Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of ES.

Key indicators

The Enterprise Security app contains a number of pre-defined key indicators, each with a use case based on the security domain dashboards included with the app. A key indicator is a UI object with a specific visual output: it includes a value indicator, a trend amount, a trend indicator, and a threshold that indicates the importance or priority of the value count.

Key indicators are populated by searches that represent an event count over time. The key indicator searches run against the data models defined in the Enterprise Security app, or the data models defined in the Common Information Model app. A few key indicators run searches against the count of notable events. The relative time span for key indicators defaults to the last 24 hours in the Enterprise Security app.

Key indicators are designed to provide a visual reference for several security related metrics at a glance. Each key indicator displays:

  • Description of the metric: A brief descriptor of the security related metric.
  • Value indicator: Displays the current count of events. If a threshold is set, the numbers will change color.
  • Trend amount: Displays the change in the event count over time.
  • Trend indicator: Displays a directional arrow to indicate the direction of the Trend amount. The arrow will change colors to indicate direction.
  • Drilldown link: The Value indicator is also a link to a search.


Edit key indicators

The Enterprise Security app includes pre-configured key indicators. A dashboard key indicator row includes an editor that allows simple visual changes to be made directly to the key indicators without leaving the dashboard. Additionally, advanced changes can be made through the Enterprise Security app's Custom Searches page.

Dashboard editing

Choose the pencil icon named Edit on the top left of the indicator bar. The editing tools are displayed above the indicators.


Arrange key indicators

Drag and drop the indicators to arrange them in a preferred order. There are 5 indicators to a row, and there can be multiple indicator rows.

Remove key indicators

To remove an indicator, click the X on the top right of that indicator. Removing the indicator from a dashboard does not remove the key indicator configuration from Enterprise Security.

Add key indicators

To add key indicators, click the plus icon in the editor tab to open the Add indicators panel. There are more than 60 pre-defined key indicators. Click the checkmark icon to save.

Set a threshold

You can set a threshold value for each key indicator. A threshold is an acceptable value for the event count in an indicator. After the threshold is set, the value indicator will change colors to show if the event count is normal or notable. If no threshold is set, the value indicator numbers will remain black. If the threshold is larger than the count in a value indicator, the numbers will change to green. If the threshold is smaller than the count, the numbers will change to red.

Configure key indicators

The key indicator configurations can be found in the Enterprise Security app, under Configure > General > Custom Searches.

The Custom Searches page

The Custom Searches page is a status page used to display all correlation, key indicator, and swim lane searches. For key indicators, the option to Accelerate the search can be enabled directly on the Custom Searches page, or in the Edit Key Indicator Search page.

Actions

Use the Actions column on the Custom Searches page to:

  • Accelerate a key indicator search: Selecting the Accelerate link on the Custom Searches page allows you to enable acceleration and set a basic schedule for the scheduled report Refresh Frequency. After a key indicator is accelerated, the Next Scheduled Time is populated on the Custom Searches page, and the lightning bolt for that indicator changes from grey to yellow.

Edit Key Indicator Search page

Browse to Configure > General > Custom Searches and select a Key Indicator search to view the Edit Key Indicator Search page. This page allows you to change the advanced options for a key indicator. A Preview button is also available to provide a visual review of the changes made to the configuration before saving.

The Edit Key Indicator Search configuration page defines a number of fields:

  • Search Name: A brief descriptor of the indicator search.
  • Destination App: The name of the app that contains the search.
  • Title: The title text that will appear above the indicator on a dashboard.
  • Sub-title: The text that will appear below the title that is used to describe the count type.
  • Search: The search string to run.
  • Drilldown URL: This field overrides the default behavior of the link embedded in a key indicator. If the field is left empty, following the key indicator link takes you to the search results that generate the data displayed in the key indicator. Insert a new search URL into the Drilldown URL field to redirect users to a custom search when the link is chosen.

Acceleration

Key indicators are accelerated through scheduling. An accelerated key indicator search runs as a scheduled report. The scheduled report results are cached, speeding up the rendering of the indicator on the dashboard. After the cached search results are available, the loading time of a key indicator will improve.

  • Schedule: The checkbox enables acceleration for a key indicator search.

If a key indicator is accelerated, the Next Scheduled Time is populated on the Custom Searches page, and the lightning bolt for that indicator changes from grey to yellow.

Rendering Options

  • Threshold: A number that determines the color assigned to the value indicator. If no threshold number is set, the value indicator numbers will remain black. If the threshold number is larger than the count in a value indicator, the value indicator numbers will change color to green. If the threshold number is smaller than the count, the value indicator numbers will change color to red. The trend indicator arrow changes direction with the threshold. The color behavior can be changed using the Invert option.
  • Value suffix: An optional, descriptive name for the value indicator. The Value suffix will be placed between the Value Indicator and the Trend Indicator.
  • Invert: The checkbox enables the invert option, changing the default behavior of the trend indicator threshold. If the threshold number is larger than the count in a value indicator, the value indicator numbers will change color to red. If the threshold number is smaller than the count, the value indicator numbers will change color to green.
  • Preview: A button used to preview changes made to the key indicator rendering options before saving.

Create custom key indicators

A new key indicator can be added through the Custom Searches page in the Enterprise Security app, under Configure > General > Custom Searches. Choose New and Key Indicator Search. The Key Indicator Search page is where you define the key indicator name, the search, and other details. In the pre-configured key indicators, accelerated data models are used to speed the return of results, but are not required.

Each key indicator has a corresponding entry in the savedsearches.conf file of the app it was created in. Here is a sample of a custom key indicator as found in a ../local/savedsearches.conf file:

[AWS Account Deletion Events]
action.email.reportServerEnabled = 0
action.keyindicator = 1
action.keyindicator.invert = 0
action.keyindicator.subtitle = Accounts
action.keyindicator.threshold = 10
action.keyindicator.title = AWS Account Deletions
action.keyindicator.value = current_count
action.keyindicator.delta = delta
action.keyindicator.value_suffix = attempts
action.keyindicator.drilldown_uri = search?q=search%20tag%3Daccount%20tag%3Dmanagement%20action%3Ddeleted%20sourcetype%3Daws%3Acloudtrail%20earliest%3D-24h%40h%20latest%3D%2B0s
alert.track = 0
search = | tstats `summariesonly` count as current_count from datamodel=Change_Analysis where nodename="All_Changes.Account_Management.Accounts_Deleted" earliest=-24h@h latest=+0s sourcetype=aws:cloudtrail | appendcols [| tstats `summariesonly` count as historical_count from datamodel=Change_Analysis where nodename="All_Changes.Account_Management.Accounts_Deleted" earliest=-48h@h latest=-24h@h sourcetype=aws:cloudtrail] | `get_delta`

The search used to populate the key indicator must include a count. To make use of the other UI elements in a key indicator, the search must also provide a count differential to drive the change value and direction indicator. The sample search above consists of two searches: the first returns the current_count, and the second uses the appendcols command to return the historical_count. From there, the `get_delta` macro computes the difference between the current_count and historical_count. The threshold value determines the colors used on the count differential, and an invert option is available to flip the arrow direction and color behavior as needed.
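To make the stanza above and the threshold/invert rules from Rendering Options concrete, here is an added Python example (not Splunk's own code) that parses a savedsearches.conf key indicator stanza, checks that its search produces the fields the UI needs, decodes the drilldown URI, and works out the color and arrow for a given pair of counts. The sample stanza is constructed from the page's example; the delta direction (current minus historical) and the handling of a count equal to the threshold are assumptions.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the savedsearches.conf stanza shown on this page.
SAMPLE_CONF = """
[AWS Account Deletion Events]
action.keyindicator = 1
action.keyindicator.invert = 0
action.keyindicator.threshold = 10
action.keyindicator.value = current_count
action.keyindicator.delta = delta
action.keyindicator.value_suffix = attempts
action.keyindicator.drilldown_uri = search?q=search%20tag%3Daccount%20tag%3Dmanagement%20action%3Ddeleted%20sourcetype%3Daws%3Acloudtrail%20earliest%3D-24h%40h%20latest%3D%2B0s
search = | tstats `summariesonly` count as current_count from datamodel=Change_Analysis where nodename="All_Changes.Account_Management.Accounts_Deleted" earliest=-24h@h latest=+0s sourcetype=aws:cloudtrail | appendcols [| tstats `summariesonly` count as historical_count from datamodel=Change_Analysis where nodename="All_Changes.Account_Management.Accounts_Deleted" earliest=-48h@h latest=-24h@h sourcetype=aws:cloudtrail] | `get_delta`
"""

def load_key_indicators(conf_text):
    # interpolation=None: the drilldown URI holds '%' escapes that would otherwise be expanded
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: dict(cp[s]) for s in cp.sections() if cp[s].get("action.keyindicator") == "1"}

def check_search(kpi):
    # The value field is required; historical_count plus `get_delta` drive the trend amount and arrow
    spl, problems = kpi["search"], []
    if kpi["action.keyindicator.value"] not in spl:
        problems.append("value field missing from search")
    if not all(t in spl for t in ("appendcols", "historical_count", "`get_delta`")):
        problems.append("no historical_count/`get_delta`: trend amount and arrow stay empty")
    return problems

def drilldown_query(kpi):
    # Decode the URL-encoded drilldown_uri back into the SPL the value link will run
    uri = kpi.get("action.keyindicator.drilldown_uri")
    return parse_qs(urlsplit(uri).query)["q"][0] if uri else None

def render(kpi, current_count, historical_count):
    delta = current_count - historical_count   # assumption: what `get_delta` computes
    raw = kpi.get("action.keyindicator.threshold", "")
    if raw == "":
        color = "black"                        # no threshold: numbers stay black
    else:
        acceptable = current_count <= int(raw)  # assumption: count == threshold is still acceptable
        if kpi.get("action.keyindicator.invert") == "1":
            acceptable = not acceptable        # Invert swaps the green/red assignment
        color = "green" if acceptable else "red"
    arrow = "up" if delta > 0 else ("down" if delta < 0 else "flat")
    return {"value": current_count, "suffix": kpi.get("action.keyindicator.value_suffix", ""),
            "delta": delta, "arrow": arrow, "color": color}
```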


This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3

