Threat Intelligence dashboards
Threat Activity
The Threat Activity dashboard provides information on threat activity by matching threat intelligence source content to events in Splunk Enterprise.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
| Filter by | Description | Action |
|---|---|---|
| Threat Group | A named group or entity representing a known threat, such as a malware domain. | Drop-down: select to filter by |
| Threat Category | A category of threat, such as advanced persistent threat, financial threat, or backdoor. | Drop-down: select to filter by |
| Search | Used for searching on a value related to fields: Destination, Sourcetype, Source, Threat Collection, Threat Collection Key, Threat Key, Threat Match Field, and Threat Match Value. | Drop-down: select to filter by, and a free-form text field. |
| Time Range | Select the time range to represent. | Drop-down: select to filter by |
Dashboard panels
| Panel | Description |
|---|---|
| Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information, and appear at the top of the dashboard. See "Key indicators" in this manual. |
| Threat Activity Over Time | Displays the count of events by all threat collections over the selected time. The drilldown opens a search with the selected threat collection and scoped to the selected time frame. To review the threat collections, see "Supported threat intelligence groups" in this manual. |
| Most Active Threat Collections | Displays the top threat collections by event matches over the selected time, with a sparkline representing peak event matches. The drilldown opens a search with the selected threat collection. |
| Most Active Threat Sources | Displays the top threat sources over the selected time by event count matches. The drilldown opens a search with the selected threat source. |
| Threat Activity Details | Displays a breakout of the most recent threat matches. Use the event selection box Threat Activity Details with the Advanced Filter option to:
|
Data sources
The reports in the Threat Activity dashboard use fields in the Threat_Intelligence data model. Relevant data sources include threat source event matches in the threat_activity index along with the associated threat artifacts. See "Dashboard Troubleshooting" in this manual.
Threat Artifacts
The Threat Artifacts dashboard provides a single location to explore and review threat content sourced from all configured threat download sources. It provides additional context by showing all threat artifacts related to a user-specified threat source or artifact.
The dashboard offers multiple selection filters and tabs to isolate the threat content.
Begin by changing the Threat Artifact to select from available threat artifact types.
| Filter by | Description |
|---|---|
| Threat Artifact | A collection of objects grouped by the threat collection, such as network, file, and service. |
Other available filters will change depending on your selection.
| Threat Artifact selection | Filter by Text: (*) wildcard defaulted | Filter by Drop-down |
|---|---|---|
| Threat ID | Malware Alias, Intel Source ID, and Intel Source Path | Threat Category, Threat Group |
| Network | IP, Domain | HTTP. Select from: Referrer: User Agent, Cookie, Header, Data, or URL and add a string to search. |
| File | File Name, File Extension, File Path, and File Hash | |
| Registry | Hive, Path, Key Name, Value Name, Value Type, and Value Text | |
| Service | Name, Descriptive Name:, Description:, and Type | |
| User | User, Full Name, Group Name, and Description | |
| Process | Process, Process Arguments, Handle Names, and Handle Type | |
| Certificate | Serial Number, Subject, Issuer, Validity Not After, and Validity Not Before | |
| Address, Subject, and Body | ||
Use the tabs to review threat source context:
| Tab | Panels |
|---|---|
| Threat Overview | Endpoint Artifacts, Network Artifacts, Email Artifacts, Certificate Artifacts |
| Network | HTTP Intelligence, IP Intelligence, Domain Intelligence |
| Endpoint | File Intelligence, Registry Intelligence, Process Intelligence, Service Intelligence, User Intelligence |
| Certificate | Certificate Intelligence |
| Email Intelligence |
Data sources
The Threat Artifacts dashboard references fields in the threat collection KVStore. Relevant data sources include threat sources such as STIX and OpenIOC documents.
Troubleshooting
This dashboard references data from the Threat Intelligence KVStore collections. Without the applicable data, the dashboard panels will remain empty. To determine why data is not displaying in the dashboard, follow these troubleshooting steps.
- Confirm that the inputs are properly configured in the Threat Intelligence Downloads and Threat Intelligence Manager pages. Those inputs are responsible for ingesting data from the threat sources and placing it into the KVStore collections.
- Use the Threat Intelligence Audit dashboard panel Threat Intelligence Audit Events to review log entries created by the modular inputs.
See "Dashboard Troubleshooting" in this manual for more.
| Configure risk scoring | Configure threat intelligence sources |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only
Download manual
Feedback submitted, thanks!