Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Advanced Threat dashboards

Use the Advanced Threat dashboards to identify potential and persistent threats in your environment.

HTTP Category Analysis dashboard

The HTTP Category Analysis dashboard looks at categories of traffic data. Any traffic data, such as firewall, router, switch, or network flows, can be summarized and viewed in this dashboard.

  • Compare statistical data to identify traffic outliers, or traffic different from what is typically found in your environment.
  • Look for category counts that fall outside of the norm (small or large) that may indicate a possible threat.
  • Find low volume traffic activity and drill down from the summarized data to investigate events.
  • Use sparklines to identify suspicious patterns of activity by category.

Unknown traffic categories

Use the "Show only unknown categories" filter on the HTTP Category Analysis dashboard to filter and view unknown categories of web traffic.

Before you can filter unknown traffic, you need to define which categories are unknown using tags.conf. For instance, to specify the category "undetected" as an unknown category, create the following local/tags.conf configuration.

## TA-websense/local/tags.conf
[category=undetected]
unknown = enabled

This stanza can be created in any add-on or in DA-ESS-NetworkProtection.

Dashboard filters

Filters can help refine the HTTP category list.

Filter by Description Action
Time Range Select the time range to represent. Drop-down: select to filter by
Advanced Filter Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view.

Dashboard panels

Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
Category Distribution Displays category counts as a scatter plot, with count as the x-axis and src_count as the y-axis. The chart updates when you change filters or the time range. Hover over an item to see details.
Category Details Displays details of the HTTP categories, including a sparkline that represents the activity for that HTTP category over the last 24 hours.

HTTP User Agent Analysis dashboard

Use the HTTP User Agent Analysis dashboard to investigate user agent strings in your proxy data and determine if there is a possible threat to your environment.

  • A bad user agent string, where the browser name is misspelled (like Mozzila) or the version number is completely wrong (v666), can indicate an attacker or threat.
  • Long user agent strings are often an indicator of malicious access.
  • User agent strings that fall outside of the normal size (small or large) may indicate a possible threat that should be looked at and evaluated.

The Advanced Filter can be used to whitelist or blacklist specific user agents. Use the statistical information to visually identify outliers. In the summarized data, you can evaluate user agents for command and control (C&C) activity, and find unexpected HTTP communication activity.

Dashboard filters

The dashboard includes a number of filters that can help refine the user agent list.

Filter by Description Action
Standard Deviation Index The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer user agent strings, or choose a lower number of deviations to see a greater number of user agent strings. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by
Advanced Filter Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view.

Dashboard panels

Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
User Agent Distribution Displays user agent strings as a scatter plot, with length as the x-axis and count as the y-axis. The chart updates when you change the filters or the time range. Hover over an item to see details about the raw data.
User Agent Details Displays details of the user agents in your environment, including the string value of the user agent and a sparkline that represents the activity for that user agent string over the last 24 hours.

New Domain Analysis dashboard

The New Domain Analysis dashboard shows any new domains that appear in your environment. These domains can be newly registered, or simply newly seen by ES. Panels display New Domain Activity events, New Domain Activity by Age, New Domain Activity by Top Level Domain (TLD), and Registration Details for these domains.

  • View hosts talking to recently registered domains.
  • Discover outlier activity directed to newly registered domains in the New Domain Activity by Age panel.
  • Identify unexpected top level domain activity in the New Domain Activity by TLD panel.
  • Investigate high counts of new domains to find out if your network has an active Trojan, botnet, or other malicious entity.

Dashboard filters

The dashboard includes a number of filters to refine the list of domains displayed.

Filter by Description Action
Domain Enter the domain (Access, Endpoint, Network). Text field. Empty by default. Wildcard strings with an asterisk (*)
New Domain Type Select Newly Registered or Newly Seen to filter the types of domains to be viewed. Drop-down: select to filter by
Maximum Age (days) The time range for the newly seen or newly registered domains. The default is 30 days. Text field.
Time Range Select the time range to represent. Drop-down: select to filter by
Advanced Filter Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view.

Dashboard panels

Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.

Panel Description
New Domain Activity Table view of information about new domain activity
New Domain Activity by Age Scatter plot that displays Age as the x-axis and Count as the y-axis. Hover over a square for the exact age and number of new domains.
New Domain Activity by TLD
(Top Level Domain)
A bar chart with Count as the x-axis and TLD as the y-axis. Hover over a bar for the current number of events for a top level domain.
Registration Details A table view of information about new domain registrations. Click a domain in the table to open a search on that domain and view the raw events.


Configure the external API for WHOIS data

To see data in the New Domain Analysis dashboard, you must configure a connection to an external domain lookup data source. The dashboard will only report whether or not a domain is newly seen until this modular input is configured and enabled.

The domain lookup uses the external domain source domaintools.com, which provides a paid API for WHOIS data.

  1. Sign up for a domaintools.com account.
  2. Collect the API host name and your API access credentials from the site. Note that the API access credentials are different from your account email address.

Use the API information to set up a modular input in Splunk Enterprise Security.

  1. Enable the modular input. Navigate to Settings > Data Inputs > Network Queries. Click Enable next to whois_domaintools.
  2. Click the name of the modular input to add the API hostname and username used to access the domaintools API.
  3. Save the API credentials on the Credential Management dashboard.

Note: Until you enable the modular input, domains processed by the input will not be queued. This prevents the checkpoint directory from filling up with files.

After enabling the modular input, enable the outputcheckpoint_whois macro to create checkpoint data.

  1. Navigate to Configure > General > General Settings.
  2. Change the Domain Analysis setting from noop to outputcheckpoint modinput=whois.

The modular input stores information in the whois_tracker.csv lookup file. After a file exists in the $SPLUNK_HOME/var/lib/splunk/modinputs/whois directory, the whois index will begin to populate with data. After they are processed, checkpoint files will be deleted.

Traffic Size Analysis dashboard

Use the Traffic Size Analysis dashboard to compare traffic data with statistical data to find outliers, traffic that differs from what is normal in your environment. Any traffic data, such as firewall, router, switch, or network flows, can be summarized and viewed on this dashboard.

  • Investigate traffic data byte lengths to find connections with large byte counts per request, or that are making a high number of connection attempts with small byte count sizes.
  • Use the graph to spot suspicious patterns of data being sent.
  • Drill down into the summarized data to look for anomalous source/destination traffic.

Dashboard filters

Use the filters to refine the traffic size events list on the dashboard.

Filter by Description Action
Standard Deviation Index The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer user agent strings, or choose a lower number of deviations to see a greater number of user agent strings. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by
Advanced Filter Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view.

Dashboard panels

Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
Traffic Size Anomalies Over Time The chart displays a count of anomalous traffic size in your environment over time. It displays traffic volume greater than the number of standard deviations selected in the filter (2 by default) displayed in a line graph with time as the x-axis and count as the y-axis.
Traffic Size Details Table that displays each of the traffic events and related details such as the size of the traffic event in bytes. If there is more that one event from a source IP address, the count column shows how many events are seen. In the bytes column, the minimum, maximum, and average number of bytes for the traffic event are shown. Z indicates the standard deviations for the traffic event.

URL Length Analysis dashboard

The URL Length Analysis dashboard looks at any proxy or HTTP data that includes URL string information. Any traffic data containing URL string or path information, such as firewall, router, switch, or network flows, can be summarized and viewed in this dashboard.

  • Compare each URL statistically to identify outliers.
  • Investigate long URLs that have no referrer.
  • Look for abnormal length URLs that contain embedded SQL commands for SQL injections, cross-site scripting (XSS), embedded command and control (C&C) instructions, or other malicious content.
  • Use the details table to see how many assets are communicating with the URL.

Use the key indicators to compare each new URL and to identify outlier URL strings, ones that are different from what is typically found in your environment. URLs that fall outside of the normal size (small or large) may indicate a possible threat. Unusually long URL paths from unfamiliar sources and/or to unfamiliar destinations are often indicators of malicious access and should be examined.

Dashboard filters

Use the filters to refine the URL length events represented on the dashboard.

Filter by Description Action
Standard Deviation Index The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer user agent strings, or choose a lower number of deviations to see a greater number of user agent strings. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by
Advanced Filter Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view.

Dashboard panels

Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
URL Length Anomalies Over Time The chart displays a count of URL length anomalies across time. It displays URL lengths greater than the number of standard deviations selected in the filter (2 by default) displayed in a line graph with time as the x-axis and count as the y-axis.
URL Length Details Table that displays the URL strings and details such as the full URI string. If there is more that one event from a source IP address, the count column shows how many events are seen. Z indicates the standard deviations for the URL length.
Last modified on 11 June, 2016
Configure threat intelligence sources   Network dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters