, src_nt_domain, src_user, dest, dest_nt_domain, user
|
|
Account Management by Source User
|
account AND (management OR lockout)
|
src_user
|
|
Top Account Management Events
|
account AND (management OR lockout)
|
signature
|
|
Recent Account Management
|
account AND (management OR lockout)
|
|
|
Default Account Activity
Panel
|
Tags
|
Fields
|
Notes
|
Default Account Usage by Time
|
account AND (default OR privileged)
|
action,app,src, src_user, dest, user,bunit,category,
|
The action field must be "success" (action=success)
|
Default Accounts in Use
|
account AND (default OR privileged)
|
user,user_category,dest_count
|
|
Default Local Accounts
|
account AND local AND (default OR privileged)
|
user,user_category,dest_count
|
|
Endpoint Protection
Endpoint Protection includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, and so on), system update history (which updates have been applied), and time synchronization information.
Malware Center
Panel
|
Tags
|
Fields
|
Notes
|
Malware Activity Over Time
|
malware AND attack
|
action
|
|
Top Infections
|
malware AND attack
|
action, signature, dest
|
|
Malware Activity by Domain
|
malware AND attack
|
action, dest_nt_domain
|
|
Key Malware Statistics
|
malware AND attack
|
action, signature, dest, dest_nt_domain, vendor_product
|
|
First Time Infections
|
malware AND attack
|
action, signature, dest
|
|
Recent Malware
|
malware AND attack
|
|
|
Malware Search
Panel
|
Tags
|
Fields
|
Notes
|
timeline
|
malware AND attack
|
action, signature, dest, src, dest_nt_domain, user, file_name, file_path, file_hash
|
|
Malware Operations
Panel
|
Tags
|
Fields
|
Notes
|
Average Infection Length by Time
|
malware AND attack
|
action
|
|
Anomalous Malware Infections
|
malware AND attack
|
dest, signature
|
|
Malware Client Distribution
|
endpoint AND application AND report AND version
|
dest, product_version, signature_version
|
|
Malware Signature Update Tracking
|
endpoint AND application AND report AND version
|
dest, product_version
|
|
Endpoint Application Errors
|
endpoint AND application AND error
|
|
|
System Center
Panel
|
Source type
|
Tags
|
Fields
|
Notes
|
Operating Systems
|
|
os AND report AND version AND listening port
|
os
|
|
Resource Utilization (cpu time)
|
*:CPUTime
|
os AND report AND version AND listening port
|
PercentSystemTime, PercentUserTime
|
|
Resource Utilization (memory)
|
*:Memory
|
os AND report AND version AND listening port
|
UsedBytes, FreeMBytes, TotalMBytes
|
|
Resource Utilization (disk)
|
*:FreeDiskSpace
|
os AND report AND version AND listening port
|
FreeMegabytes, PercentFreeSpace, TotalMBytes, UsedMBytes
|
|
System Uptime
|
*:Uptime
|
os AND report AND version AND listening port
|
SystemUpTime
|
|
System Configurations (SSHD Config)
|
*:SSHDConfig
|
os AND report AND version AND listening port
|
dest, sshd_protocol,
|
|
System Configurations (SE Linux config)
|
*:SELinuxConfig
|
os AND report AND version AND listening port
|
dest, selinux
|
|
Processes/Services (processes)
|
*:LocalProcesses
|
os AND report AND version AND listening port
|
app
|
|
Processes/Services (services)
|
*:Service
|
os AND report AND version AND listening port
|
app
|
|
Ports/Users (ports)
|
*:UserAccounts
|
os AND report AND version AND listening port
|
transport, dest, dest_port, user
|
|
Time Center
Panel
|
Source type
|
Tags
|
Fields
|
Notes
|
Systems Not Time Synching
|
|
time AND synchronize AND failure
|
dest
|
|
Indexing Time Delay
|
|
time AND synchronize AND failure
|
host, should_time_sync
|
|
NTP Anomalous StartMode
|
*:Service
|
time AND synchronize AND failure
|
StartMode
|
|
Recent Time Synchronization Failure
|
|
time AND synchronize AND failure
|
|
|
Endpoint Changes
Panel
|
Source type
|
Tags
|
Fields
|
Notes
|
Endpoint Changes by Action
|
|
fs_notification OR WinRegistry
|
dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash
|
|
Endpoint Changes by Type
|
|
fs_notification OR WinRegistry
|
dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash
|
|
Top Changes by System
|
|
fs_notification OR WinRegistry
|
dest, change_type, action, path, isdir, size, gid, uid, modtime, mode, hash
|
|
Recent Endpoint Changes
|
|
fs_notification OR WinRegistry
|
|
|
Patch / Update Center
Panel
|
Source type
|
Tags
|
Fields
|
Notes
|
Updates by Status
|
|
os AND update AND status
|
status AND (HotFixID OR package)
|
|
Systems Not Updating
|
|
os AND update AND status
|
status AND (HotFixID OR package)
|
|
Automatic Update Anomalous StartMode
|
*:Service
|
os AND update AND status
|
dest, app, start_mode
|
|
Anomalous System Uptime
|
*:Uptime
|
os AND update AND status
|
SystemUpTime, should_update, dest
|
|
Recent Update Errors
|
|
os AND update AND status
|
|
|
Successful Updates
|
|
os AND update AND status
|
status AND (HotFixID OR package)
|
|
Patch / Update Profiler
Panel
|
Source type
|
Tags
|
Fields
|
Notes
|
Patches / Updates
|
|
os AND update AND status(HotFixID OR package)
|
dest, app, signature, status
|
|
Network Protection
Network Protection includes information about network traffic provided from devices such as firewalls, routers, and network-based intrusion detection systems.
Traffic Center
Panel
|
Tags
|
Fields
|
Notes
|
Network Traffic Over Time
|
network AND communicate
|
action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port
|
|
Top Network Traffic
|
network AND communicate
|
action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port
|
|
Network Scanning Activity (port scanners)
|
network AND communicate
|
dest_port, src
|
|
Network Scanning Activity (system scanners)
|
network AND communicate
|
dest, src
|
|
Traffic Search
Panel
|
Tags
|
Fields
|
Notes
|
timeline
|
network AND communicate
|
action, bytes, bytes_in, bytes_out, dvc, transport, src, dest, src_port, dest_port, vendor, product
|
|
Intrusion Center
Panel
|
Tags
|
Fields
|
Notes
|
IDS Activity by Category/Severity
|
ids AND attack
|
category, severity
|
|
IDS Scanning Activity
|
ids AND attack
|
signature, src
|
|
IDS Activity Over Time
|
ids AND attack
|
dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application
|
is_network, is_wireless, is_host, is_application are derived by ES and do not need to be extracted
|
|
Top Attacks
|
ids AND attack
|
dvc, category, signature, severity, src, dest, user, vendor_product, is_network, is_wireless, is_host, is_application
|
is_network, is_wireless, is_host, is_application are derived by ES and do not need to be extracted
|
|
First Time Attacks
|
ids AND attack
|
signature, dest
|
|
Intrusion Search
Panel
|
Tags
|
Fields
|
Notes
|
timeline
|
ids AND attack
|
category, dest, dest_port, dvc, severity, signature, src, src_port, usr, vendor_product
|
|
Vulnerability Center
Panel
|
Tags
|
Fields
|
Notes
|
Top Vulnerabilities
|
vulnerability AND report
|
signature
|
|
Most Vulnerable Hosts
|
vulnerability AND report
|
signature, severity
|
|
Vulnerabilities by Category/Severity
|
vulnerability AND report
|
category, severity, signature, dest
|
|
First Time Vulnerabilities
|
vulnerability AND report
|
category, severity, signature, dest
|
|
Vulnerability Operations
Panel
|
Tags
|
Fields
|
Notes
|
Vulnerability Scan Activity
|
vulnerability AND dvc AND report
|
severity, business unit, category, time
|
|
Vulnerabilities by Age
|
vulnerability AND dvc AND report
|
signature, dest
|
|
Delinquent Scanning
|
vulnerability AND dvc AND report
|
category, severity, signature, dest, os
|
|
Vulnerability Profiler
Panel
|
Tags
|
Fields
|
Notes
|
Vulnerability Profiler
|
vulnerability
|
category, severity, signature, cve, dest
|
|
Web Center
Panel
|
Tags
|
Fields
|
Notes
|
Proxy Events
|
web AND proxy
|
status, action, http_method, http_content_type, http_user_agent, src, dest
|
Proxy Events (note that the client machine is the dest and the server is the src)
|
Events Over Time By Method
|
web AND proxy
|
status, action, http_method, http_content_type, http_user_agent
|
Proxy Events Over Time
|
Events Over Time By Status
|
web AND proxy
|
status, action, http_method, http_content_type, http_user_agent
|
Proxy Events Over Time
|
Top Source/Destination
|
web AND proxy
|
src, dest, bytes_in, bytes_out
|
Top Source/Destination
|
Proxy Search
Panel
|
Tags
|
Fields
|
Notes
|
timeline
|
web AND proxy
|
bytes_in, bytes_out, action, status, src, dest, http_content_type, http_method, http_referrer, http_user_agent, url, user
|
|
Network Changes
Panel
|
Tags
|
Fields
|
Notes
|
Network Changes by Action
|
network AND change
|
dvc, action, user, command
|
|
Network Changes by Device
|
network AND change
|
dvc, action, user, command
|
|
Recent Network Changes
|
network AND change
|
dvc, action, user, command
|
|
Port & Protocol Tracker
Panel
|
Tags
|
Fields
|
Notes
|
First Time Port Activity
|
network AND communicate
|
dvc, transport, dest_port
|
The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0
|
Port Activity by Status
|
network AND communicate
|
transport, dest_port
|
The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0
|
Port Status by Time
|
network AND communicate
|
transport, dest_port
|
The action field value must be "allowed" (action=allowed) and the dest_port must be greater than 0
|
Identity
Identity correlation includes views that summarize the asset and identity lists and network sessions (DHCP, VPN).
Asset Center
The Asset Center contents are based on the asset list lookup files (for example assets.csv
).
Identity Center
The Identity Center contents are based upon the identity list lookup files (for example identities.csv
).
Asset and Identity Search
The Asset and Identity Search dashboard is a timeline that uses information from the various asset and identity lists.
Panel
|
Tags
|
Fields
|
Notes
|
timeline
|
|
Fields are from the asset and identity files
|
Data comes from the available asset and identity lists (like assets.csv and identities.csv )
|
Session Center
Panel
|
Tags
|
Fields
|
Notes
|
Sessions Over Time
|
network AND session (start OR end)
|
key, ip, mac, nt_host, dns, user, startTime, endTime
|
|
Sessions Length Distribution
|
network AND session (start OR end)
|
key, ip, mac, nt_host, dns, user, startTime, endTime
|
|
Sessions
|
network AND session (start OR end)
|
ip, mac, nt_host, dns, user, startTime, endTime
|
|
Audit
Incident Review Audit
Panel
|
Tags
|
Fields
|
Notes
|
Review Activity by Reviewer over Time
|
default OR privileged
|
app, view, user
|
|
Notable Events by Status
|
default OR privileged
|
app, view, user
|
|
Top Reviewers
|
default OR privileged
|
app, view, user
|
|
Recent Review Activity
|
default OR privileged
|
app, view, user
|
|
Suppression Audit
Panel
|
Tags
|
Fields
|
Notes
|
Currently Suppressed Events (Last 24 hours)
|
action AND status AND user
|
rule_id, source, suppression, urgency
|
|
Suppressed Notable Event History
|
action AND status AND user
|
rule_id, source, suppression, urgency
|
|
Suppression Management Activity
|
action AND status AND user
|
rule_id, source, suppression, urgency
|
|
Expired Suppressions
|
action AND status AND user
|
rule_id, source, suppression, urgency
|
|
Forwarder Audit
Panel
|
Tags
|
Fields
|
Notes
|
Host Event Count over Time
|
host AND app
|
_time, app, view, user, host
|
|
Hosts Not Reporting
|
host AND app
|
host, user
|
|
Splunkd Resource Utilization
|
host AND app
|
_time, host
|
|
Splunkd Anomalous StartMode
|
host AND app
|
anomalous, avail, check, default, os, privileged, process, report, should_timesync, should_update
|
|
Search Audit
The Search Audit dashboard uses audit data, collected automatically from the audit index during normal operation (base search: index=_audit).
Panel
|
Tags
|
Fields
|
Notes
|
Search Activity by Type
|
|
action, app, src, src_user, dest, user
|
uses the `search_activity` search macro
|
Search Activity by user
|
|
action, app, src, src_user, dest, user
|
uses the `search_activity` search macro
|
Search Activity by Expense
|
|
action, app, src, src_user, dest, user
|
uses the `search_activity` search macro
|
View Audit
The View Audit dashboard shows audit data related to view activity; used to verify that a particular view has been visited; typically used to satisfy governance requirements dictating that certain logs or reports must be reviewed on a regular basis (base search: | `expected_views(<app name>)`. Some panels require populating the expected_views.csv
lookup.
Panel
|
Tags
|
Fields
|
Notes
|
Splunk App for Enterprise Security View Activity
|
is_expected
|
action, app, src, src_user, dest, user
|
expected_views.csv needs to be populated
|
Expanded View Activity
|
is_expected AND privileged OR default
|
action, app, src, src_user, dest, user
|
expected_views.csv needs to be populated
|
Expected View Scorecard
|
is_expected
|
action, app, src, src_user, dest, user
|
expected_views.csv needs to be populated
|
Recent Web Service Errors
|
web AND error
|
action, app, src, src_user, dest, user
|
|
Feedback submitted, thanks!