Dashboard requirements matrix
The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are populated from data model accelerations unless otherwise noted.
Dashboard panel to data model
A - E
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Access Anomalies
|
Geographically Improbable Accesses
|
Authentication
|
Authentication.app, .src, .user_bunit
|
| Concurrent Application Accesses
|
Authentication.app, .src, .user
|
| Access Center
|
Access Over Time By Action
|
Authentication
|
Authentication.action
|
| Access Over Time By App
|
Authentication.app
|
| Top Access By Source
|
Authentication.src
|
| Top Access By Unique User
|
Authentication.user,.src
|
| Access Search
|
Authentication.action, .app, src, .dest, .user, src_user
|
| Access Tracker
|
First Time Access - Last 7 days
|
None. Calls access_tracker lookup
|
| Inactive Account Usage - Last 90 days
|
| Completely Inactive Accounts - Last 90 days
|
| Account Usage For Expired Identities - Last 7 days
|
Authentication
|
Authentication.dest
|
| Account Management
|
Account Management Over Time
|
Change Analysis
|
All_Changes.Account_Management, .action
|
| Account Lockouts
|
All_Changes.Account_Management, .result
|
| Account Management By Source User
|
All_Changes.Account_Management, .src_user
|
| Top Account Management Events
|
All_Changes.Account_Management, .action
|
| Asset Center
|
Assets By Priority
|
Assets And Identities
|
All_Assets.priority, .bunit, .category, .owner
|
| Assets By Business Unit
|
| Assets By Category
|
| Asset Information
|
| Asset Investigator |
Asset Investigator
|
Based on swim lane selection
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Data Protection
|
Data Integrity Control By Index
|
Incident Management
|
| Sensitive Data
|
None. Calls a REST search on indexes checking for data integrity controls.
|
| Default Account Activity
|
Default Account Usage Over Time By App
|
Authentication
|
Authentication.Default_Authentication, .action, .app
|
| Default Accounts In Use
|
Authentication.user_category, .dest, .user
|
| Default Local Accounts
|
None. Calls useraccounts_tracker lookup
|
| DNS Activity
|
Top Reply Codes By Unique Sources
|
Network Resolution DNS
|
DNS.message_type, DNS.reply_code
|
| Top DNS Query Sources
|
DNS.message_type, DNS.src
|
| Top DNS Queries
|
DNS.message_type, DNS.query
|
| Queries Per Domain
|
DNS.message_type, DNS.query
|
| Recent DNS Queries
|
DNS.message_type
|
| DNS Search
|
DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Email Activity
|
Top Email Sources
|
Email
|
All_Email.src
|
| Large Emails
|
All_Email.size, src, .src_user, .dest
|
| Rarely Seen Senders
|
All_Email.protocol, .src, .src_user, .recipient
|
| Rarely Seen Receivers
|
All_Email.protocol, .src, .recipient
|
| Email Search
|
All_Email.protocol, .recipient, .src, .src_user, .dest
|
| Endpoint Changes
|
Endpoint Changes By Action
|
Change Analysis
|
All_Changes.Endpoint_Changes, .action
|
| Endpoint Changes By Type
|
All_Changes.Endpoint_Changes, .object_category
|
| Endpoint Changes By System
|
All_Changes.Endpoint_Changes, .object_category, .dest
|
F - M
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Forwarder Audit
|
Event Count Over Time By Host
|
None. Calls host_eventcount macro and search.
|
| Hosts By Last Report Time
|
| Splunkd Process Utilization
|
Application State
|
All_Application_State.Processes.cpu_load_percent, .mem_used, .process, All_Application_State.dest
|
| Splunk Service Start Mode
|
All_Application_State.Services.start_mode, .status, .service
|
| HTTP Category Analysis
|
Category Distribution
|
Web
|
Web.src, .category
|
| Category Details
|
Web.src, .dest, .category,
|
| HTTP User Agent Analysis
|
User Agent Distribution
|
Web
|
Web.http_user_agent_length, .http_user_agent
|
| User Agent Details
|
Web.http_user_agent_length, .src, .dest, .http_user_agent
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Identity Center
|
Identities By Priority
|
Assets and Identities
|
All_Identities.priority, .bunit, .category
|
| Identities By Business Unit
|
| Identities By Category
|
| Identity Information
|
| Identity Investigator |
Identity Investigator
|
Based on swim lane selection
|
| Incident Review Audit
|
Review Activity By Reviewer
|
None. Calls a search over the es_notable_events KVStore collection.
|
| Top Reviewers
|
| Notable Events By Status - Last 48 hours
|
| Notable Events By Owner - Last 24 hours
|
| Recent Review Activity
|
| Indexing Audit
|
Events Per Day Over Time
|
None. Calls a search over the licensing_epd KVStore collection.
|
| Events Per Day
|
| Events Per Index (Last Day)
|
| Intrusion Center
|
Attacks Over Time By Severity
|
Intrusion Detection
|
IDS_Attacks.severity
|
| Top Attacks
|
IDS_Attacks.dest, .src, .signature
|
| Scanning Activity (Many Attacks)
|
IDS_Attacks.signature
|
| New Attacks
|
IDS_Attacks.ids_type
|
| Intrusion Search
|
IDS_Attacks.severity, .category, .signature, .src, .dest
|
| Investigations
|
Investigations
|
None. Calls a search over the investigation KVStore collection.
|
| Investigation timelines
|
None. Calls a search over the investigation_event KVStore collection.
|
| Investigation attachments
|
None. Calls a search over the investigation_attachment KVStore collection.
|
| Action history
|
None. Calls a search over the action_history KVStore collection.
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Malware Center
|
Malware Activity Over Time By Action
|
Malware
|
Malware_Attacks.action
|
| Malware Activity Over Time By Signature
|
Malware_Attacks.signature
|
| Top Infections
|
Malware_Attacks.signature, .dest
|
| New Malware - Last 30 Days
|
None. Calls malware_tracker lookup.
|
| Malware Operations
|
Clients By Product Version
|
None. Calls malware_operations_tracker lookup.
|
| Clients By Signature Version
|
| Oldest Infections
|
| Repeat Infections
|
Malware
|
Malware_Attacks.action, .signature, .dest
|
| Malware Search
|
Malware_Attacks.action, .file_name, .user, .signature, .dest
|
| Modular Action Center
|
Action Invocations Over Time By Name
|
Splunk Audit Logs
|
Modular_Actions.Modular_Action_Invocations, .action_name
|
| Top Actions By Name
|
Modular_Actions.Modular_Action_Invocations, .action_mode, .user, .duration, .search_name, .rid, .sid
|
| Top Actions By Search
|
Modular_Actions.Modular_Action_Invocations, .action_name, .action_mode, .user, .search_name, .rid, .sid
|
N - S
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Network Changes
|
Network Changes By Action
|
Change Analysis
|
All_Changes.Network_Changes, .action
|
| Network Changes By Device
|
All_Changes.Network_Changes, .dvc
|
| New Domain Analysis
|
New Domain Activity
|
Web
|
Web.dest
|
| New Domain Activity By Age
|
| New Domain Activity By TLD
|
| Registration Details
|
None
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Port & Protocol Tracker
|
Port/Protocol Profiler
|
Network Traffic
|
All_Traffic.transport, .dest_port
|
| Prohibited Or Insecure Traffic Over Time - Last 24 Hours
|
All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
|
| Prohibited Traffic Details - Last 24 Hours
|
All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
|
| New Port Activity - Last 7 Days
|
None. Calls the application protocols lookup.
|
| Protocol Center
|
Connections By Protocol
|
Network Traffic
|
All_Traffic.app
|
| Usage By Protocol
|
All_Traffic.app, .bytes
|
| Top Connection Sources
|
All_Traffic.src
|
| Usage For Well Known Ports
|
All_Traffic.bytes, .dest_port
|
| Long Lived Connections
|
All_Traffic.src, .src_port, .duration, .dest, .dest_port, .transport
|
| Risk Analysis
|
Risk Modifiers Over Time
|
Risk Analysis
|
All_Risk.risk_score
|
| Risk Score By Object
|
All_Risk.risk_score
|
| Most Active Sources
|
All_Risk.risk_score, .risk_object
|
| Recent Risk Modifiers
|
All_Risk.*
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Security Posture
|
Notable Events By Urgency
|
None. Calls a search over the es_notable_events KVStore collection.
|
| Notable Events Over Time
|
| Top Notable Events
|
| Top Notable Event Sources
|
| Session Center
|
Sessions Over Time
|
Network Sessions
|
All_Sessions.Session_*
|
| Session Details
|
All_Sessions.*
|
| SSL Activity
|
SSL Activity By Common Name
|
Certificates
|
All_Certificates.SSL.ssl_subject_common_name
|
| SSL Cloud Sessions
|
All_Certificates.SSL.ssl_subject_common_name, .src,
|
| Recent SSL Sessions
|
|
| SSL Search
|
All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid
|
| Suppression Audit
|
Suppressed Events Over Time - Last 24 Hours
|
None
|
Calls a macro to search on notable events.
|
| Suppression History Over Time - Last 30 Days
|
Calls a macro and a search on Summary Gen information.
|
| Suppression Management Activity
|
Calls a search by eventtype.
|
| Expired Suppressions
|
Calls a search by eventtype.
|
| System Center
|
Operating Systems
|
None. Calls system_version_tracker lookup.
|
| Top-Average CPU Load By System
|
Performance
|
All_Performance.CPU.cpu_load_percent, All_Performance.dest
|
| Services By System Count
|
Application State
|
All_Application_State.Services
|
| Ports By System Count
|
All_Application_State.Ports
|
T - Z
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Threat Activity
|
Threat Activity Over Time
|
Intrusion Detection, Network Traffic, and Web. For more details, see Threat Activity Data Sources.
|
| Most Active Threat Collections
|
| Most Active Threat Sources
|
| Threat Activity Details
|
| Threat Artifacts
|
Threat Overview
|
None. Calls the threat intelligence KVStore collections. For more details, see Configure threat intelligence sources.
|
| Endpoint Artifacts
|
| Network Artifacts
|
| Email Artifacts
|
| Certificate Artifacts
|
| Threat Intelligence Audit
|
Threat Intelligence Downloads
|
None. Calls a search by REST endpoint.
|
| Threat Intelligence Audit Events
|
None. Calls a search by eventtype.
|
| Time Center
|
Time Synchronization Failures
|
Performance
|
All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action
|
| Systems Not Time Synching
|
| Indexing Time Delay
|
None. Calls the results of a Summary Gen search.
|
| Time Service Start Mode Anomalies
|
Application State
|
All_Application_State.Services.start_mode, .Services.status, .dest_should_timesync, .tag, .dest
|
| Traffic Center
|
Traffic Over Time By Action
|
Network Traffic
|
All_Traffic.action
|
| Traffic Over Time By Protocol
|
All_Traffic.transport
|
| Scanning Activity (Many Systems)
|
All_Traffic.dest, .src
|
| Top Sources
|
All_Traffic.src
|
| Traffic Search
|
All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port
|
| Traffic Size Analysis
|
Traffic Size Anomalies Over Time
|
Network Traffic
|
All_Traffic.transport, .src
|
| Traffic Size Details
|
All_Traffic.bytes, .dest, .src
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| Update Center
|
Top Systems Needing Updates
|
Updates
|
Updates.status, .dest, .signature_id, .vendor_product
|
| Top Updates Needed
|
Updates.status, .dest, .signature_id, .vendor_product
|
| Systems Not Updating - Greater Than 30 Days
|
Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status
|
| Update Service Start Mode Anomalies
|
Application State
|
All_Application_State.Services.start_mode, .Services.status, .Services.service, .tag
|
| Update Search
|
Updates
|
Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product
|
| URL Length Analysis
|
URL Length Anomalies Over Time
|
Web
|
Web.http_method, .url
|
| URL Length Details
|
Web.url_length, .src, .dest, .url
|
| User Activity
|
Users By Risk Scores
|
Risk Analysis
|
All_Risk.risk_object
|
| Non-corporate Web Uploads
|
Web
|
Web.bytes, .user, .http_method, .url
|
| Non-corporate Email Activity
|
Email
|
All_Email.size, .recipient, .src_user,
|
| Watchlisted Site Activity
|
Web
|
Web.src, .url
|
| Remote Access
|
Authentication
|
Authentication.src, .user
|
| Ticket Activity
|
Ticket Management
|
All_Ticket_Management.description, .priority, . severity, .src_user
|
| Dashboard Name
|
Panel Title
|
Data Model
|
Data Model Dataset
|
| View Audit
|
View Activity Over Time
|
Splunk Audit Logs
|
View_Activity.app, .view
|
| Expected View Activity
|
View_Activity.app, .view, .user
|
| Vulnerability Center
|
Top Vulnerabilities
|
Vulnerabilities
|
Vulnerabilities.signature, .dest
|
| Most Vulnerable Hosts
|
Vulnerabilities.signature, .severity, .dest
|
| Vulnerabilities By Severity
|
Vulnerabilities.signature, .severity, .dest
|
| New Vulnerabilities
|
Calls vuln_signature_reference lookup
|
| Vulnerability Operations
|
Scan Activity Over Time
|
Vulnerabilities
|
Vulnerabilities.dest
|
| Vulnerabilities By Age
|
Vulnerabilities.severity, .signature, .dest
|
| Delinquent Scanning
|
Vulnerabilities.dest
|
| Vulnerability Search
|
Vulnerabilities.category, .signature, .dest, .severity, .cve,
|
| Web Center
|
Events Over Time By Method
|
Web
|
Web.http_method
|
| Events Over Time By Status
|
Web.status
|
| Top Sources
|
Web.dest, .src
|
| Top Destinations
|
Web.dest, .src
|
| Web Search
|
Web.http_method, .status, .src, .dest, .url
|
Dashboards to Add-on
These dashboards are included in Splunk Enterprise Security. Use the Navigation editor to add or rearrange dashboards on the menu bar.
To view the entire list of dashboards in Enterprise Security, select Search > Dashboards. To review the list of dashboards in Enterprise Security by add-on, see the Content Profile dashboard. See Content Profile.
| Dashboard name
|
Security Domain
|
Part of Add-on
|
| Access Anomalies
|
Access
|
DA-ESS-AccessProtection
|
| Access Center
|
Access
|
DA-ESS-AccessProtection
|
| Access Search
|
Access
|
DA-ESS-AccessProtection
|
| Access Tracker
|
Access
|
DA-ESS-AccessProtection
|
| Account Management
|
Access
|
DA-ESS-AccessProtection
|
| Asset Center
|
Asset
|
SA-IdentityManagement
|
| Asset Investigator
|
Asset
|
SA-IdentityManagement
|
| Content Profile
|
Audit
|
SplunkEnterpriseSecuritySuite
|
| Data Model Audit
|
Audit
|
Splunk_SA_CIM
|
| Default Account Activity
|
Access
|
DA-ESS-AccessProtection
|
| DNS Activity
|
Network
|
DA-ESS-NetworkProtection
|
| DNS Search
|
Network
|
DA-ESS-NetworkProtection
|
| Email Activity
|
Network
|
DA-ESS-NetworkProtection
|
| Email Search
|
Network
|
DA-ESS-NetworkProtection
|
| Endpoint Changes
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Forwarder Audit
|
Audit
|
SA-AuditAndDataProtection
|
| HTTP Category Analysis
|
Network
|
DA-ESS-NetworkProtection
|
| HTTP User Agent Analysis
|
Network
|
DA-ESS-NetworkProtection
|
| Identity Center
|
Identity
|
SA-IdentityManagement
|
| Identity_investigator
|
Identity
|
SA-IdentityManagement
|
| Incident Review
|
Threat
|
SA-ThreatIntelligence
|
| Incident Review Audit
|
Threat
|
SA-ThreatIntelligence
|
| Indexing Audit
|
Audit
|
SA-AuditAndDataProtection
|
| Intrusion Center
|
Network
|
DA-ESS-NetworkProtection
|
| Intrusion Search
|
Network
|
DA-ESS-NetworkProtection
|
| Malware Center
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Malware Operations
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Malware Search
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Network Changes
|
Network
|
DA-ESS-NetworkProtection
|
| New Domain Analysis
|
Network
|
DA-ESS-NetworkProtection
|
| Per-Panel Filter Audit
|
Audit
|
SA-Utils
|
| Port & Protocol Tracker
|
Network
|
DA-ESS-NetworkProtection
|
| Predictive Analytics
|
|
Splunk_SA_CIM
|
| Protocol Center
|
Network
|
DA-ESS-NetworkProtection
|
| REST Audit
|
Audit
|
SA-Utils
|
| Risk Analysis
|
Threat
|
SA-ThreatIntelligence
|
| Search Audit
|
Audit
|
SA-AuditAndDataProtection
|
| Security Posture
|
|
SplunkEnterpriseSecuritySuite
|
| Session Center
|
Identity
|
SA-IdentityManagement
|
| SSL Activity
|
Network
|
DA-ESS-NetworkProtection
|
| SSL Search
|
Network
|
DA-ESS-NetworkProtection
|
| Suppression Audit
|
Threat
|
SA-ThreatIntelligence
|
| System Center
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Threat Activity
|
Threat
|
DA-ESS-ThreatIntelligence
|
| Threat Artifacts
|
Threat
|
DA-ESS-ThreatIntelligence
|
| Threat Intelligence Audit
|
Audit
|
DA-ESS-ThreatIntelligence
|
| Time Center
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Traffic Center
|
Network
|
DA-ESS-NetworkProtection
|
| Traffic Search
|
Network
|
DA-ESS-NetworkProtection
|
| Traffic Size Analysis
|
Network
|
DA-ESS-NetworkProtection
|
| Update Center
|
Endpoint
|
DA-ESS-EndpointProtection
|
| Update Search
|
Endpoint
|
DA-ESS-EndpointProtection
|
| URL Length Analysis
|
Network
|
DA-ESS-NetworkProtection
|
| User Activity
|
Identity
|
DA-ESS-IdentityManagement
|
| View Audit
|
Audit
|
SplunkEnterpriseSecuritySuite
|
| Vulnerability Center
|
Network
|
DA-ESS-NetworkProtection
|
| Vulnerability Operations
|
Network
|
DA-ESS-NetworkProtection
|
| Vulnerability Search
|
Network
|
DA-ESS-NetworkProtection
|
| Web Center
|
Network
|
DA-ESS-NetworkProtection
|
| Web Search
|
Network
|
DA-ESS-NetworkProtection
|
Download manual
Feedback submitted, thanks!