Advanced Threat dashboards
Use the Advanced Threat dashboards to identify potential and persistent threats in your environment.
HTTP Category Analysis dashboard
The HTTP Category Analysis dashboard looks at categories of traffic data. Any traffic data, such as firewall, router, switch, or network flows, can be summarized and viewed in this dashboard.
- Compare statistical data to identify traffic outliers, or traffic different from what is typically found in your environment.
- Look for category counts that fall outside of the norm (small or large) that may indicate a possible threat.
- Find low volume traffic activity and drill down from the summarized data to investigate events.
- Use sparklines to identify suspicious patterns of activity by category.
Unknown traffic categories
Use the "Show only unknown categories" filter on the HTTP Category Analysis dashboard to filter and view unknown categories of web traffic.
Before you can filter unknown traffic, define which categories are unknown.
- Select Settings > Tags.
- Click List by tag name.
- Select an App context of DA-ESS-NetworkProtection or a related network add-on, such as TA-websense.
- Click New.
- Type a Tag name of unknown.
- Type a Field value pair to define as unknown traffic. For example, category=undetected.
- Click Save.
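The tag created by this procedure is a knowledge object that Splunk persists in tags.conf. As an added example (not taken from this page or from the ES app's own configuration), this is the stanza the steps above produce for the category=undetected pair; the path assumes you chose DA-ESS-NetworkProtection as the App context, since UI-created objects land in that app's local directory:

```ini
# $SPLUNK_HOME/etc/apps/DA-ESS-NetworkProtection/local/tags.conf
# One stanza per field=value pair; add a stanza for each value your proxy
# or web filter uses for uncategorized traffic (for example "unknown" or
# "uncategorized"), all carrying the same tag.
[category=undetected]
unknown = enabled
```

Check the result with a plain search such as `tag=unknown` over your web or proxy sourcetype before relying on the dashboard filter: if the field value pair does not match the literal value your data source emits, the filter will silently show nothing.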
Dashboard filters
Filters can help refine the HTTP category list.
Filter by | Description | Action |
---|---|---|
Time Range | Select the time range to represent. | Drop-down: select to filter by |
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. | In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view. |
Dashboard panels
Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.
Panel | Description |
---|---|
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual. |
Category Distribution | Displays category counts as a scatter plot, with count as the x-axis and src_count as the y-axis. The chart updates when you change filters or the time range. Hover over an item to see details. |
Category Details | Displays details of the HTTP categories, including a sparkline that represents the activity for that HTTP category over the last 24 hours. |
HTTP User Agent Analysis dashboard
Use the HTTP User Agent Analysis dashboard to investigate user agent strings in your proxy data and determine if there is a possible threat to your environment.
- A bad user agent string, where the browser name is misspelled (like Mozzila) or the version number is completely wrong (v666), can indicate an attacker or threat.
- Long user agent strings are often an indicator of malicious access.
- User agent strings that fall outside of the normal size (small or large) may indicate a possible threat that should be looked at and evaluated.
The Advanced Filter can be used to whitelist or blacklist specific user agents. Use the statistical information to visually identify outliers. In the summarized data, you can evaluate user agents for command and control (C&C) activity, and find unexpected HTTP communication activity.
Dashboard filters
The dashboard includes a number of filters that can help refine the user agent list.
Filter by | Description | Action |
---|---|---|
Standard Deviation Index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer user agent strings, or choose a lower number of deviations to see a greater number of user agent strings. | Drop-down: select to filter by |
Time Range | Select the time range to represent. | Drop-down: select to filter by |
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. | In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view. |
Dashboard panels
Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.
Panel | Description |
---|---|
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual. |
User Agent Distribution | Displays user agent strings as a scatter plot, with length as the x-axis and count as the y-axis. The chart updates when you change the filters or the time range. Hover over an item to see details about the raw data. |
User Agent Details | Displays details of the user agents in your environment, including the string value of the user agent and a sparkline that represents the activity for that user agent string over the last 24 hours. |
New Domain Analysis dashboard
The New Domain Analysis dashboard shows any new domains that appear in your environment. These domains can be newly registered, or simply newly seen by ES. Panels display New Domain Activity events, New Domain Activity by Age, New Domain Activity by Top Level Domain (TLD), and Registration Details for these domains.
- View hosts talking to recently registered domains.
- Discover outlier activity directed to newly registered domains in the New Domain Activity by Age panel.
- Identify unexpected top level domain activity in the New Domain Activity by TLD panel.
- Investigate high counts of new domains to find out if your network has an active Trojan, botnet, or other malicious entity.
Dashboard filters
The dashboard includes a number of filters to refine the list of domains displayed.
Filter by | Description | Action |
---|---|---|
Domain | Enter a domain name to match. | Text field. Empty by default. Accepts wildcard strings with an asterisk (*). |
New Domain Type | Select Newly Registered or Newly Seen to filter the types of domains to be viewed. | Drop-down: select to filter by |
Maximum Age (days) | The time range for the newly seen or newly registered domains. The default is 30 days. | Text field. |
Time Range | Select the time range to represent. | Drop-down: select to filter by |
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. | In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view. |
Dashboard panels
Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.
Panel | Description |
---|---|
New Domain Activity | Table view of information about new domain activity |
New Domain Activity by Age | Scatter plot that displays Age as the x-axis and Count as the y-axis. Hover over a square for the exact age and number of new domains. |
New Domain Activity by TLD (Top Level Domain) | A bar chart with Count as the x-axis and TLD as the y-axis. Hover over a bar for the current number of events for a top level domain. |
Registration Details | A table view of information about new domain registrations. Click a domain in the table to open a search on that domain and view the raw events. |
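The filters and the by-age and by-TLD panels described above amount to a simple classification over two dates per domain: when WHOIS says it was registered, and when your environment first saw it. The following Python is an added example, not the dashboard's own search or Splunk ES product code. It assumes constructed first-seen dates and WHOIS creation dates (standing in for the whois_tracker.csv lookup and the whois index), defines "Newly Registered" age as days since the WHOIS creation date and "Newly Seen" age as days since first observation, groups by the last DNS label for the TLD panel, and applies the Domain filter's asterisk wildcard with fnmatchcase. The functions new_domain_activity, activity_by_age and activity_by_tld are names chosen here, not ES identifiers.

```python
"""
Added example, not the New Domain Analysis dashboard's own search or ES code:
the classification its filters describe, run over constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)

# Constructed: when each domain was first observed in our environment. This
# plays the role of the whois_tracker.csv lookup (assumption: one row per domain).
FIRST_SEEN: Dict[str, datetime] = {
    "example.com": NOW - timedelta(days=400),
    "cdn-updates.net": NOW - timedelta(days=3),
    "login-verify.xyz": NOW - timedelta(days=1),
    "partner.co.uk": NOW - timedelta(days=12),
}

# Constructed: WHOIS creation dates, playing the role of the whois index that
# the domaintools modular input populates. None models a domain for which no
# registration record came back (or the input is not yet enabled).
WHOIS_CREATED: Dict[str, Optional[datetime]] = {
    "example.com": NOW - timedelta(days=8000),
    "cdn-updates.net": NOW - timedelta(days=5),
    "login-verify.xyz": NOW - timedelta(days=2),
    "partner.co.uk": None,
}


def tld(domain: str) -> str:
    """Top-level domain as the dashboard groups it: the last label only,
    so partner.co.uk is counted under "uk", not "co.uk"."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def seen_age_days(domain: str, now: datetime = NOW) -> Optional[int]:
    first = FIRST_SEEN.get(domain)
    return None if first is None else (now - first).days


def registration_age_days(domain: str, now: datetime = NOW) -> Optional[int]:
    created = WHOIS_CREATED.get(domain)
    return None if created is None else (now - created).days


def new_domain_activity(new_domain_type: str, max_age_days: int = 30,
                        domain_filter: str = "", now: datetime = NOW) -> List[dict]:
    """Rows for the New Domain Activity table under the given filter settings.

    new_domain_type is "Newly Registered" (age from the WHOIS creation date) or
    "Newly Seen" (age from the first observation here); max_age_days is the
    Maximum Age (days) filter; domain_filter is the Domain text field, with
    "*" as a wildcard. A domain with no data for the chosen age type is left
    out rather than treated as age 0, so a missing WHOIS record can never
    masquerade as a brand-new registration.
    """
    if new_domain_type == "Newly Registered":
        age_of = registration_age_days
    elif new_domain_type == "Newly Seen":
        age_of = seen_age_days
    else:
        raise ValueError(f"unknown New Domain Type: {new_domain_type!r}")
    rows = []
    for domain in sorted(FIRST_SEEN):
        if domain_filter and not fnmatchcase(domain, domain_filter):
            continue
        age = age_of(domain, now)
        if age is None or age > max_age_days:
            continue
        rows.append({"domain": domain, "age": age, "tld": tld(domain)})
    return rows


def activity_by_age(rows: List[dict]) -> Counter:
    """Counts behind the New Domain Activity by Age scatter plot."""
    return Counter(r["age"] for r in rows)


def activity_by_tld(rows: List[dict]) -> Counter:
    """Counts behind the New Domain Activity by TLD bar chart."""
    return Counter(r["tld"] for r in rows)


if __name__ == "__main__":
    for kind in ("Newly Registered", "Newly Seen"):
        rows = new_domain_activity(kind, max_age_days=30)
        print(kind, [(r["domain"], r["age"]) for r in rows], dict(activity_by_tld(rows)))
```

With the sample data, partner.co.uk appears under Newly Seen but never under Newly Registered, because it has no WHOIS record. That is exactly the state of every domain before the domaintools modular input is configured, which is why the dashboard can only report newly seen domains until then.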
Configure the external API for WHOIS data
To see data in the New Domain Analysis dashboard, you must configure a connection to an external domain lookup data source. Until this modular input is configured and enabled, the dashboard can report only whether a domain is newly seen, not whether it is newly registered.
The domain lookup uses the external domain source domaintools.com, which provides a paid API for WHOIS data.
- Sign up for a domaintools.com account.
- Collect the API host name and your API access credentials from the site. Note that the API access credentials are different from your account email address.
Use the API information to set up a modular input in Splunk Enterprise Security.
- From the ES menu bar, Select Configure > Data Enrichment > WHOIS Management.
- Click Enable next to whois_domaintools.
- Click the name of the modular input to add the API hostname and username used to access the domaintools API.
- Save the API credentials on the Credential Management dashboard.
Note: Until you enable the modular input, domains processed by the input will not be queued. This prevents the checkpoint directory from filling up with files.
After enabling the modular input, enable the outputcheckpoint_whois macro to create checkpoint data.
- Select Configure > General > General Settings.
- Select Enable for the Domain Analysis setting to enable WHOIS tracking.
The modular input stores information in the whois_tracker.csv lookup file. After a file exists in the $SPLUNK_HOME/var/lib/splunk/modinputs/whois directory, the whois index will begin to populate with data. Checkpoint files are deleted after they are processed.
Traffic Size Analysis dashboard
Use the Traffic Size Analysis dashboard to compare traffic data with statistical data to find outliers, traffic that differs from what is normal in your environment. Any traffic data, such as firewall, router, switch, or network flows, can be summarized and viewed on this dashboard.
- Investigate traffic data byte lengths to find connections with large byte counts per request, or that are making a high number of connection attempts with small byte count sizes.
- Use the graph to spot suspicious patterns of data being sent.
- Drill down into the summarized data to look for anomalous source/destination traffic.
Dashboard filters
Use the filters to refine the traffic size events list on the dashboard.
Filter by | Description | Action |
---|---|---|
Standard Deviation Index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer traffic events, or choose a lower number of deviations to see a greater number of traffic events. | Drop-down: select to filter by |
Time Range | Select the time range to represent. | Drop-down: select to filter by |
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. | In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view. |
Dashboard panels
Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.
Panel | Description |
---|---|
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual. |
Traffic Size Anomalies Over Time | The chart displays a count of anomalous traffic sizes in your environment over time. It plots, as a line graph with time as the x-axis and count as the y-axis, the events whose traffic volume lies more than the selected number of standard deviations (2 by default) from the mean. |
Traffic Size Details | Table that displays each of the traffic events and related details such as the size of the traffic event in bytes. If there is more than one event from a source IP address, the count column shows how many events are seen. The bytes column shows the minimum, maximum, and average number of bytes for those events. Z is the distance of the traffic size from the mean, in standard deviations. |
URL Length Analysis dashboard
The URL Length Analysis dashboard looks at any proxy or HTTP data that includes URL string information. Any traffic data containing URL string or path information, such as firewall, router, switch, or network flows, can be summarized and viewed in this dashboard.
- Compare each URL statistically to identify outliers.
- Investigate long URLs that have no referrer.
- Look for abnormal length URLs that contain embedded SQL commands for SQL injections, cross-site scripting (XSS), embedded command and control (C&C) instructions, or other malicious content.
- Use the details table to see how many assets are communicating with the URL.
Use the key indicators to compare each new URL and to identify outlier URL strings, ones that are different from what is typically found in your environment. URLs that fall outside of the normal size (small or large) may indicate a possible threat. Unusually long URL paths from unfamiliar sources and/or to unfamiliar destinations are often indicators of malicious access and should be examined.
Dashboard filters
Use the filters to refine the URL length events represented on the dashboard.
Filter by | Description | Action |
---|---|---|
Standard Deviation Index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer URLs, or choose a lower number of deviations to see a greater number of URLs. | Drop-down: select to filter by |
Time Range | Select the time range to represent. | Drop-down: select to filter by |
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See "Advanced Filter" in this manual for information. | In Filter Results from Panel, click an item to whitelist it and remove it from the dashboard view. Click Update to return to the dashboard and refresh the view. |
Dashboard panels
Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.
Panel | Description |
---|---|
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual. |
URL Length Anomalies Over Time | The chart displays a count of URL length anomalies over time. It plots, as a line graph with time as the x-axis and count as the y-axis, the events whose URL length lies more than the selected number of standard deviations (2 by default) from the mean. |
URL Length Details | Table that displays the URL strings and details such as the full URI string. If there is more than one event from a source IP address, the count column shows how many events are seen. Z is the distance of the URL length from the mean, in standard deviations. |
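The HTTP User Agent Analysis, Traffic Size Analysis and URL Length Analysis dashboards all rest on the same statistic: the Standard Deviation Index filter hides everything within N standard deviations of the mean, and the Z column in each Details panel is that distance. The following Python is an added example, not the dashboards' own searches or Splunk ES product code. It assumes a constructed set of proxy events and that Z is the per-group average (per source for bytes, per string for user agents and URLs) measured against the mean and population standard deviation of all events in the time range; the exact search ES runs may differ. The function names details, filtered_out_pct, size_details, user_agent_details and url_length_details are chosen here, not ES identifiers.

```python
"""
Added example (not part of the Splunk ES documentation or product code): the
outlier logic that the Standard Deviation Index filter and the Z column
describe, applied to a constructed set of proxy events. Assumption: Z is the
per-group average measured against the mean and population standard
deviation of all events in the time range.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Callable, Dict, List

Event = Dict[str, object]

# Constructed sample proxy events, not real traffic. The last record carries
# the three anomalies the dashboards look for: a large byte count, a long
# mis-spelled user agent, and an oversized URL with injection-style content.
EVENTS: List[Event] = [
    {"src": "10.0.0.5",  "bytes": 1200, "user_agent": "Mozilla/5.0 Firefox/52.0", "url": "http://intranet.example/home"},
    {"src": "10.0.0.5",  "bytes": 1350, "user_agent": "Mozilla/5.0 Firefox/52.0", "url": "http://intranet.example/news"},
    {"src": "10.0.0.6",  "bytes": 980,  "user_agent": "Mozilla/5.0 Chrome/58.0",  "url": "http://intranet.example/home"},
    {"src": "10.0.0.7",  "bytes": 1100, "user_agent": "Mozilla/5.0 Chrome/58.0",  "url": "http://intranet.example/login"},
    {"src": "10.0.0.8",  "bytes": 1250, "user_agent": "Mozilla/5.0 Firefox/52.0", "url": "http://intranet.example/news"},
    {"src": "10.0.0.9",  "bytes": 1020, "user_agent": "Mozilla/5.0 Chrome/58.0",  "url": "http://intranet.example/home"},
    {"src": "10.0.0.77", "bytes": 48000,
     "user_agent": "Mozzila/4.0 (compatible; v666) " + "A" * 300,
     "url": "http://intranet.example/search?q=" + "%27%20OR%201%3D1--" * 20},
]


def details(events: List[Event], key: Callable[[Event], str],
            value: Callable[[Event], float], deviations: float) -> List[dict]:
    """One row per group, as in the Details panels: count, min, max and avg of
    the metric, and Z for the group's average against all events. Only groups
    with |Z| greater than `deviations` are returned, most anomalous first.
    If every value is identical the standard deviation is zero, and every
    group gets Z = 0 instead of a division error."""
    population = [value(e) for e in events]
    mu, sigma = mean(population), pstdev(population)
    groups: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        groups[key(e)].append(value(e))
    rows = []
    for k, vals in groups.items():
        avg = mean(vals)
        z = 0.0 if sigma == 0 else (avg - mu) / sigma
        rows.append({"key": k, "count": len(vals), "min": min(vals),
                     "max": max(vals), "avg": avg, "z": round(z, 2)})
    rows.sort(key=lambda r: -abs(r["z"]))
    return [r for r in rows if abs(r["z"]) > deviations]


def filtered_out_pct(events: List[Event], value: Callable[[Event], float],
                     deviations: float) -> float:
    """The percentage shown beside a Standard Deviation Index choice: the share
    of events within `deviations` sigma of the mean, which that setting hides."""
    population = [value(e) for e in events]
    mu, sigma = mean(population), pstdev(population)
    if sigma == 0:
        return 100.0
    inside = sum(1 for v in population if abs(v - mu) / sigma <= deviations)
    return round(100.0 * inside / len(population), 1)


def size_details(events: List[Event] = EVENTS, deviations: float = 2.0) -> List[dict]:
    # Traffic Size Details: grouped by source IP, metric is bytes.
    return details(events, lambda e: e["src"], lambda e: e["bytes"], deviations)


def user_agent_details(events: List[Event] = EVENTS, deviations: float = 2.0) -> List[dict]:
    # User Agent Details: grouped by the user agent string, metric is its length.
    return details(events, lambda e: e["user_agent"], lambda e: len(e["user_agent"]), deviations)


def url_length_details(events: List[Event] = EVENTS, deviations: float = 2.0) -> List[dict]:
    # URL Length Details: grouped by URL, metric is its length.
    return details(events, lambda e: e["url"], lambda e: len(e["url"]), deviations)


if __name__ == "__main__":
    for name, fn in (("bytes", size_details), ("user agent", user_agent_details), ("URL", url_length_details)):
        for row in fn():
            print(f"{name}: {str(row['key'])[:40]!r} count={row['count']} avg={row['avg']:.0f} z={row['z']}")
    print("hidden at 2 sigma:", filtered_out_pct(EVENTS, lambda e: e["bytes"], 2.0), "%")
```

Two caveats worth keeping in mind when you tune the Standard Deviation Index. First, with a population standard deviation no single point can exceed a Z of the square root of (n minus 1), so on a small or quiet time range (here n = 7, maximum Z about 2.45) a setting of 3 can never show anything, however extreme the outlier; widen the time range before concluding there are no anomalies. Second, one sufficiently large outlier inflates sigma enough to pull every other point toward Z = 0, so a second, smaller anomaly in the same window is masked until the first is whitelisted with the Advanced Filter.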
This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only