Splunk® Enterprise Security

Use Splunk Enterprise Security


Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES.

Creating new content in Splunk Enterprise Security

Create new content on Content Management.

Create a correlation search

See Create a correlation search in Splunk Enterprise Security Tutorials.

Create a key indicator search

Create a key indicator search to create a key indicator that you can add to a dashboard or glass table as a security metric.

  1. From the Enterprise Security menu bar, select Configure > Content Management.
  2. Click Create New Content and select Key Indicator Search.
  3. Type a key indicator name.
    In order for the key indicator to show up in the list of security metrics on a glass table, type a category or security domain at the beginning of the key indicator name followed by a hyphen. For example, APT - Example Key Indicator or Access - Sample Key Indicator.
  4. Type a search, and other details.
    The key indicators that come with Enterprise Security use data models to accelerate the return of results.
  5. (Optional) Select Schedule to use data model acceleration for your custom key indicator.
  6. Type the name of the field that corresponds to the value of the key indicator in the Value field.
  7. Type the name of the field that corresponds to the change in the key indicator in the Delta field.
  8. (Optional) Type a Threshold for the key indicator. The threshold controls whether the key indicator changes color. You can also set the threshold in dashboards and on glass tables.
  9. Type a Value Suffix to indicate units or another word to follow the key indicator.
  10. Select the Invert check box to invert the colors of the key indicator. Select this check box to indicate that a high value is good and a low value is bad.
  11. Click Save.
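The following Python is an added example, not code from this documentation or from Splunk Enterprise Security itself. It models the single result row a key indicator search produces and how the Value, Delta, Threshold, Invert and Value Suffix settings read that row. The event timestamps are constructed sample data, and the rule that a value at or above the threshold is the alarming state unless Invert is set is an assumption of this example.

```python
# Added example, not Splunk's own code: a model of the result row a key indicator
# search returns and of how the Value, Delta, Threshold and Invert settings read it.
# The timestamps below are constructed sample data, assumed to be authentication
# failures counted over a 24 hour window.
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [NOW - timedelta(hours=h) for h in (1, 2, 3, 5, 8, 13, 21)]   # last 24 hours: 7 events
    + [NOW - timedelta(hours=h) for h in (25, 30, 40, 47)]        # 24 to 48 hours ago: 4 events
)


def key_indicator_row(events, now, window=timedelta(hours=24)):
    """Return the single result row the key indicator search would produce.

    'count' is the field named in Value; 'delta' is the field named in Delta,
    computed here as the current window minus the previous window of equal length.
    """
    current = sum(1 for t in events if now - window < t <= now)
    previous = sum(1 for t in events if now - 2 * window < t <= now - window)
    return {"count": current, "delta": current - previous}


def indicator_state(row, value_field, delta_field, threshold=None, invert=False, suffix=""):
    """Apply Threshold and Invert to a result row.

    Assumption made by this example: without Invert, a value at or above the
    threshold is the alarming ('bad') state that changes the indicator's color;
    with Invert a high value is good and a low value is bad.
    """
    value = row[value_field]
    delta = row[delta_field]
    if threshold is None:
        state = "neutral"            # no threshold: the indicator never changes color
    else:
        above = value >= threshold
        if invert:
            state = "good" if above else "bad"
        else:
            state = "bad" if above else "good"
    trend = "up" if delta > 0 else "down" if delta < 0 else "flat"
    return {
        "display": f"{value}{suffix}",   # Value Suffix follows the value, e.g. '7 failures'
        "delta": delta,
        "trend": trend,
        "state": state,
    }


if __name__ == "__main__":
    row = key_indicator_row(SAMPLE_EVENTS, NOW)
    print(row)
    print(indicator_state(row, "count", "delta", threshold=5, suffix=" failures"))
    print(indicator_state(row, "count", "delta", threshold=5, invert=True, suffix=" failures"))
```

With the sample data the row is count 7 and delta 3; a threshold of 5 puts the indicator in the alarming state, and the same row with Invert selected reads as good, which is the effect the Invert check box is for.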

Create a new saved search or scheduled report

Create a saved search, also called a scheduled report, in Splunk Enterprise Security.

  1. From the Enterprise Security menu bar, select Configure > Content Management.
  2. Click Create New Content and select Saved Search.
  3. Create a saved search, also called a scheduled report, following the instructions in the Splunk platform documentation.
  4. Modify the permissions of the report to share it with Enterprise Security so that you can view and manage the search in Enterprise Security, following the instructions in the Splunk platform documentation.

Create a search-driven lookup

See Create a search-driven lookup.

Create a swim lane search

Create a swim lane search to create a swim lane that you can add to the Asset Investigator or Identity Investigator dashboard. Swim lanes on the investigator dashboards help you profile activity by a specific asset or identity over time.

  1. From the Enterprise Security menu bar, select Configure > Content Management.
  2. Click Create New Content and select Swim Lane Search.
  3. Type a Search Name.
  4. Select a Destination App.
  5. Type a Title for the swim lane that appears on the dashboard.
  6. Type a Search that populates the swim lane.
  7. Type a Drilldown Search that runs when a user clicks a swim lane item. By default, the swim lane item drilldown shows the raw events.
  8. Select a color.
  9. Select an Entity Type of Asset or Identity.
  10. Type Constraint Fields. These are the fields that constrain the search to the asset or identity being investigated. Your search must contain where $constraints$ to use these constraint fields in the search. Only specific constraints are valid for each type of swim lane search.
    For example, an Asset Investigator swim lane search using the Malware data model and the Malware_Attacks data model dataset could specify the Malware_Attacks.user field as a constraint.
  11. Click Save.

For example, create a swim lane to identify all authentication events involving a specific asset.

  1. Type a Search Name of Authentication by Asset - Example.
  2. Select a Destination App of DA-ESS-AccessProtection.
  3. Type a Title for the swim lane that appears on the dashboard: All Authentication.
  4. Type a Search that populates the swim lane.

    | tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

  5. Type a Drilldown Search.

    | `datamodel("Authentication","Authentication")` | search $constraints$

  6. Select the color Purple.
  7. Select an entity type of Asset because you want to investigate all authentication events by asset and be able to add this swim lane to the Asset Investigator dashboard. With Asset selected, each field specified as a constraint field performs a reverse lookup against the other fields that identify an asset.
  8. Type constraint fields of Authentication.src and Authentication.dest to identify authentications originating from or targeting a specific asset.

Assuming an asset lookup entry with an IP address of 1.2.3.4, dns of server.example.com, and nt_host of server1, the search for this swim lane searches for all authentication events where the source or destination of the authentication event is 1.2.3.4, server.example.com, or server1.

... Authentication.src=1.2.3.4 OR Authentication.src=server.example.com OR Authentication.src=server1 OR Authentication.dest=1.2.3.4 OR Authentication.dest=server.example.com OR Authentication.dest=server1
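The following Python is an added example, not code from this documentation or from Splunk Enterprise Security. It models the expansion just described: the constraint fields Authentication.src and Authentication.dest are matched against every identifying value of the asset lookup entry and ORed together, then substituted for $constraints$ (and $span$) in the swim lane search and the drilldown search from the steps above. The asset entry and search text come from the example above; that ip, dns and nt_host are the asset-identifying fields, and the parentheses placed around the clause, are assumptions of this example.

```python
# Added example, not Splunk Enterprise Security's own code: a model of how the
# Constraint Fields of a swim lane search are expanded into the $constraints$
# clause for one asset. The asset entry and search text are taken from the
# example above; the asset-identifying field names are an assumption.
import re

# Constructed asset lookup entry (the one used in the text).
ASSET = {"ip": "1.2.3.4", "dns": "server.example.com", "nt_host": "server1"}

# Assumption: these fields of an asset lookup entry identify the asset, and each
# constraint field is matched against every one of them (the reverse lookup).
ASSET_ID_FIELDS = ("ip", "dns", "nt_host")

SWIM_LANE_SEARCH = (
    "| tstats `summariesonly` values(Authentication.action) as action,"
    "values(Authentication.app) as app,values(Authentication.src) as src,"
    "values(Authentication.dest) as dest,values(Authentication.user) as user,count "
    "from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$"
)
DRILLDOWN_SEARCH = '| `datamodel("Authentication","Authentication")` | search $constraints$'


def _spl_value(value):
    """Quote a field value for SPL unless it is a plain token (as in the text's example)."""
    if re.fullmatch(r"[\w.:\-]+", value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_constraints(entity, constraint_fields, id_fields=ASSET_ID_FIELDS):
    """OR together every constraint field against every identifying value of the entity."""
    terms = []
    for field in constraint_fields:
        for id_field in id_fields:
            value = entity.get(id_field)
            if value:                      # skip identifiers the lookup entry lacks
                terms.append(f"{field}={_spl_value(value)}")
    if not terms:
        raise ValueError("entity has no identifying values to constrain on")
    return " OR ".join(terms)


def render_search(template, constraints, span="1h"):
    """Substitute $constraints$ (required) and $span$ (if present) into a swim lane search."""
    if "$constraints$" not in template:
        raise ValueError("a swim lane search must contain $constraints$")
    # Parenthesised so the OR clause stays grouped if the template ANDs other terms onto it.
    return template.replace("$constraints$", f"({constraints})").replace("$span$", span)


if __name__ == "__main__":
    clause = build_constraints(ASSET, ["Authentication.src", "Authentication.dest"])
    print(render_search(SWIM_LANE_SEARCH, clause, span="1h"))
    print(render_search(DRILLDOWN_SEARCH, clause))
```

The clause produced for the asset above is the six-term OR shown in the text, and a template without $constraints$ is rejected, which is the check behind the rule that a swim lane search must contain where $constraints$.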

Create a new view or dashboard

Create a new view or dashboard using Simple XML from Content Management.

Prerequisite

Creating new views and dashboards from Content Management requires familiarity with Simple XML. For an overview of building and editing dashboards, including working with Simple XML, see the Splunk platform documentation.

  • For Splunk Enterprise, see Dashboard overview in Splunk Enterprise Dashboards and Visualizations.

Task

  1. From the Enterprise Security menu bar, select Configure > Content Management.
  2. Click Create New Content and select View.
  3. Create a new dashboard with Simple XML.
  4. Modify the permissions to share the new view with Enterprise Security so that you can view and manage it in Enterprise Security.
    1. From the Splunk bar, select Settings > User interface > Views.
    2. Locate the View name that you created.
    3. Click Permissions and modify the permissions to share the view with Enterprise Security.
    4. Click Save.

You can also create a new dashboard with the interactive dashboard editor. Select Search > Dashboards to open the Dashboards page. You can find information about the Dashboard Editor in the Splunk platform documentation.

Use the Navigation editor to change which dashboards are visible on the menu in your deployment. For more information, see Navigation in this manual.


This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only

