Splunk® Enterprise Security

Use Splunk Enterprise Security


Identity dashboards

The Identity domain dashboards provide information about the assets and identities defined in the Enterprise Security app.

The configuration of identities and assets is treated similarly in the Splunk App for Enterprise Security. For more information about the use of Asset and Identity records, see the section on Asset management in this manual.

Asset Center dashboard

Use the Asset Center dashboard to review and search for objects in the asset data loaded into the Splunk App for Enterprise Security. The asset data represents a list of hosts, IP addresses, and subnets within the organization, along with information about each asset. The asset list correlates asset properties to events in Splunk Enterprise, providing context such as the location and priority level of an asset.


Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels.

Asset: a known or unknown asset. Text field, empty by default; accepts wildcard strings with an asterisk (*).
Priority: filter by the Priority field in the Asset table. Drop-down by Priority.
Business Unit: a group or department classification for the asset. Text field, empty by default; accepts wildcard strings with an asterisk (*).
Category: filter by the Category field in the Asset table. Drop-down by Category.
Owner: filter by the Owner field in the Asset table. Text field, empty by default; accepts wildcard strings with an asterisk (*).
Time Range: select the time range to represent. Drop-down: select the range to filter by.

Dashboard Panels

Assets by Priority: displays the number of assets by priority level. The drilldown redirects the page to a search with the selected priority level.
Assets by Business Unit: displays the relative amount of assets by business unit. The drilldown redirects the page to a search with the selected business unit.
Assets by Category: displays the relative amount of assets by category. The drilldown redirects the page to a search with the selected category.
Asset Information: shows all assets that match the current dashboard filters. The drilldown redirects the page to the Asset Investigator dashboard if the ip, nt_host, mac, or dns field is selected. Any other field redirects the page to a search with the selected field.

Data sources

The reports in the Asset Center dashboard reference fields in the Assets and Identities data model. Relevant data sources include lists of assets and identities collected and loaded as lookups, scripted inputs, or search-extracted data.

Troubleshooting

For information about troubleshooting, see "Troubleshooting Identity dashboards" in this topic.

Identity Center dashboard

Use the Identity Center dashboard to review and search for objects in the identities data loaded into the Splunk App for Enterprise Security. The identities data represents a list of account names, legal names, nicknames, and alternate names, along with other associated information about each identity. The identities data is used to correlate user information to events in Splunk Enterprise, providing additional context.


Filtering Identities in Identity Center

The filter for the Identity Center dashboard is a search field that expects key=value pairs rather than free text. Enter a key=value pair into the filter instead of a name or text string.

Sample key=value pairs: email=*acmetech.com, nick=a_nickname

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels.

Username: a known or unknown user. Text field, empty by default; accepts wildcard strings with an asterisk (*).
Priority: filter by the Priority field in the Identities table. Drop-down by Priority.
Business Unit: a group or department classification for the identity. Text field, empty by default; accepts wildcard strings with an asterisk (*).
Category: filter by the Category field in the Identities table. Drop-down by Category.
Watchlisted Identities Only: filter by the identities tagged as "watchlist" in the Identities table. Drop-down: select to filter by.
Time Range: select the time range to represent. Drop-down: select the range to filter by.

Dashboard Panels

Identities by Priority: displays the number of identities by priority level. The drilldown redirects the page to a search with the selected priority level.
Identities by Business Unit: displays the relative amount of identities by business unit. The drilldown redirects the page to a search with the selected business unit.
Identities by Category: displays the relative amount of identities by category. The drilldown redirects the page to a search with the selected category.
Identity Information: shows all identities that match the current dashboard filters. The drilldown redirects the page to the Identity Investigator dashboard if the identity field is selected. Any other field redirects the page to a search with the selected field.

Data sources

The reports in the Identity Center dashboard reference fields in the Assets and Identities data model. Relevant data sources include lists of assets and identities collected and loaded as lookups, scripted inputs, or search-extracted data.

Troubleshooting

For information about troubleshooting, see "Troubleshooting Identity dashboards" in this topic.

Session Center dashboard

The Session Center dashboard provides an overview of network sessions. Network sessions are used to correlate network activity to a user using session data provided by DHCP or VPN servers. Use the Session Center to review the session logs and identify the user or machine associated with an IP address used during a session.


Dashboard Panels

Sessions Over Time: displays the total count of network sessions over time. The drilldown redirects the page to a search with the selected session and time range.
Session Details: displays the 1000 most recently opened network sessions, based on the session start time. The drilldown redirects the page to a search with the selected session details.

Troubleshooting

For information about troubleshooting, see "Troubleshooting Identity dashboards" in this topic.

Troubleshooting Identity dashboards

1. The dashboards reference data from various data models. Without the applicable data, the panels remain empty.

2. Use the Open in Search link available in the lower left corner of a panel view to perform a direct search against the data model. The New Search dashboard also exposes the search commands and objects used to populate the view.

3. Determine if any data required for a dashboard is available in the data model.

a. Determine the data model objects used by a dashboard:

Asset Center (Assets by Priority, Assets by Business Unit, Assets by Category, Asset Information): Assets and Identities data model; All_Assets.priority, .bunit, .category, .owner
Identity Center (Identities by Priority, Identities by Business Unit, Identities by Category, Identity Information): Assets and Identities data model; All_Identities.priority, .bunit, .category
Session Center (Sessions Over Time): Network Sessions data model; All_Sessions.Session_*
Session Center (Session Details): Network Sessions data model; All_Sessions.*

b. Use the data model and data model object to search for events in the data model:

Action: verify the data is normalized to the Common Information Model.
Search:
    | datamodel data_model_name root_object_name search | table _time, sourcetype, root_object_name.*
Example:
    | datamodel Network_Traffic All_Traffic search | dedup sourcetype | table _time, sourcetype, All_Traffic.*
Expected result: returns a list of sourcetypes and the data model objects and fields populated by each sourcetype.

4. Validate the data model is being accelerated.

In the Splunk App for Enterprise Security, browse to Audit > Data Model Audit. Review the Acceleration Details panel for information about the data model acceleration status.
Note: For more information about data model acceleration and the Enterprise Security App, see "Data models in the Enterprise Security app" in the Installation and Configuration Manual.
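The procedure above applied to the data models these three dashboards use, as an added example that is not part of the original documentation. The model identifiers Identity_Management (for the Assets and Identities data model) and Network_Sessions are assumed here, because the table in step 3a gives only the display names; the object and field names are the ones listed in that table.

```spl
| datamodel Identity_Management All_Assets search
| stats count by All_Assets.priority, All_Assets.bunit, All_Assets.category

| datamodel Identity_Management All_Identities search
| stats count by All_Identities.priority, All_Identities.bunit, All_Identities.category

| datamodel Network_Sessions All_Sessions search
| dedup sourcetype
| table _time, sourcetype, All_Sessions.*

| tstats summariesonly=true count from datamodel=Network_Sessions by sourcetype
```

Run each search on its own over the same time range the dashboard uses. The first two mirror the Assets by Priority/Business Unit/Category and Identities by Priority/Business Unit/Category panels: if they return rows while the panels stay empty, the dashboard filters or time range are the problem rather than the data. Because the Assets and Identities model is typically populated from lookups (see Data sources above), which carry no sourcetype, these two searches count the object fields instead of deduplicating by sourcetype. The third search is the step 3b check for Session Center. The last search restricts tstats to accelerated summaries with summariesonly=true, so an empty result while the third search returns sessions points at the acceleration check in step 4.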

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3
