Create and manage swim lane searches in Splunk Enterprise Security
Create a swim lane search to create a swim lane that you can add to the Asset Investigator or Identity Investigator dashboard. Swim lanes on the investigator dashboards help you profile activity by a specific asset or identity over time.
- From the Enterprise Security menu bar, select Configure > Content > Content Management.
- Click Create New Content and select Swim Lane Search.
- Type a Search Name.
- Select a Destination App.
- Type a Title for the swim lane that appears on the dashboard.
- Type a Search that populates the swim lane.
- Type a Drilldown Search that runs when a user clicks a swim lane item. By default, the swim lane item drilldown shows the raw events.
- Select a color.
- Select an Entity Type of Asset or Identity.
- Type Constraint Fields. Type a field to specify constraints on the search. Your search must contain "where $constraints$" to use these constraint fields in the search. Only specific constraints are valid for each type of swim lane search. For example, an Asset Investigator swim lane search using the Malware data model and the Malware_Attacks data model dataset could specify the Malware_Attacks.user field as a constraint.
- Click Save.
Example
For example, create a swim lane to identify all authentication events involving a specific asset.
- Type a Search Name of Authentication by Asset - Example
- Select a Destination App of DA-ESS-AccessProtection.
- Type a Title for the swim lane that appears on the dashboard: All Authentication.
- Type a Search that populates the swim lane.
| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$
- Type a Drilldown Search.
| `datamodel("Authentication","Authentication")` | search $constraints$
- Select the color Purple.
- Select an entity type of Asset because you want to investigate all authentication events by asset and be able to add this swim lane to the Asset Investigator dashboard. With this specified, all constraints specified as constraint fields perform a reverse lookup against the other fields that identify an asset.
- Type constraint fields of Authentication.src and Authentication.dest to identify authentications originating from or targeting a specific asset.
Assuming an asset lookup entry with an IP address of 1.2.3.4, dns of server.example.com, and nt_host of server1, the search for this swim lane searches for all authentication events where the source or destination of the authentication event is 1.2.3.4, server.example.com, or server1.
... Authentication.src=1.2.3.4 OR Authentication.src=server.example.com OR Authentication.src=server1 OR Authentication.dest=1.2.3.4 OR Authentication.dest=server.example.com OR Authentication.dest=server1
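The following added example (not part of the Splunk documentation or of Splunk ES itself) models the reverse lookup described above: each constraint field is matched against every identifier of the asset lookup entry and the resulting OR clause is substituted for $constraints$ in the swim lane search. The helper names, the asset dictionary, and the refusal to run when the asset has no identifiers are assumptions made for illustration.

```python
# Constructed asset lookup entry with the columns used in the example above.
ASSET = {"ip": "1.2.3.4", "dns": "server.example.com", "nt_host": "server1"}

# Constructed swim lane definition mirroring the Authentication example above.
SWIMLANE = {
    "constraint_fields": ["Authentication.src", "Authentication.dest"],
    "search": (
        "| tstats `summariesonly` count from datamodel=Authentication.Authentication "
        "where $constraints$ by _time span=$span$"
    ),
}

# Asset-identifying columns that an Entity Type of Asset expands against (assumed set).
ASSET_ID_FIELDS = ("ip", "dns", "nt_host")


def expand_constraints(constraint_fields, asset):
    """Build the OR clause for $constraints$: every constraint field matched
    against every identifier present in the asset lookup entry."""
    values = [asset[k] for k in ASSET_ID_FIELDS if asset.get(k)]
    terms = [f"{field}={value}" for field in constraint_fields for value in values]
    return " OR ".join(terms)


def render_search(swimlane, asset, span="1h"):
    """Substitute $constraints$ and $span$ into the swim lane search template.
    An asset with no identifiers would leave the where clause empty and match
    every authentication event, so the helper refuses to render such a search."""
    constraints = expand_constraints(swimlane["constraint_fields"], asset)
    if not constraints:
        raise ValueError("asset lookup entry has no identifying fields")
    return (
        swimlane["search"]
        .replace("$constraints$", constraints)
        .replace("$span$", span)
    )


if __name__ == "__main__":
    print(render_search(SWIMLANE, ASSET))
```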
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0