Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Dashboard requirements matrix for Splunk Enterprise Security

The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are populated from data model accelerations unless otherwise noted.

Dashboard panel to data model

A - E

Dashboard Name Panel Title Data Model Data Model Dataset
Access Anomalies Geographically Improbable Accesses Relies on the gia_summary summary index, which is populated by the Access - Geographically Improbable Access - Summary Gen search. That search references the Authentication data model. Authentication.app, .src, .user
Concurrent Application Accesses Authentication Authentication.app, .src, .user
Access Center Access Over Time By Action Authentication Authentication.action
Access Over Time By App Authentication.app
Top Access By Source Authentication.src
Top Access By Unique User Authentication.user,.src
Access Search Authentication.action, .app, src, .dest, .user, src_user
Access Tracker First Time Access - Last 7 days None. Calls access_tracker lookup
Inactive Account Usage - Last 90 days
Completely Inactive Accounts - Last 90 days
Account Usage For Expired Identities - Last 7 days Authentication Authentication.dest
Account Management Account Management Over Time Change Analysis All_Changes.Account_Management, .action
Account Lockouts All_Changes.Account_Management, .result
Account Management By Source User All_Changes.Account_Management, .src_user
Top Account Management Events All_Changes.Account_Management, .action
Asset Center Assets By Priority Assets And Identities All_Assets.priority, .bunit, .category, .owner
Assets By Business Unit
Assets By Category
Asset Information
Asset Investigator Asset Investigator Based on swim lane selection
Dashboard Name Panel Title Data Model Data Model Dataset
Data Protection Data Integrity Control By Index Incident Management
Sensitive Data None. Calls a REST search on indexes checking for data integrity controls.
Default Account Activity Default Account Usage Over Time By App Authentication Authentication.Default_Authentication, .action, .app
Default Accounts In Use Authentication.user_category, .dest, .user
Default Local Accounts None. Calls useraccounts_tracker lookup
DNS Activity Top Reply Codes By Unique Sources Network Resolution DNS DNS.message_type, DNS.reply_code
Top DNS Query Sources DNS.message_type, DNS.src
Top DNS Queries DNS.message_type, DNS.query
Queries Per Domain DNS.message_type, DNS.query
Recent DNS Queries DNS.message_type
DNS Search DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer
Dashboard Name Panel Title Data Model Data Model Dataset
Email Activity Top Email Sources Email All_Email.src
Large Emails All_Email.size, src, .src_user, .dest
Rarely Seen Senders All_Email.protocol, .src, .src_user, .recipient
Rarely Seen Receivers All_Email.protocol, .src, .recipient
Email Search All_Email.protocol, .recipient, .src, .src_user, .dest
Endpoint Changes Endpoint Changes By Action Change Analysis All_Changes.Endpoint_Changes, .action
Endpoint Changes By Type All_Changes.Endpoint_Changes, .object_category
Endpoint Changes By System All_Changes.Endpoint_Changes, .object_category, .dest

F - M

Dashboard Name Panel Title Data Model Data Model Dataset
Forwarder Audit Event Count Over Time By Host None. Calls host_eventcount macro and search.
Hosts By Last Report Time
Splunkd Process Utilization Application State All_Application_State.Processes.cpu_load_percent, .mem_used, .process, All_Application_State.dest
Splunk Service Start Mode All_Application_State.Services.start_mode, .status, .service
HTTP Category Analysis Category Distribution Web Web.src, .category
Category Details Web.src, .dest, .category,
HTTP User Agent Analysis User Agent Distribution Web Web.http_user_agent_length, .http_user_agent
User Agent Details Web.http_user_agent_length, .src, .dest, .http_user_agent
Dashboard Name Panel Title Data Model Data Model Dataset
Identity Center Identities By Priority Assets and Identities All_Identities.priority, .bunit, .category
Identities By Business Unit
Identities By Category
Identity Information
Identity Investigator Identity Investigator Based on swim lane selection
Incident Review Audit Review Activity By Reviewer None. Calls a search over the es_notable_events KV Store collection.
Top Reviewers
Notable Events By Status - Last 48 hours
Notable Events By Owner - Last 24 hours
Recent Review Activity
Indexing Audit Events Per Day Over Time None. Calls a search over the licensing_epd KV Store collection.
Events Per Day
Events Per Index (Last Day)
Intrusion Center Attacks Over Time By Severity Intrusion Detection IDS_Attacks.severity
Top Attacks IDS_Attacks.dest, .src, .signature
Scanning Activity (Many Attacks) IDS_Attacks.signature
New Attacks IDS_Attacks.ids_type
Intrusion Search IDS_Attacks.severity, .category, .signature, .src, .dest
Investigations Investigations None. Calls a search over the investigation KV Store collection.
Investigation timelines None. Calls a search over the investigation_event KV Store collection.
Investigation note attachments None. Calls a search over the investigation_attachment KV Store collection.
Action history None. Calls one of five different searches. See Manage investigations in Splunk Enterprise Security.
Investigation workbench artifacts None. Calls a search over the investigation_leads KV Store collection.
Investigation workbench Authentication Data Authentication Authentication.app, .action, .src, .src_user, .dest, .user
Certificate Activity Certificates Certificates.SSL, .src, .src_port, .dest, .dest_port, .ssl_is_valid, .ssl_validity_window, .ssl_hash, .ssl_serial, .ssl_subject, .ssl_start_time, .ssl_end_time
Computer Inventory Inventory Compute_Inventory.All_Inventory, .os, .vendor_product, .user, .dest
DNS Data Network Resolution DNS Network_Resolution.DNS, DNS.dest, .query, .query_count, .message_type, .answer, .reply_code
Email Data Email Email.All_Email, .src, .dest, .src_user, .action, .recipient, .recipient_count, .subject
Filesystem Changes Change Analysis Change_Analysis.All_Changes, .user, .dest, .action, .status, All_Changes.Endpoint_Changes.Filesystem_Changes, .file_name, .file_hash, .file_path, .file_size, .file_create_time, .file_modify_time, .file_access_time
IDS Alerts Intrusion Detection Intrusion_Detection.IDS_Attacks, .user, .src, .dest, .severity, .category, .signature, .ids_type, .vendor_product, .dvc
Latest OS Updates Updates Updates.status, .user, .dest, .signature_id, .signature, .vendor_product
Network Session Data Network Sessions Network_Sessions.All_Sessions, .src_ip, .dest_ip, .dest_nt_host, .tag, .action, .vendor_product
Network Traffic Data Network Traffic Network_Traffic.All_Traffic, .packets, .src_ip, .dest_ip, .user, .transport, .action, .src, .src_port, .dest, .dest_port
Notable Events Incident Management Incident_Management.Notable_Events, .user, .src, .dest, .rule_name, .severity, .urgency, .security_domain, .status_label, .owner, .savedsearch_description
Port Activity Application State Application_State.Ports, .dest, .user, dest_port, .transport, .process_name, .process
Process Activity Application State Application_State.All_Application_State, .dest, .user, .process_name, .process
Registry Activity Change Analysis Change_Analysis_All_Changes, .user, .dest, .action, .status, .object, object_path, .object_attrs, .object_id, .Endpoint_Changes.Registry_Changes
Risk Scores Risk Analysis Risk.All_Risk, .risk_score, .risk_object_type, .risk_object
Service Activity Application State Application_State.Services, .dest, .user, .service, .service_id, .status, .start_mode, .process_name, .process
System Vulnerabilities Vulnerabilities Vulnerabilities.Vulnerabilities, .user, .dest, .severity, .signature, .category, .vendor_product
User Account Changes Change Analysis Change_Analysis.All_Changes, .user, .dest, .action, .status, .object, .object_path, .object_attrs, .object_id, .Account_Management
Web Activity Web Web.Web, .src, .dest, .user, .action, .http_method, .url, .http_referrer, .http_user_agent, .http_content_type, .status
Dashboard Name Panel Title Data Model Data Model Dataset
Malware Center Malware Activity Over Time By Action Malware Malware_Attacks.action
Malware Activity Over Time By Signature Malware_Attacks.signature
Top Infections Malware_Attacks.signature, .dest
New Malware - Last 30 Days None. Calls malware_tracker lookup.
Malware Operations Clients By Product Version None. Calls malware_operations_tracker lookup.
Clients By Signature Version
Oldest Infections
Repeat Infections Malware Malware_Attacks.action, .signature, .dest
Malware Search Malware_Attacks.action, .file_name, .user, .signature, .dest
Modular Action Center Action Invocations Over Time By Name Splunk Audit Logs Modular_Actions.Modular_Action_Invocations, .action_name
Top Actions By Name Modular_Actions.Modular_Action_Invocations, .action_mode, .user, .duration, .search_name, .rid, .sid
Top Actions By Search Modular_Actions.Modular_Action_Invocations, .action_name, .action_mode, .user, .search_name, .rid, .sid

N - S

Dashboard Name Panel Title Data Model Data Model Dataset
Network Changes Network Changes By Action Change Analysis All_Changes.Network_Changes, .action
Network Changes By Device All_Changes.Network_Changes, .dvc
New Domain Analysis New Domain Activity Web Web.dest
New Domain Activity By Age
New Domain Activity By TLD
Registration Details None
Dashboard Name Panel Title Data Model Data Model Dataset
Port & Protocol Tracker Port/Protocol Profiler Network Traffic All_Traffic.transport, .dest_port
Prohibited Or Insecure Traffic Over Time - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
Prohibited Traffic Details - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
New Port Activity - Last 7 Days None. Calls the application protocols lookup.
Protocol Center Connections By Protocol Network Traffic All_Traffic.app
Usage By Protocol All_Traffic.app, .bytes
Top Connection Sources All_Traffic.src
Usage For Well Known Ports All_Traffic.bytes, .dest_port
Long Lived Connections All_Traffic.src, .src_port, .duration, .dest, .dest_port, .transport
Risk Analysis Risk Modifiers Over Time Risk Analysis All_Risk.risk_score
Risk Score By Object All_Risk.risk_score
Most Active Sources All_Risk.risk_score, .risk_object
Recent Risk Modifiers All_Risk.*
Dashboard Name Panel Title Data Model Data Model Dataset
Security Posture Notable Events By Urgency None. Calls a search over the es_notable_events KVStore collection.
Notable Events Over Time
Top Notable Events
Top Notable Event Sources
Session Center Sessions Over Time Network Sessions All_Sessions.Session_*
Session Details All_Sessions.*
SSL Activity SSL Activity By Common Name Certificates All_Certificates.SSL.ssl_subject_common_name
SSL Cloud Sessions All_Certificates.SSL.ssl_subject_common_name, .src,
Recent SSL Sessions
SSL Search All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid
Suppression Audit Suppressed Events Over Time - Last 24 Hours None Calls a macro to search on notable events.
Suppression History Over Time - Last 30 Days Calls a macro and a search on Summary Gen information.
Suppression Management Activity Calls a search by eventtype.
Expired Suppressions Calls a search by eventtype.
System Center Operating Systems None. Calls system_version_tracker lookup.
Top-Average CPU Load By System Performance All_Performance.CPU.cpu_load_percent, All_Performance.dest
Services By System Count Application State All_Application_State.Services
Ports By System Count All_Application_State.Ports

T - Z

Dashboard Name Panel Title Data Model Data Model Dataset
Threat Activity Threat Activity Over Time Intrusion Detection, Network Traffic, and Web. For more details, see Threat Activity Data Sources.
Most Active Threat Collections
Most Active Threat Sources
Threat Activity Details
Threat Artifacts Threat Overview None. Calls the threat intelligence KV Store collections. For a list of threat intelligence collections, see Supported types of threat intelligence in Splunk Enterprise Security.
Endpoint Artifacts
Network Artifacts
Email Artifacts
Certificate Artifacts
Threat Intelligence Audit Threat Intelligence Downloads None. Calls a search by REST endpoint.
Threat Intelligence Audit Events None. Calls a search by eventtype.
Time Center Time Synchronization Failures Performance All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action
Systems Not Time Synching
Indexing Time Delay None. Calls the results of a Summary Gen search.
Time Service Start Mode Anomalies Application State All_Application_State.Services.start_mode, .Services.status, .dest_should_timesync, .tag, .dest
Traffic Center Traffic Over Time By Action Network Traffic All_Traffic.action
Traffic Over Time By Protocol All_Traffic.transport
Scanning Activity (Many Systems) All_Traffic.dest, .src
Top Sources All_Traffic.src
Traffic Search All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port
Traffic Size Analysis Traffic Size Anomalies Over Time Network Traffic All_Traffic.transport, .src
Traffic Size Details All_Traffic.bytes, .dest, .src
Dashboard Name Panel Title Data Model Data Model Dataset
Update Center Top Systems Needing Updates Updates Updates.status, .dest, .signature_id, .vendor_product
Top Updates Needed Updates.status, .dest, .signature_id, .vendor_product
Systems Not Updating - Greater Than 30 Days Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status
Update Service Start Mode Anomalies Application State All_Application_State.Services.start_mode, .Services.status, .Services.service, .tag
Update Search Updates Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product
URL Length Analysis URL Length Anomalies Over Time Web Web.http_method, .url
URL Length Details Web.url_length, .src, .dest, .url
User Activity Users By Risk Scores Risk Analysis All_Risk.risk_object
Non-corporate Web Uploads Web Web.bytes, .user, .http_method, .url
Non-corporate Email Activity Email All_Email.size, .recipient, .src_user,
Watchlisted Site Activity Web Web.src, .url
Remote Access Authentication Authentication.src, .user
Ticket Activity Ticket Management All_Ticket_Management.description, .priority, . severity, .src_user
Dashboard Name Panel Title Data Model Data Model Dataset
View Audit View Activity Over Time Splunk Audit Logs View_Activity.app, .view
Expected View Activity View_Activity.app, .view, .user
Vulnerability Center Top Vulnerabilities Vulnerabilities Vulnerabilities.signature, .dest
Most Vulnerable Hosts Vulnerabilities.signature, .severity, .dest
Vulnerabilities By Severity Vulnerabilities.signature, .severity, .dest
New Vulnerabilities Calls vuln_signature_reference lookup.
Vulnerability Operations Scan Activity Over Time Vulnerabilities Vulnerabilities.dest
Vulnerabilities By Age Calls vulnerability_tracker lookup.
Delinquent Scanning Vulnerabilities Vulnerabilities.dest
Vulnerability Search Vulnerabilities.category, .signature, .dest, .severity, .cve,
Web Center Events Over Time By Method Web Web.http_method
Events Over Time By Status Web.status
Top Sources Web.dest, .src
Top Destinations Web.dest, .src
Web Search Web.http_method, .status, .src, .dest, .url

Dashboards to Add-on

These dashboards are included in Splunk Enterprise Security. Use the navigation editor to add or rearrange dashboards on the menu bar. For more information about using the navigation editor, see Customize the menu bar in Splunk Enterprise Security.

To view the entire list of dashboards in Enterprise Security, select Search > Dashboards. To review the list of dashboards in Enterprise Security by add-on, use the Content Profile dashboard. See Content Profile.

Dashboard name Security Domain Part of Add-on
Access Anomalies Access DA-ESS-AccessProtection
Access Center Access DA-ESS-AccessProtection
Access Search Access DA-ESS-AccessProtection
Access Tracker Access DA-ESS-AccessProtection
Account Management Access DA-ESS-AccessProtection
Asset Center Asset SA-IdentityManagement
Asset Investigator Asset SA-IdentityManagement
Content Profile Audit SplunkEnterpriseSecuritySuite
Data Model Audit Audit Splunk_SA_CIM
Default Account Activity Access DA-ESS-AccessProtection
DNS Activity Network DA-ESS-NetworkProtection
DNS Search Network DA-ESS-NetworkProtection
Email Activity Network DA-ESS-NetworkProtection
Email Search Network DA-ESS-NetworkProtection
Endpoint Changes Endpoint DA-ESS-EndpointProtection
Forwarder Audit Audit SA-AuditAndDataProtection
HTTP Category Analysis Network DA-ESS-NetworkProtection
HTTP User Agent Analysis Network DA-ESS-NetworkProtection
Identity Center Identity SA-IdentityManagement
Identity_investigator Identity SA-IdentityManagement
Incident Review Threat SA-ThreatIntelligence
Incident Review Audit Threat SA-ThreatIntelligence
Indexing Audit Audit SA-AuditAndDataProtection
Intrusion Center Network DA-ESS-NetworkProtection
Intrusion Search Network DA-ESS-NetworkProtection
Malware Center Endpoint DA-ESS-EndpointProtection
Malware Operations Endpoint DA-ESS-EndpointProtection
Malware Search Endpoint DA-ESS-EndpointProtection
Network Changes Network DA-ESS-NetworkProtection
New Domain Analysis Network DA-ESS-NetworkProtection
Per-Panel Filter Audit Audit SA-Utils
Port & Protocol Tracker Network DA-ESS-NetworkProtection
Predictive Analytics Splunk_SA_CIM
Protocol Center Network DA-ESS-NetworkProtection
REST Audit Audit SA-Utils
Risk Analysis Threat SA-ThreatIntelligence
Search Audit Audit SA-AuditAndDataProtection
Security Posture SplunkEnterpriseSecuritySuite
Session Center Identity SA-IdentityManagement
SSL Activity Network DA-ESS-NetworkProtection
SSL Search Network DA-ESS-NetworkProtection
Suppression Audit Threat SA-ThreatIntelligence
System Center Endpoint DA-ESS-EndpointProtection
Threat Activity Threat DA-ESS-ThreatIntelligence
Threat Artifacts Threat DA-ESS-ThreatIntelligence
Threat Intelligence Audit Audit DA-ESS-ThreatIntelligence
Time Center Endpoint DA-ESS-EndpointProtection
Traffic Center Network DA-ESS-NetworkProtection
Traffic Search Network DA-ESS-NetworkProtection
Traffic Size Analysis Network DA-ESS-NetworkProtection
Update Center Endpoint DA-ESS-EndpointProtection
Update Search Endpoint DA-ESS-EndpointProtection
URL Length Analysis Network DA-ESS-NetworkProtection
User Activity Identity DA-ESS-IdentityManagement
View Audit Audit SplunkEnterpriseSecuritySuite
Vulnerability Center Network DA-ESS-NetworkProtection
Vulnerability Operations Network DA-ESS-NetworkProtection
Vulnerability Search Network DA-ESS-NetworkProtection
Web Center Network DA-ESS-NetworkProtection
Web Search Network DA-ESS-NetworkProtection
Last modified on 02 October, 2018
PREVIOUS
Create a Splunk Web message in Splunk Enterprise Security
  NEXT
Troubleshoot script errors in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters