Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Dashboard requirements matrix for Splunk Enterprise Security

The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are populated from data model accelerations unless otherwise noted.

Dashboard panel to data model

A - E

Dashboard Name Panel Title Data Model Data Model Dataset
Access Anomalies Geographically Improbable Accesses Relies on the gia_summary summary index, which is populated by the Access - Geographically Improbable Access - Summary Gen search. That search references the Authentication data model. Authentication.app, .src, .user
Concurrent Application Accesses Authentication Authentication.app, .src, .user
Access Center Access Over Time By Action Authentication Authentication.action
Access Over Time By App Authentication.app
Top Access By Source Authentication.src
Top Access By Unique User Authentication.user,.src
Access Search Authentication.action, .app, src, .dest, .user, src_user
Access Tracker First Time Access - Last 7 days None. Calls access_tracker lookup
Inactive Account Usage - Last 90 days
Completely Inactive Accounts - Last 90 days
Account Usage For Expired Identities - Last 7 days Authentication Authentication.dest
Account Management Account Management Over Time Change All_Changes.Account_Management, .action
Account Lockouts All_Changes.Account_Management, .result
Account Management By Source User All_Changes.Account_Management, .src_user
Top Account Management Events All_Changes.Account_Management, .action
Adaptive Response Action Center Action Invocations Over Time By Name Splunk Audit Logs Modular_Actions.action_name, .action_status, .sid, .rid
Top Actions By Name Modular_Actions.action_status, .search_name, .duration, .action_mode, .action_name, .user
Top Actions By Search Modular_Actions.action_status, .search_name, .action_mode, .action_name, .sid, .rid, .user
Recent Adaptive Response Actions "Splunk_Audit"."Modular_Actions"
Asset Center Assets By Priority Assets And Identities All_Assets.priority, .bunit, .category, .owner
Assets By Business Unit
Assets By Category
Asset Information
Asset Investigator Asset Investigator Based on swim lane selection
Dashboard Name Panel Title Data Model Data Model Dataset
Data Protection Data Integrity Control By Index Incident Management
Sensitive Data None. Calls a REST search on indexes checking for data integrity controls.
Default Account Activity Default Account Usage Over Time By App Authentication Authentication.Default_Authentication, .action, .app
Default Accounts In Use Authentication.user_category, .dest, .user
Default Local Accounts None. Calls useraccounts_tracker lookup
DNS Activity Top Reply Codes By Unique Sources Network Resolution DNS DNS.message_type, DNS.reply_code
Top DNS Query Sources DNS.message_type, DNS.src
Top DNS Queries DNS.message_type, DNS.query
Queries Per Domain DNS.message_type, DNS.query
Recent DNS Queries DNS.message_type
DNS Search DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer
Dashboard Name Panel Title Data Model Data Model Dataset
Email Activity Top Email Sources Email All_Email.src
Large Emails All_Email.size, src, .src_user, .dest
Rarely Seen Senders All_Email.protocol, .src, .src_user, .recipient
Rarely Seen Receivers All_Email.protocol, .src, .recipient
Email Search All_Email.protocol, .recipient, .src, .src_user, .dest
Endpoint Changes Endpoint Changes By Action Change All_Changes.Endpoint_Changes, .action
Endpoint Changes By Type All_Changes.Endpoint_Changes, .object_category
Endpoint Changes By System All_Changes.Endpoint_Changes, .object_category, .dest

F - M

Dashboard Name Panel Title Data Model Data Model Dataset
Forwarder Audit Event Count Over Time By Host None. Calls host_eventcount macro and search.
Hosts By Last Report Time
Splunkd Process Utilization Endpoint Endpoint.Processes.cpu_load_percent, .mem_used, .process_exec, Endpoint_Ports_

fillnull_dest.dest

Splunk Service Start Mode All_Application_State.Services.start_mode, .status, .service
HTTP Category Analysis Category Distribution Web Web.src, .category
Category Details Web.src, .dest, .category,
HTTP User Agent Analysis User Agent Distribution Web Web.http_user_agent_length, .http_user_agent
User Agent Details Web.http_user_agent_length, .src, .dest, .http_user_agent
Dashboard Name Panel Title Data Model Data Model Dataset
Identity Center Identities By Priority Assets and Identities All_Identities.priority, .bunit, .category
Identities By Business Unit
Identities By Category
Identity Information
Identity Investigator Identity Investigator Based on swim lane selection
Incident Review Audit Review Activity By Reviewer None. Calls a search over the es_notable_events KV Store collection.
Top Reviewers
Notable Events By Status - Last 48 hours
Notable Events By Owner - Last 24 hours
Recent Review Activity
Indexing Audit Events Per Day Over Time None. Calls a search over the licensing_epd KV Store collection.
Events Per Day
Events Per Index (Last Day)
Intrusion Center Attacks Over Time By Severity Intrusion Detection IDS_Attacks.severity
Top Attacks IDS_Attacks.dest, .src, .signature
Scanning Activity (Many Attacks) IDS_Attacks.signature
New Attacks IDS_Attacks.ids_type
Intrusion Search IDS_Attacks.severity, .category, .signature, .src, .dest
Investigations Investigations None. Calls a search over the investigation KV Store collection.
Investigation timelines None. Calls a search over the investigation_event KV Store collection.
Investigation note attachments None. Calls a search over the investigation_attachment KV Store collection.
Action history None. Calls one of five different searches. See Manage investigations in Splunk Enterprise Security.
Investigation workbench artifacts None. Calls a search over the investigation_leads KV Store collection.
Investigation workbench Authentication Data Authentication Authentication.app, .action, .src, .src_user, .dest, .user
Certificate Activity Certificates Certificates.SSL, .src, .src_port, .dest, .dest_port, .ssl_is_valid, .ssl_validity_window, .ssl_hash, .ssl_serial, .ssl_subject, .ssl_start_time, .ssl_end_time
Computer Inventory Inventory Compute_Inventory.All_Inventory, .os, .vendor_product, .user, .dest
DNS Data Network Resolution DNS Network_Resolution.DNS, DNS.dest, .query, .query_count, .message_type, .answer, .reply_code
Email Data Email Email.All_Email, .src, .dest, .src_user, .action, .recipient, .recipient_count, .subject
Filesystem Changes Endpoint Endpoint.Filesystem, .file_create_time, .file_modify_time, .file_access_time, .dest, .action, .file_name, .file_hash, .file_path, .file_size
IDS Alerts Intrusion Detection Intrusion_Detection.IDS_Attacks, .user, .src, .dest, .severity, .category, .signature, .ids_type, .vendor_product, .dvc
Latest OS Updates Updates Updates.status, .dest, .signature_id, .signature, .vendor_product
Network Session Data Network Sessions Network_Sessions.All_Sessions, .src_ip, .dest_ip, .dest_nt_host, .tag, .action, .vendor_product
Network Traffic Data Network Traffic Network_Traffic.All_Traffic, .packets, .src_ip, .dest_ip, .user, .transport, .action, .src, .src_port, .dest, .dest_port
Notable Events Incident Management Incident_Management.Notable_Events, .user, .src, .dest, .rule_name, .severity, .urgency, .security_domain, .status_label, .owner, .savedsearch_description
Port Activity Endpoint Endpoint.Ports, .dest_port, .transport, .process_id
Process Activity Endpoint Endpoint_Application_State, .dest, .user, .process_name, .process
Registry Activity Endpoint Endpoint.Registry, .registry_hive, .registry_value_data, .registry_value_text, .dest, .action, .registry_path, .registry_key_name, .registry_value_name, .registry_value_type
Risk Scores Risk Analysis Risk.All_Risk, .risk_score, .risk_object_type, .risk_object
Service Activity Endpoint Endpoint.Processes, .user_id, .process_exec, .process_id
System Vulnerabilities Vulnerabilities Vulnerabilities.Vulnerabilities, .user, .dest, .severity, .signature, .category, .vendor_product
User Account Changes Change Change.All_Changes, .user, .dest, .action, .status, .object, .object_path, .object_attrs, .object_id, .Account_Management
Web Activity Web Web.Web, .src, .dest, .user, .action, .http_method, .url, .http_referrer, .http_user_agent, .http_content_type, .status
Dashboard Name Panel Title Data Model Data Model Dataset
Malware Center Malware Activity Over Time By Action Malware Malware_Attacks.action
Malware Activity Over Time By Signature Malware_Attacks.signature
Top Infections Malware_Attacks.signature, .dest
New Malware - Last 30 Days None. Calls malware_tracker lookup.
Malware Operations Clients By Product Version None. Calls malware_operations_tracker lookup.
Clients By Signature Version
Oldest Infections
Repeat Infections Malware Malware_Attacks.action, .signature, .dest
Malware Search Malware_Attacks.action, .file_name, .user, .signature, .dest
Managed Lookups Audit Lookups None. Calls | rest /services/data/transforms/managed_lookups

N - S

Dashboard Name Panel Title Data Model Data Model Dataset
Network Changes Network Changes By Action Change All_Changes.Network_Changes, .action
Network Changes By Device All_Changes.Network_Changes, .dvc
New Domain Analysis New Domain Activity Web Web.dest
New Domain Activity By Age
New Domain Activity By TLD
Registration Details None
Dashboard Name Panel Title Data Model Data Model Dataset
Port & Protocol Tracker Port/Protocol Profiler Network Traffic All_Traffic.transport, .dest_port
Prohibited Or Insecure Traffic Over Time - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
Prohibited Traffic Details - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
New Port Activity - Last 7 Days None. Calls the application protocols lookup.
Protocol Center Connections By Protocol Network Traffic All_Traffic.app
Usage By Protocol All_Traffic.app, .bytes
Top Connection Sources All_Traffic.src
Usage For Well Known Ports All_Traffic.bytes, .dest_port
Long Lived Connections All_Traffic.src, .src_port, .duration, .dest, .dest_port, .transport
Risk Analysis Risk Modifiers Over Time Risk Analysis All_Risk.risk_score
Risk Score By Object All_Risk.risk_score
Most Active Sources All_Risk.risk_score, .risk_object
Recent Risk Modifiers All_Risk.*
Dashboard Name Panel Title Data Model Data Model Dataset
Security Posture Notable Events By Urgency None. Calls a search over the es_notable_events KVStore collection.
Notable Events Over Time
Top Notable Events
Top Notable Event Sources
Session Center Sessions Over Time Network Sessions All_Sessions.Session_*
Session Details All_Sessions.*
SSL Activity SSL Activity By Common Name Certificates All_Certificates.SSL.ssl_subject_common_name
SSL Cloud Sessions All_Certificates.SSL.ssl_subject_common_name, .src,
Recent SSL Sessions
SSL Search All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid
Suppression Audit Suppressed Events Over Time - Last 24 Hours None Calls a macro to search on notable events.
Suppression History Over Time - Last 30 Days Calls a macro and a search on Summary Gen information.
Suppression Management Activity Calls a search by eventtype.
Expired Suppressions Calls a search by eventtype.
System Center Operating Systems None. Calls system_version_tracker lookup.
Top-Average CPU Load By System Performance All_Performance.CPU.cpu_load_percent, All_Performance.dest
Services By System Count Endpoint Endpoint.Services
Ports By System Count Endpoint.Ports

T - Z

Dashboard Name Panel Title Data Model Data Model Dataset
Threat Activity Threat Activity Over Time Intrusion Detection, Network Traffic, and Web. For more details, see Threat Activity Data Sources.
Most Active Threat Collections
Most Active Threat Sources
Threat Activity Details
Threat Artifacts Threat Overview None. Calls the threat intelligence KV Store collections. For a list of threat intelligence collections, see Supported types of threat intelligence in Splunk Enterprise Security.
Endpoint Artifacts
Network Artifacts
Email Artifacts
Certificate Artifacts
Threat Intelligence Audit Threat Intelligence Downloads None. Calls a search by REST endpoint.
Threat Intelligence Audit Events None. Calls a search by eventtype.
Time Center Time Synchronization Failures Performance All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action
Systems Not Time Synching
Indexing Time Delay None. Calls the results of a Summary Gen search.
Time Service Start Mode Anomalies Endpoint Endpoint_Services_fillnull_start_mode, Endpoint_Services_fillnull_status, Endpoint_Services_fillnull_dest .dest_should_timesync, .tag
Traffic Center Traffic Over Time By Action Network Traffic All_Traffic.action
Traffic Over Time By Protocol All_Traffic.transport
Scanning Activity (Many Systems) All_Traffic.dest, .src
Top Sources All_Traffic.src
Traffic Search All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port
Traffic Size Analysis Traffic Size Anomalies Over Time Network Traffic All_Traffic.transport, .src
Traffic Size Details All_Traffic.bytes, .dest, .src
Dashboard Name Panel Title Data Model Data Model Dataset
Update Center Top Systems Needing Updates Updates Updates.status, .dest, .signature_id, .vendor_product
Top Updates Needed Updates.status, .dest, .signature_id, .vendor_product
Systems Not Updating - Greater Than 30 Days Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status
Update Service Start Mode Anomalies Endpoint Endpoint_Services_fillnull_start_mode, Endpoint_Services_fillnull_status, .Services.service_exec, .tag
Update Search Updates Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product
URL Length Analysis URL Length Anomalies Over Time Web Web.http_method, .url
URL Length Details Web.url_length, .src, .dest, .url
User Activity Users By Risk Scores Risk Analysis All_Risk.risk_object
Non-corporate Web Uploads Web Web.bytes, .user, .http_method, .url
Non-corporate Email Activity Email All_Email.size, .recipient, .src_user,
Watchlisted Site Activity Web Web.src, .url
Remote Access Authentication Authentication.src, .user
Ticket Activity Ticket Management All_Ticket_Management.description, .priority, . severity, .src_user
Dashboard Name Panel Title Data Model Data Model Dataset
View Audit View Activity Over Time Splunk Audit Logs View_Activity.app, .view
Expected View Activity View_Activity.app, .view, .user
Vulnerability Center Top Vulnerabilities Vulnerabilities Vulnerabilities.signature, .dest
Most Vulnerable Hosts Vulnerabilities.signature, .severity, .dest
Vulnerabilities By Severity Vulnerabilities.signature, .severity, .dest
New Vulnerabilities Calls vuln_signature_reference lookup.
Vulnerability Operations Scan Activity Over Time Vulnerabilities Vulnerabilities.dest
Vulnerabilities By Age Calls vulnerability_tracker lookup.
Delinquent Scanning Vulnerabilities Vulnerabilities.dest
Vulnerability Search Vulnerabilities.category, .signature, .dest, .severity, .cve,
Web Center Events Over Time By Method Web Web.http_method
Events Over Time By Status Web.status
Top Sources Web.dest, .src
Top Destinations Web.dest, .src
Web Search Web.http_method, .status, .src, .dest, .url

Dashboards to Add-on

Add-on dashboards are included in Splunk Enterprise Security. Use the navigation editor to add or rearrange dashboards on the menu bar. For more information about using the navigation editor, see Customize the menu bar in Splunk Enterprise Security.

To view the entire list of dashboards in Enterprise Security, select Search > Dashboards.

To review the list of dashboards in Enterprise Security by add-on, use Content Management and filter by app or data model. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.

Last modified on 22 November, 2021
Create a Splunk Web message in Splunk Enterprise Security   Troubleshoot script errors in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters