This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Dashboard requirements matrix
The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are accelerated using the data model acceleration feature of Splunk Enterprise. The tables break out the Enterprise Security app dashboard to the data models being referenced.
Dashboard to data model
A - E
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Access Center | Access Over Time By Action | Authentication | Authentication.action |
| Access Over Time By App | Authentication.app | ||
| Top Access By Source | Authentication.src | ||
| Top Access By Unique User | Authentication.user,.src | ||
| Access Search | Authentication.action, .app, src, .dest, .user, src_user | ||
| Access Tracker | First Time Access - Last 7 days | None. Calls access_tracker lookup | |
| Inactive Account Usage - Last 90 days | |||
| Completely Inactive Accounts - Last 90 days | |||
| Account Usage For Expired Identities - Last 7 days | Authentication | Authentication.dest | |
| Account Management | Account Management Over Time | Change Analysis | All_Changes.Account_Management, .action |
| Account Lockouts | All_Changes.Account_Management, .result | ||
| Account Management By Source User | All_Changes.Account_Management, .src_user | ||
| Top Account Management Events | All_Changes.Account_Management, .action | ||
| Asset Center | Assets By Priority | Assets And Identities | All_Assets. |
| Assets By Business Unit | All_Assets. | ||
| Assets By Category | All_Assets. | ||
| Asset Information | All_Assets. | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Default Account Activity | Default Account Usage Over Time By App | Authentication | Authentication.Default_Authentication, .action, .app |
| Default Accounts In Use | Authentication.user_category, .dest, .user | ||
| Default Local Accounts | None. Calls useraccounts_tracker lookup | ||
| DNS Activity | Top Reply Codes By Unique Sources | Network Resolution DNS | DNS.message_type, DNS.reply_code |
| Top DNS Query Sources | DNS.message_type, DNS.src | ||
| Top DNS Queries | DNS.message_type, DNS.query | ||
| Queries Per Domain | DNS.message_type, DNS.query | ||
| Recent DNS Queries | DNS.message_type | ||
| DNS Search | DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Email Activity | Top Email Sources | All_Email.src | |
| Large Emails | All_Email.size, src, .src_user, .dest | ||
| Rarely Seen Senders | All_Email.protocol, .src, .src_user, .recipient | ||
| Rarely Seen Receivers | All_Email.protocol, .src, .recipient | ||
| Email Search | All_Email.protocol, .recipient, .src, .src_user, .dest | ||
| Endpoint Changes | Endpoint Changes By Action | Change Analysis | All_Changes.Endpoint_Changes, .action |
| Endpoint Changes By Type | All_Changes.Endpoint_Changes, .object_category | ||
| Endpoint Changes By System | All_Changes.Endpoint_Changes, .object_category, .dest | ||
F - M
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Forwarder Audit | Event Count Over Time By Host | None | |
| Hosts By Last Report Time | |||
| Splunkd Process Utilization | Application State | All_Application_State.Processes.cpu_load_percent, .mem_used, .process, All_Application_State.dest | |
| Splunk Service Start Mode | All_Application_State.Services.start_mode, .status, .service | ||
| HTTP Category Analysis | Category Distribution | Web | Web.src, .category |
| Category Details | Web.src, .dest, .category, | ||
| HTTP User Agent Analysis | User Agent Distribution | Web | Web.http_user_agent_length, .http_user_agent |
| User Agent Details | (Web.http_user_agent_length, .src, .dest, .http_user_agent |
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Identity Center | Identities By Priority | Assets and Identities | Identity_Management.All_Identities |
| Identities By Business Unit | |||
| Identities By Category | |||
| Identity Information | |||
| Incident Review Audit | Review Activity By Reviewer | None. Calls incident_review_lookup | |
| Notable Events By Status | |||
| Top Reviewers | |||
| Recent Review Activity | |||
| Intrusion Center | Attacks Over Time By Severity | Intrusion Detection | IDS_Attacks.severity |
| Top Attacks | IDS_Attacks.dest, .src, .signature | ||
| Scanning Activity (Many Attacks) | IDS_Attacks.signature | ||
| New Attacks | IDS_Attacks.ids_type | ||
| Intrusion Search | IDS_Attacks.severity, .category, .signature, .src, .dest | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Malware Center | Malware Activity Over Time By Action | Malware | Malware_Attacks.action |
| Malware Activity Over Time By Signature | Malware_Attacks.signature | ||
| Top Infections | Malware_Attacks.signature, .dest | ||
| New Malware - Last 30 Days | None. Calls malware_tracker lookup. | ||
| Malware Operations | Clients By Product Version | None. Calls malware_operations_tracker lookup. | |
| Clients By Signature Version | |||
| Oldest Infections | |||
| Repeat Infections | Malware | Malware_Attacks.action, .signature, .dest | |
| Malware Search | Malware_Attacks.action, .file_name, .user, .signature, .dest | ||
N - S
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Network Changes | Network Changes By Action | Change Analysis | All_Changes.Network_Changes, .action |
| Network Changes By Device | All_Changes.Network_Changes, .dvc | ||
| New Domain Analysis | New Domain Activity | Web | Web.dest |
| New Domain Activity By Age | |||
| New Domain Activity By TLD | |||
| Registration Details | None |
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Port & Protocol Tracker | Prohibited Or Insecure Traffic Over Time - Last 24 Hours | Network Traffic | All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port |
| Prohibited Traffic Details - Last 24 Hours | All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port | ||
| Protocol Center | Connections By Protocol | Network Traffic | All_Traffic.app |
| Usage By Protocol | All_Traffic.app, .bytes | ||
| Top Connection Sources | All_Traffic.src | ||
| Risk Analysis | Risk Modifiers Over Time | Risk Analysis | All_Risk.risk_score |
| Risk Score By Object | All_Risk.risk_score | ||
| Most Active Sources | All_Risk.risk_score, .risk_object | ||
| Recent Risk Modifiers | All_Risk.* |
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Security Posture | Notable Events By Urgency | None. Calls es_notable_events lookup. | |
| Notable Events Over Time | |||
| Top Notable Events | |||
| Top Notable Event Sources | |||
| Session Center | Sessions Over Time | Network Sessions | All_Sessions.Session_* |
| Session Details | All_Sessions.* | ||
| SSL Activity | SSL Activity By Common Name | Certificates | All_Certificates.SSL.ssl_subject_common_name |
| SSL Cloud Sessions | All_Certificates.SSL.ssl_subject_common_name, .src, | ||
| Recent SSL Sessions | |||
| SSL Search | All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid | ||
| System Center | Operating Systems | None. Calls system_version_tracker lookup. | |
| Top-Average CPU Load By System | Performance | All_Performance.CPU.cpu_load_percent, All_Performance.dest | |
| Services By System Count | Application State | All_Application_State.Services | |
| Ports By System Count | All_Application_State.Ports | ||
T - Z
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Threat List Activity | Threat List Activity Over Time | Intrusion Detection, Network Traffic, or Web. | |
| Most Active Threats | |||
| Most Active Threat Lists | |||
| Recent Threat List Activity | |||
| Time Center | Time Synchronization Failures | Performance | All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action |
| Systems Not Time Synching | All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action | ||
| Indexing Time Delay | None | ||
| Time Service Start Mode Anomalies | Application State | All_Application_State.Services.start_mode, .Services.status, .dest_should_timesync, .tag, .dest | |
| Traffic Center | Traffic Over Time By Action | Network Traffic | All_Traffic.action |
| Traffic Over Time By Protocol | All_Traffic.transport | ||
| Scanning Activity (Many Systems) | All_Traffic.dest, .src | ||
| Top Sources | All_Traffic.src | ||
| Traffic Search | All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port | ||
| Traffic Size Analysis | Traffic Size Anomalies Over Time | Network Traffic | All_Traffic.transport, .src |
| Traffic Size Details | All_Traffic.bytes, .dest, .src | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Update Center | Top Systems Needing Updates | Updates | Updates.status, .dest, .signature_id, .vendor_product |
| Top Updates Needed | Updates.status, .dest, .signature_id, .vendor_product | ||
| Systems Not Updating - Greater Than 30 Days | Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status | ||
| Update Service Start Mode Anomalies | Application State | All_Application_State.Services.start_mode, .Services.status, .Services.service, .tag | |
| Update Search | Updates | Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product | |
| URL Length Analysis | URL Length Anomalies Over Time | Web | Web.http_method, .url |
| URL Length Details | Web.url_length, .src, .dest, .url | ||
| Dashboard Name | Panel Title | Data Model | Data Model Object |
|---|---|---|---|
| Vulnerability Center | Top Vulnerabilities | Vulnerabilities | Vulnerabilities.signature, .dest |
| Most Vulnerable Hosts | Vulnerabilities.signature, .severity, .dest | ||
| Vulnerabilities By Severity | Vulnerabilities.signature, .severity, .dest | ||
| New Vulnerabilities | Calls vuln_signature_reference lookup | ||
| Vulnerability Operations | Scan Activity Over Time | Vulnerabilities | Vulnerabilities.dest |
| Vulnerabilities By Age | Vulnerabilities.severity, .signature, .dest | ||
| Delinquent Scanning | Vulnerabilities.dest | ||
| Vulnerability Search | Vulnerabilities.category, .signature, .dest, .severity, .cve, | ||
| Web Center | Events Over Time By Method | Web | Web.http_method |
| Events Over Time By Status | Web.status | ||
| Top Sources | Web.dest, .src | ||
| Top Destinations | Web.dest, .src | ||
| Web Search | Web.http_method, .status, .src, .dest, .url | ||
Dashboards to Add-on
These dashboards are included in the Splunk App for Enterprise Security. Use the Navigation editor to add or rearrange dashboards and menus.
To view entire the list of dashboards in the application, go to Search > Dashboards.
| Dashboard name | Security Domain | Part of Add-on |
|---|---|---|
| Access Center | Access | DA-ESS-AccessProtection |
| Access Search | Access | DA-ESS-AccessProtection |
| Access Tracker | Access | DA-ESS-AccessProtection |
| Account Management | Access | DA-ESS-AccessProtection |
| Asset Center | Asset | SA-IdentityManagement |
| Asset Investigator | Asset | SA-ESS-IdentityManagement |
| Data Model Audit | Audit | Splunk_SA_CIM |
| Default Account Activity | Access | DA-ESS-AccessProtection |
| DNS Activity | Network | DA-ESS-NetworkProtection |
| DNS Search | Network | DA-ESS-NetworkProtection |
| Email Activity | Network | DA-ESS-NetworkProtection |
| Email Search | Network | DA-ESS-NetworkProtection |
| Endpoint Changes | Endpoint | DA-ESS-EndpointProtection |
| Forwarder Audit | Audit | SA-AuditAndDataProtection |
| HTTP Category Analysis | Network | DA-ESS-NetworkProtection |
| HTTP User Agent Analysis | Network | DA-ESS-NetworkProtection |
| Identity Center | Identity | SA-IdentityManagement |
| Identity_investigator | Identity | SA-IdentityManagement |
| Incident Review | Threat | SA-ThreatIntelligence |
| Incident Review Audit | Threat | SA-ThreatIntelligence |
| Intrusion Center | Network | DA-ESS-NetworkProtection |
| Intrusion Search | Network | DA-ESS-NetworkProtection |
| Malware Center | Endpoint | DA-ESS-EndpointProtection |
| Malware Operations | Endpoint | DA-ESS-EndpointProtection |
| Malware Search | Endpoint | DA-ESS-EndpointProtection |
| Network Changes | Network | DA-ESS-NetworkProtection |
| New Domain Analysis | Network | DA-ESS-NetworkProtection |
| Per-Panel Filter Audit | Audit | SA-Utils |
| Port & Protocol Tracker | Network | DA-ESS-NetworkProtection |
| Predictive Analytics | Splunk_SA_CIM | |
| Protocol Center | Network | DA-ESS-NetworkProtection |
| REST Audit | Audit | SA-Utils |
| Risk Analysis | Threat | SA-ThreatIntelligence |
| Search Audit | Audit | SA-AuditAndDataProtection |
| Security Posture | SplunkEnterpriseSecuritySuite | |
| Session Center | Identity | SA-IdentityManagement |
| SSL Activity | Network | DA-ESS-NetworkProtection |
| SSL Search | Network | DA-ESS-NetworkProtection |
| Suppression Audit | Threat | SA-ThreatIntelligence |
| System Center | Endpoint | DA-ESS-EndpointProtection |
| Threat List Activity | Threat | SA-ThreatIntelligence |
| Time Center | Endpoint | DA-ESS-EndpointProtection |
| Traffic Center | Network | DA-ESS-NetworkProtection |
| Traffic Search | Network | DA-ESS-NetworkProtection |
| Traffic Size Analysis | Network | DA-ESS-NetworkProtection |
| Update Center | Endpoint | DA-ESS-EndpointProtection |
| Update Search | Endpoint | DA-ESS-EndpointProtection |
| URL Length Analysis | Network | DA-ESS-NetworkProtection |
| View Audit | Audit | SplunkEnterpriseSecuritySuite |
| Vulnerability Center | Network | DA-ESS-NetworkProtection |
| Vulnerability Operations | Network | DA-ESS-NetworkProtection |
| Vulnerability Search | Network | DA-ESS-NetworkProtection |
| Web Center | Network | DA-ESS-NetworkProtection |
| Web Search | Network | DA-ESS-NetworkProtection |
Splunk App for Enterprise Security file structure
The Splunk App for Enterprise Security is composed of a series of underlying apps, each of which is implemented as a subdirectory of the $SPLUNK_HOME/etc/apps/ (*Nix) or $SPLUNK_HOME\etc\apps (Windows) directory in Splunk.
The following table shows the location of the Enterprise Security files within the Splunk directory structure.
| Path under $SPLUNK_HOME | Description |
|---|---|
| etc/apps/SplunkEnterpriseSecuritySuite etc\apps\SplunkEnterpriseSecuritySuite |
Contains the core components of the Spunk App for Enterprise Security |
| etc/apps/DA-* etc\apps\DA-* |
Each DA directory provides the underlying functionality for one of the domains in Splunk for Enterprise Security, including the saved searches, macros, and lookups. For example, the "DA-EndpointProtection" directory contains the functionality for the Endpoint protection domain. |
| etc/apps/SA- etc\apps\SA-* |
Each SA directory provides the underlying support modules for a specific area of knowledge used by the domains in Splunk for Enterprise Security. |
| etc/apps/TA-* etc\apps\TA-* |
Each TA directory contains the files for a specific technology supported by Splunk for Enterprise Security. These files include the content necessary to optimize, normalize, and categorize data inputs. |
Last modified on 26 January, 2015
| FAQ | Data models in the Enterprise Security app |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.2
Download manual
Feedback submitted, thanks!