Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Network dashboards

The Network dashboards provide insight into the network and network-based devices, including routers, switches, firewalls, and IDS devices.

Traffic Center

The Traffic Center dashboard profiles overall network traffic, helps detect trends in type and changes in volume of traffic, and helps to isolate the cause (for example, a particular device or source) of those changes.

Es-TrafficCenter dashboard.png

Relevant data sources

Relevant data sources include all the traffic on the network, including overall volume, devices or users generating traffic, per-port traffic, and data from vulnerability scanners on the network.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Network_Traffic data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "network" AND "communicate".

Dashboard description

Traffic Center dashboard data is derived from the Network_Traffic data model and accelerated automatically.

To verify that traffic data is present, use this search:

 | datamodel Network_Traffic All_Traffic search 

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Network_Traffic by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that traffic data is indexed in Splunk tag=network tag=communicate
or | datamodel Network_Traffic All_Traffic search
Returns all traffic data from your device(s)
Verify that traffic data is normalized to the Common Information Model properly | datamodel Network_Traffic All_Traffic search | table action, dvc, transport, src, dest, src_port, dest_port Returns a list of events and the specific traffic data fields populated from your device(s)

Additional Information

For more information about using the Traffic Center dashboard, see "Traffic Center dashboard" in the Splunk App for Enterprise Security User Manual.

Traffic Search

The Traffic Search dashboard displays an overview of all traffic data, firewall events, and port information.

Es-TrafficSearchDashboard22.png

Use the filters to narrow your search. Click on an item to drill down to the raw data represented.

Relevant data sources

Relevant data sources for the Traffic Search dashboard include data from firewall devices, port data, and log file entries.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Network Traffic data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "network" AND "communicate".

Dashboard description

Traffic Search dashboard data is derived from the Network_Traffic data model and accelerated automatically.

To verify that network data is present, use this search:

 | datamodel Network_Traffic All_Traffic search 

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Network_Traffic by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that traffic data is indexed in Splunk tag=network tag=communicate or
| datamodel Network_Traffic All_Traffic search
Returns traffic data from your device(s)
Verify that traffic data is normalized to the Common Information Model properly | datamodel Network_Traffic All_Traffic search | table action, dvc, transport, src, dest, src_port, dest_port, vendor, product Returns a list of events and the specific traffic data fields populated from your device(s)

Additional Information

For more information about using the Traffic Search dashboard, see "Traffic Search dashboard" in the Splunk App for Enterprise Security User Manual.

Intrusion Center

The Intrusion Center dashboard provides an overview of all network intrusion events from the Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) on the network that are providing data into Splunk.

Es-IntrusionCenterDashboard22 1.png Es-IntrusionCenterDashboard22 2.png

Relevant data sources

Relevant data sources for the Intrusion Center dashboard include IDS and IPS data from devices in your network.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Intrusion Detection data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "ids" AND "attack".

Dashboard description

Intrusion Center dashboard data is derived from the Intrusion_Detection data model and accelerated automatically.

To verify that intrusion data is present, use this search:

 | datamodel Intrusion_Detection IDS_Attacks search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Intrusion_Detection by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that intrusion center data is indexed in Splunk tag=ids tag=attack or
| datamodel Intrusion_Detection IDS_Attacks search
Returns intrusion center data from your device(s)
Verify that intrusion center data is normalized to the Common Information Model properly | datamodel Intrusion_Detection IDS_Attacks search | table dvc signature severity, src dest user vendor_product is_network is_wireless is_host is_application Returns a list of events and the specific intrusion data fields populated from your device(s)

Additional Information

For more information about using the Intrusion Center dashboard, see "Intrusion Center dashboard" in the Splunk App for Enterprise Security User Manual.

Intrusion Search

The Intrusion Search dashboard helps you to search for IDS-related or IPS-related events such as attacks or unusual activity.

IntrusionSearchDashboard22.png

Use the filters at the top of the dashboard to narrow your search. Click on an item to view the raw data.

Relevant data sources

Relevant data sources for the Intrusion Search dashboard include IDS and IPS data from devices in your network and data indexed in Splunk.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Intrusion Detection data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "ids" AND "attack".

Dashboard description

Intrusion Search dashboard data is derived from the Intrusion_Detection data model and accelerated automatically.

To verify that intrusion data is present, use this search:

 | datamodel Intrusion_Detection IDS_Attacks search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Intrusion_Detection by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that intrusion search data is indexed in Splunk tag=ids tag=attack or
| datamodel Intrusion_Detection IDS_Attacks search
Returns local intrusion search data from your device(s)
Verify that intrusion search data is normalized to the Common Information Model properly | datamodel Intrusion_Detection IDS_Attacks search | table dvc signature severity, src dest user vendor_product is_network is_wireless is_host is_application Returns a list of events and the specific intrusion search data fields populated from your device(s)

Additional Information

For more information about using the Intrusion Search dashboard, see "Intrusion Search dashboard" in the Splunk App for Enterprise Security User Manual.

Vulnerability Center

The Vulnerability Center provides an overview of the events detected by vulnerability scanners, which proactively identify issues that may be used to gain unauthorized access to the IT systems.

Es-VulnerabilityCenterDashboard.png

Relevant data sources

Relevant data sources for the Vulnerability Center dashboard include data from any vulnerability management systems in your network, along with host and user data indexed by Splunk.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Vulnerabilities data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "vulnerability" AND "report".

Dashboard description

Vulnerability Center dashboard data is derived from the Vulnerabilites data model and accelerated automatically.

To verify that vulnerability data is present, use this search:

 | datamodel Vulnerabilites search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Vulnerabilites by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that vulnerabilty data is indexed in Splunk tag=vulnerability tag=report or
| datamodel Vulnerabilites search
Returns all vulnerability data from your device(s)
Verify that vulnerability data is normalized to the Common Information Model properly | datamodel Vulnerabilites search | table category severity signature dest Returns a list of events and the specific vulnerability data fields populated from your device(s)

Additional Information

For more information about using the Vulnerability Center dashboard, see "Vulnerability Center dashboard" in the Splunk App for Enterprise Security User Manual.

Vulnerability Operations

The Vulnerability Operations dashboard tracks the status and activity of the vulnerability detection products deployed in your environment.

Es-VulnerabilityOperationsDashboard.png

Use the fields at the top of the dashboard to narrow your search. Click on an item to drill down to the raw data.

Relevant data sources

Relevant data sources for the Vulnerability Operations dashboard include data from any IDS or IPS tracking device in your network, along with host and user data indexed in Splunk.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Vulnerabilities data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "vulnerability" AND "dvc" AND "report".

Dashboard description

Vulnerability Operations dashboard data is derived from the Vulnerabilities data model and accelerated automatically.

To verify that vulnerability data is present, use this search:

 | datamodel Vulnerabilities search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Vulnerabilities by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag=vulnerability tag=dvc tag=report or
| datamodel Vulnerabilities search
Returns all vulnerability data from your device(s)
Verify that vulnerability data is normalized to the Common Information Model properly | datamodel Vulnerabilities search | table severity category business_unit time Returns a list of events and the specific vulnerability data fields populated from your device(s)

Additional Information

For more information about using the Vulnerability Operations dashboard, see "Vulnerability Operations dashboard" in the Splunk App for Enterprise Security User Manual.

Vulnerability Profiler

The Vulnerability Profiler helps you to search for all vulnerability-related events in your environment.

Es-VulnerabilityProfilerDashboard.png

Use the fields to filter results and narrow your search. Click an item to drill down to the raw data.

Relevant data sources

Relevant data sources for the Vulnerability Profiler dashboard include data from any IDS or IPS tracking device in your network, along with host and user data indexed by Splunk.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Vulnerabilities data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag your data with "vulnerability".

Dashboard description

Vulnerability Profiler dashboard data is derived from the Vulnerabilities data model and accelerated automatically.

To verify that vulnerability data is present, use this search:

 | datamodel Vulnerabilities search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Vulnerabilities by user

For more information on distributed namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag=vulnerability or
| datamodel Vulnerabilities search
Returns all vulnerability data from your device(s)
Verify that vulnerability data is normalized to the Common Information Model properly | datamodel Vulnerabilities search | table severity category signature cve dest Returns a list of events and the specific vulnerability data fields populated from your device(s)

Additional Information

For more information about using the Vulnerability Profiler dashboard, see "Vulnerability Profiler dashboard" in the Splunk App for Enterprise Security User Manual.[[[Category:V:ES:3.2.2]]

Last modified on 03 June, 2015
Endpoint dashboards   More Network dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters