Splunk® Enterprise Security

Use Splunk Enterprise Security

Asset and Identity dashboards

The Identity domain dashboards provide information about the assets and identities defined in Splunk Enterprise Security. See Add asset and identity data to Splunk Enterprise Security in Administer Splunk Enterprise Security for instructions on defining assets and identities.

Asset Center dashboard

Use the Asset Center dashboard to review and search for objects in the asset data added to Enterprise Security. The asset data represents a list of hosts, IP addresses, and subnets within the organization, along with information about each asset. The asset list correlates asset properties to indexed events, providing context such as asset location and the priority level of an asset.
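The correlation described above, as an added example that is not Splunk's own code: an event's source address is matched against a constructed asset list of hosts, IP addresses, and subnets, and the matching asset's priority, business unit, category, and owner are copied onto the event. The sample rows, the `src_` output field names, and the most-specific-match rule are assumptions of this example.

```python
import ipaddress

# Constructed asset list (not real data). Columns follow the fields named on
# this page: ip, nt_host, priority, business unit, category, owner.
ASSETS = [
    {"ip": "10.20.0.0/16", "nt_host": "", "priority": "low",
     "bunit": "emea", "category": "workstation", "owner": "it-ops"},
    {"ip": "10.20.30.0/24", "nt_host": "", "priority": "high",
     "bunit": "finance", "category": "pci", "owner": "fin-it"},
    {"ip": "10.20.30.15", "nt_host": "PAYDB01", "priority": "critical",
     "bunit": "finance", "category": "pci", "owner": "dba-team"},
]

def lookup_asset(value, assets=ASSETS):
    """Return the asset row for an IP address or host name, or None."""
    # A host name match is exact and case-insensitive.
    for row in assets:
        if row["nt_host"] and row["nt_host"].lower() == value.lower():
            return row
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP and not a known host name
    # Assumption of this example: the most specific entry wins, so a
    # single-host row overrides the subnet rows that also contain it.
    best, best_len = None, -1
    for row in assets:
        net = ipaddress.ip_network(row["ip"], strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = row, net.prefixlen
    return best

def enrich(event, assets=ASSETS):
    """Return a copy of the event with asset context added for its source."""
    row = lookup_asset(event["src"], assets)
    out = dict(event)
    out["src_asset_known"] = row is not None
    for field in ("priority", "bunit", "category", "owner"):
        out["src_" + field] = row[field] if row else "unknown"
    return out
```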

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels.

| Filter by | Description |
| --- | --- |
| Asset | A known or unknown asset. |
| Priority | Filter by the Priority field in the Asset table. |
| Business Unit | A group or department classification for the asset. |
| Category | Filter by the Category field in the Asset table. |
| Owner | Filter by the Owner field in the Asset table. |
| Time Range | Select the time range to represent. |

Dashboard Panels

| Panel | Description |
| --- | --- |
| Assets by Priority | Displays the number of assets by priority level. The drilldown opens a search with the selected priority level. |
| Assets by Business Unit | Displays the relative amount of assets by business unit. The drilldown opens a search with the selected business unit. |
| Assets by Category | Displays the relative amount of assets by category. The drilldown opens a search with the selected category. |
| Asset Information | Shows all assets that match the current dashboard filters. The drilldown opens the Asset Investigator dashboard if the "ip", "nt_host", "mac", or "dns" fields are selected. Any other field will open a search with the selected field. |

Data sources

The reports in the Asset Center dashboard reference fields in the Asset and Identities data model. Relevant data sources include lists of assets and identities collected and loaded as lookups, scripted inputs, or search-extracted data.

Identity Center dashboard

Use the Identity Center dashboard to review and search for objects in the identity data added to Enterprise Security. Identity data represents a list of account names, legal names, nicknames, and alternate names, along with other associated information about each identity. The identity data is used to correlate user information to indexed events, providing additional context.

Filtering Identities in Identity Center

The filter for the Identity Center dashboard uses a key=value pair search field. To filter identities, enter a key=value pair instead of a name or text string.

Some sample key=value pairs are email=*acmetech.com or nick=a_nickname.

Use the available dashboard filters to refine the results displayed on the dashboard panels.

| Filter by | Description |
| --- | --- |
| Username | A known or unknown user. |
| Priority | Filter by the Priority field in the Identities table. |
| Business Unit | A group or department classification for the identity. |
| Category | Filter by the Category field in the Identities table. |
| Watchlisted Identities Only | Filter by the identities tagged as "watchlist" in the Identities table. |
| Time Range | Select the time range to represent. |

Dashboard Panels

| Panel | Description |
| --- | --- |
| Identities by Priority | Displays the count of Identities by priority level. The drilldown opens a search with the selected priority level. |
| Identities by Business Unit | Displays the relative number of Identities by business unit. The drilldown opens a search with the selected business unit. |
| Identities by Category | Displays the relative number of Identities by category. The drilldown opens a search with the selected category. |
| Identity Information | Shows all assets that match the current dashboard filters. The drilldown opens the Identity Investigator dashboard if you select the identity field. Any other field opens a search with the selected field. |

Data sources

The reports in the Identity Center dashboard reference fields in the Asset and Identities data model. Relevant data sources include lists of assets and identities collected and loaded as lookups, scripted inputs, or search-extracted data.

Session Center dashboard

The Session Center dashboard provides an overview of network sessions. Network sessions are used to correlate network activity to a user using session data provided by DHCP or VPN servers. Use the Session Center to review the session logs and identify the user or machine associated with an IP address used during a session. You can review network session information from the Network Sessions data model, or user and device association data from Splunk UBA.
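The attribution described above, as an added example that is not Splunk's own code: given constructed DHCP and VPN session records, it resolves which user and machine held an IP address at the time of an event, including the case where the same address is reused by a later session. The record layout, the `who_had_ip` and `attribute` names, and the 24-hour cap on sessions with no logged end are assumptions of this example.

```python
from datetime import datetime, timedelta

def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed session records (not real logs): one address reused by two
# DHCP clients, and one VPN session whose end has not been logged yet.
SESSIONS = [
    {"ip": "10.1.5.20", "user": "alice", "host": "LT-ALICE", "source": "dhcp",
     "start": ts("2022-01-19 08:00"), "end": ts("2022-01-19 12:00")},
    {"ip": "10.1.5.20", "user": "bob", "host": "LT-BOB", "source": "dhcp",
     "start": ts("2022-01-19 13:00"), "end": ts("2022-01-19 18:00")},
    {"ip": "172.16.9.4", "user": "carol", "host": "VPN-CAROL", "source": "vpn",
     "start": ts("2022-01-19 09:30"), "end": None},
]

# Assumed cap: a session with no end event is trusted for at most 24 hours.
MAX_OPEN = timedelta(hours=24)

def who_had_ip(ip, when, sessions=SESSIONS):
    """Return the session covering `when` for `ip`, or None if none does."""
    matches = []
    for s in sessions:
        if s["ip"] != ip or when < s["start"]:
            continue
        end = s["end"] if s["end"] else s["start"] + MAX_OPEN
        if when <= end:
            matches.append(s)
    # If records overlap, the most recently started session is the best guess.
    return max(matches, key=lambda s: s["start"]) if matches else None

def attribute(event, sessions=SESSIONS):
    """Map an event with src_ip and time to (user, host), or (None, None)."""
    s = who_had_ip(event["src_ip"], ts(event["time"]), sessions)
    return (s["user"], s["host"]) if s else (None, None)
```

An event that falls in the gap between two leases returns `(None, None)` rather than being attributed to the previous holder of the address.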

Dashboard Panels

Network Sessions tab:

| Panel | Description |
| --- | --- |
| Sessions Over Time | Displays the total count of network sessions over time. The drilldown opens a search with the selected session and time range. |
| Session Details | Displays the top 1000 network sessions that have been most recently opened, based on the session start time. The drilldown opens a search with the selected session details. |

User Behavior Analytics tab:

| Panel | Description |
| --- | --- |
| Sessions of Associated Entities | Based on the search filter, displays the sessions of users and devices associated with a device that you search, or devices associated with a user that you search. Hover over a session to learn more about the session activity. |
| Session Details | Shows the entity ID from Splunk UBA, the name of the entity, the type of entity, the start and end times of the session, and event data from Splunk UBA. Expand a row to view more details. |

For more about viewing data from Splunk UBA, see Viewing data from Splunk UBA in Enterprise Security.

Troubleshooting Identity dashboards

The dashboards reference data from various data models. Without the applicable data, the panels will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

