Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Dashboard overview

The Splunk App for Enterprise Security provides a range of dashboards that form a high-level overview of all security threats on your system.

Default dashboards

This section covers the dashboards that are visible by default as part of the Splunk App for Enterprise Security. You can modify which dashboards are displayed and the menus in which they appear.

By default, the Splunk App for Enterprise Security dashboards displayed are:

The Search dashboards contain Dashboards, Reports, Pivot, and Search.

Security Posture and Incident Review dashboards

The Security Posture and Incident Review dashboards provide a high-level overview of the Enterpirse Security deployment. Both these dashboards use notable events, aggregated events that identify specific patterns or security issues that require investigation. Notable events are generated by searches called correlation searches. Initially, you will not see any content in these dashboards; content will appear when the underlying correlation searches have been enabled.

  • Security Posture: "Are things OK?" The primary Enterprise Security dashboard. This provides a high-level visual summary and trend indication of the notable events across all of your deployment in the past 24 hours. This dashboard is continuously updated by real-time searches.
  • Incident Review: "What should we do now?" Shows the details of all notable events identified within your deployment. From this dashboard you can monitor notable event activity, filter events by criteria such as urgency or domain, or manage the status of the notable events.

Domain dashboards

The domain dashboards give visibility into the three primary domains of security: Access protection, Endpoint protection, and Network protection, and provide the following functionality:

  • Access: Provides information about authentication attempts and access control related events (login, logout, access allowed, access failure, use of default accounts, and so on).
  • Endpoint: Includes information about endpoints such as malware infections, system configuration, system state (CPU usage, open ports, uptime, and so on), patch status and history (which updates have been applied) and time synchronization information.
  • Network: Includes information about network traffic provided from devices such as firewalls, routers, network-based intrusion detection systems, network vulnerability scanners, proxy servers, and hosts.

Each domain includes summary dashboards that give an overview of important security areas along with search dashboards that allow you to drill down into more detailed information. Dashboards are categorized as centers, profilers, or search dashboards.

  • Centers (for example, "Malware Center", "Asset Center", and so on): Provide an overview of the security events for a given domain. These overview dashboards identify significant trends or show relevant issues that may require attention.
  • Profilers (for example, "Patch / Update Profiler", "Vulnerability Profiler"): Provide information about a particular user or object. For example, the patch /update profiler provides information about which devices have been updated with a particular patch or software update.
  • Analysis (for example, "Traffic Size Analysis", "HTTP User Agent Analysis"): Provide statistical information about data and events being monitored. Using a variety of custom filters, you can locate and identify anomalous events to investigate.
  • Search dashboards (for example, "Proxy Search", "Vulnerability Search"): Search dashboards provide rapid access to domain-specific search tools, without requiring advanced knowledge of the Splunk search language.

Some Splunk App for Enterprise Security dashboard panels are populated by saved searches or time-independent searches.

This behavior applies these dashboard panels:

  • Access Center > Notable Access Events (saved search)
  • Malware Center > Key Malware Statistics (time-independent)
  • Traffic Center > Port and Protocol Profiler (saved search)

For informational purposes, these panels ignore top-level filters.

Supporting dashboards

Additional Splunk App for Enterprise Security dashboards help monitor and investigate the security of the infrastructure. These dashboards provide the following functionality:

  • Identity: Review identities associated with the network and their associated activities. Also review asset lists and see a summary of all network sessions. (To get optimal functionality from Enterprise Security, create or import an asset list and an identities list associated with the network. See the Enterprise Security Installation and Configuration Manual for more information.)
  • Audit (for example, "Incident Review Audit", "Suppression Audit", "Forwarder Audit", "Index Audit", and so on): Provide information about Splunk's own operational data including: forwarder auditing, index auditing, and search auditing. Use this dashboard to track resource consumption, organizational activity, and analyst effectiveness. These are potentially critical components to a security organization.

Common dashboard features

The domain dashboards include a number of features that are common to many of the dashboards.

Dashboard filters

Many dashboards have a filter bar to restrict the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only and do not affect other dashboards in Enterprise Security. Dashboard filters may not apply to all panels within a dashboard.

ES32 DB Dash Filters.png

To use the filter, make selections and/or enter the desired text, use wildcards for strings if needed, adjust the time span, and search. For instance, many dashboards support selection of Business Unit or Category, which allows security managers and analysts to compare posture and patterns between different organizational units.

Action Filter behavior
Source based actions success: The source of the action successfully completed the action (for example, successfully authenticated to the destination device)

failure: The source of the action did not successfully complete the action (for example, failed to authenticate to the destination device)

Device based actions allowed: The device allowed the action

blocked: The device blocked the action

Endpoint or Malware based actions allowed: The malicious executable was allowed to exist.

blocked: The malicious executable was prevented from performing the action.
deferred: The malicious executable could not be fully remediated but will be remediated at a future time. This is common when a file cannot be cleaned until the system is rebooted, causing it to be deferred until the next reboot cycle.

Business Unit Filter behavior
Business Unit Filter based on the business unit of the host. Enter a string to match the business unit. Use the asterisk (*) wildcard to match any number of characters. Match is case-insensitive, and all text values must be lowercase.

Note: Business Unit is a free form field implemented using the Splunk for Enterprise Security asset list and identities list. To use this filter, the asset list must be configured for the deployment. See the Enterprise Security Installation and Configuration Manual for more information.

Category Filter behavior
Category Filter based on the categories to which the host belongs. The category names represent functional categories: such as server, workstation, and domain_controller; or compliance and security standards such as PCI. It is possible to filter on multiple categories by selecting each category to include in the results. The Enterprise Security app must have a category list and an asset list established to use the Category filter.

Dashboard drilldowns

The tables and charts that comprise an Enterprise Security dashboard presents a consolidated view of the events. To see a detailed breakout of the events, click a point or segment on any chart, or a row in a table. The drilldown launches a detailed search that is driven by captured values from the location of the click.


ES32 DB View Drilldown.png


Panel Editor

Use the Panel Editor to access and view details of the search that drives the data in a panel. A number of options are available from icons that become visible when you mouse-over a panel:

  • Open the search in the Search app.
  • Export the results of the search in several formats.
  • View the search in the Search Job Inspector.
  • Refresh the search.

ES32 DB View Actions.png

Workflow actions

Workflow actions enable you to set up interactions between specific fields in your data and other applications or web resources. A simple example of a workflow action uses any source event containing a field with an IP address. When the action is chosen, an external WHOIS search based on the IP address value is initiated.

The Event Action and Action menus contains the relevant workflow actions, and are available on any dashboard that displays the source events. Use a drilldown from a dashboard panel to view source events.

ES32 DB WF Actions.png

Implement new workflow actions

For more information and examples on building workflow actions, see "Control workflow action appearance in field and event menus" in the Splunk Enterprise Knowledge Manager Manual.

Last modified on 15 December, 2014
Overview   Extreme Search

This documentation applies to the following versions of Splunk® Enterprise Security: 3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters