Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Key indicators in Splunk Enterprise Security

Splunk Enterprise Security includes predefined key indicators that identify key security metrics for the security domains covered by Splunk Enterprise Security. You can view the key indicators on dashboards in Splunk Enterprise Security.

Key indicators provide a visual reference for several security metrics. Key indicator searches populate the security metrics of key indicators.The key indicator searches run against the data models defined in Enterprise Security, or the data models defined in the Common Information Model app. Some key indicator searches run against the count of notable events.

Interpreting key indicators on dashboards

On dashboards, each key indicator includes a value indicator, a trend amount, a trend indicator, and a threshold value used to indicate the importance or priority of the indicator. The key indicator searches default to running over a relative time span of 48 hours.

Field Description
Description Brief description of the security-related metrics:
Access Notables
The total count and trend of notable events from the Access security domain in incident review. These notable events include titles such as Excessive Failed Logins.
Endpoint Notables
The total count and trend of notable events from the Endpoint security domain in incident review. These notable events include titles such as Host With A Recurring Malware Infection.
Network Notables
The total count and trend of notable events from the Network security domain in incident review. These notable events include titles such as Network Change Detected.
Identity Notables
The total count and trend of notable events from the Identity security domain in incident review. These notable events include titles such as Activity from Expired User Identity.
Audit Notables
The total count and trend of notable events from the Audit security domain in incident review. These notable events include titles such as Personally Identifiable Information Detected.
Threat Notables
The total count and trend of notable events from the Threat security domain in incident review. These notable events include titles such as ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days.
UBA Notables
The total count and trend of notable events from filtering on UBA in incident review, if you're sending threat data from Splunk UBA to Splunk Enterprise Security (ES). See Investigate threats from Splunk UBA using Splunk Enterprise Security in the Splunk Add-on for Splunk UBA manual.
Value indicator Current count of events. If a threshold is set, the numbers will change color as they cross thresholds. Click the value indicator to drill down into the key indicator search and view the raw events. If the value indicator is wrong, such as a percentage value greater than 100%, there could be missing or wrong data in the data model dataset used by the key indicator search to calculate a value.
Trend amount Displays the change in event count over the time period defined in the key indicator search.
Trend indicator Displays a directional arrow to indicate the direction of the trend. The arrow changes color and direction over time.

Edit key indicators on dashboards

Enterprise Security includes preconfigured key indicators. Each dashboard key indicator row includes an editor that allows simple, visual changes to be made directly to the key indicators without leaving the dashboard. You can make changes to the search generating the key indicator on the Content Management dashboard. See Edit a key indicator search in Administer Splunk Enterprise Security.

  1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
    KSI rad dash edit.jpg
  2. Drag and drop the indicators to rearrange them. There can be 5 indicators per row, and multiple indicator rows.
  3. Click the checkmark icon to save.

Remove key indicators from a dashboard

Remove a key indicator from a dashboard.

  1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
    KSI rad dash edit.jpg
  2. Click the X to the top right of the indicator.
  3. Click the checkmark icon to save.

Removing the indicator from a dashboard does not remove the key indicator from Enterprise Security.

Add key indicators to a dashboard

Add key indicators to a dashboard.

  1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
    KSI rad dash edit.jpg
  2. Click the plus icon to open the Add indicators panel.
  3. Click the checkmark icon to save.

Set a threshold for a key indicator on a dashboard

You can set a threshold for a key indicator on a dashboard to change the color of the key indicator. A threshold defines an acceptable value for the event count of an indicator. An event count above the threshold causes the key indicator to display as red, while an event count below the threshold causes the key indicator to display as green. If the threshold is undefined, the event count remains black.

  1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
    KSI rad dash edit.jpg
  2. Type a Threshold for the key indicator.
  3. Click the checkmark icon to save.
Last modified on 22 November, 2021
Customize Splunk Enterprise Security dashboards to fit your use case   Security Posture dashboard

This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters