Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES.

Dashboard overview

Splunk Enterprise Security includes more than 100 dashboards to identify and investigate security incidents, reveal insights in your events, accelerate incident investigations, monitor the status of various security domains, and audit your incident investigations and your Enterprise Security deployment.

The specific dashboards that will be most useful to you depend on how you plan to use Splunk Enterprise Security.

Identify and investigate security incidents

You can identify and investigate security incidents with a suite of dashboards and workflows. Splunk Enterprise Security uses correlation searches to identify notable events in your environment that represent security incidents.

  • Security Posture provides a high-level overview of the notable events in your environment over the last 24 hours. Identify the security domains with the most incidents, and the most recent activity. See Security Posture dashboard.
  • Incident Review shows the details of all notable events identified in your environment. Triage, assign, and review the details of notable events from this dashboard. See Incident Review.
  • My Investigations shows all investigations in your environment. Open and work investigations to track your progress and activity while investigating multiple related security incidents. See My Investigations.

Accelerate your investigations with security intelligence

A set of security intelligence dashboards allows you to investigate incidents with specific types of intelligence.

  • Risk analysis allows you to assess the risk scores of systems and users across your network and identify particularly risky devices and users posing a threat to your environment. See Risk Analysis.
  • Protocol intelligence dashboards use packet capture data from stream capture apps to provide network insights that are relevant to your security investigations. Identify suspicious traffic, DNS activity, email activity, and review the connections and protocols in use in your network traffic. See Protocol Intelligence dashboards.
  • Threat intelligence dashboards use the threat intelligence sources included in Splunk Enterprise Security and custom sources that you configure to provide context to your security incidents and identify known malicious actors in your environment. See Threat Intelligence dashboards.
  • User intelligence dashboards allow you to investigate and monitor the activity of users and assets in your environment. See Asset and Identity Investigator dashboards and User Activity Monitoring.
  • Web intelligence dashboards help you analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs. See Web Intelligence dashboards.

Monitor security domain activity

Domain dashboards provided with Splunk Enterprise Security allow you to monitor the events and status of important security domains. You can review the data summarized on the main dashboards, and use the search dashboards for specific domains to investigate the raw events.

  • Access domain dashboards display authentication and access-related data, such as login attempts, access control events, and default account activity. See Access dashboards.
  • Endpoint domain dashboards display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. See Endpoint dashboards.
  • Network domain dashboards display network traffic data provided by devices such as firewalls, routers, network intrusion detection systems, network vulnerability scanners, proxy servers, and hosts. See Network dashboards, Web Center and Network Changes dashboards, and Port & Protocol Tracker dashboard.
  • Identity domain dashboards display data from your asset and identity lists, as well as the types of sessions in use. See Asset and Identity dashboards.

Visualize security metrics

Create a glass table to visualize security metrics in your environment. Monitor threat activity in your environment, assess the state of your Splunk Enterprise Security deployment, or map out the path that an attacker took through your network so that you can monitor for future intrusion attempts. See Create a glass table.

Audit activity in Splunk Enterprise Security

The audit dashboards provide insight into background processes and tasks performed by Splunk Enterprise Security. Some audit dashboards allow you to review actions taken by users in Splunk Enterprise Security, while others provide insight into your deployment and the status of your data models and content use. See Audit dashboards.

Customize dashboards to fit your use cases

You can make changes to dashboards and the searches behind dashboard panels to make them more relevant to your organization, environment, or security use cases. View the search behind a dashboard panel with the panel editor to see where the data is coming from. Edit the title of a panel, the search behind a panel, and even the visualization.

Switch between dashboards and events

Dig deeper into data on dashboards by drilling down to raw events, and use workflow actions to move from raw events to investigating specific fields on dashboards, or performing other actions outside of the Splunk platform.

You can drill down to raw events from charts and tables in dashboards. You can find information about the drilldown behavior in the Splunk platform documentation.

You can take action on raw events with workflow actions. You can also create custom workflow actions. You can find information about workflow actions in the Splunk platform documentation.


This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only

