Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Endpoint dashboards

The Endpoint Protection domain provides insight into malware events including viruses, worms, spyware, attack tools, adware, and PUPs (Potentially Unwanted Programs), as well as your endpoint protection deployment.

Malware Center dashboard

Malware Center is useful to identify possible malware outbreaks in your environment. It displays the status of malware events in your environment, and how that status changes over time based on data gathered by Splunk.

Search malware events directly using Malware Search, or click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature. Configure new data inputs through the Settings menu.

You can use the filters to refine which events are shown.

Filter by Description Action
Action All, allowed, blocked, or deferred. Drop-down: select to filter by
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the malware belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Malware Activity Over Time By Action Shows all malware detected over the specified time period, split by action (allowed, blocked, deferred). Use this chart to detect whether too many malware infections are allowed.
Malware Activity Over Time By Signature Shows all malware detected over the specified time period, split by signature. Example signatures are Mal/Packer, LeakTest, EICAR-AV-Test, TROJ_JAVA.BY. Use this chart to detect which infections are dominant in your environment.
Top Infections Shows a bar chart of the top infections in your environment, split by signature. This panel helps identify outbreaks related to a specific type of malware.
New Malware - Last 30 Days Shows new malware detected on the network over the last 30 days. For each malware signature identified, the date and time it was first detected and the total number of infections are shown. First-time infections are the most likely to cause outbreaks.

Malware Search dashboard

The Malware Search dashboard assists in searching malware-related events based on the criteria defined by the search filters. The dashboard is used in ad-hoc searching of malware data, but is also the primary destination for drilldown searches used in the Malware Center dashboard panels.

The Malware Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a filter, select a time range, and click Submit.

Filter by Description Action
Action Filter by the action taken on the malware (allowed, blocked, or deferred). Drop-down: select to filter by
Signature Filter on malware with matching signatures. Text field. Empty by default. Wildcard strings with an asterisk (*)
File Filter on file name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Destination Filter on endpoint systems. Text field. Empty by default. Wildcard strings with an asterisk (*)
User Filter based on username. Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range Select the time range to view. Drop-down: select to filter by

Malware Operations dashboard

The Malware Operations dashboard tracks the status of endpoint protection products deployed in your environment. Use this dashboard to see the overall health of systems and identify systems that need updates or modifications made to their endpoint protection software. This dashboard can also be used to see how the endpoint protection infrastructure is being administered.

You can click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature. Configure new data inputs through the Settings menu.

Use the filters to refine which events are shown.

Filter by Description Action
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the malware belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Clients by Product Version Shows a bar chart of the number of clients with a certain version of the endpoint protection product installed.
Clients by Signature Version Shows a bar chart of the number of clients with a certain signature version.
Repeat Infections Shows repeated malware infections. Sort by signature, destination, action, or number of days.
Oldest Infections Shows the oldest malware infections in your environment. Sort by date that the infection was detected (first or last time), the signature, destination host (affected system), or days the infection has been active.

System Center dashboard

The System Center dashboard shows information related to endpoints beyond the information reported by deployed anti-virus or host-based IDS systems. It reports endpoint statistics and information gathered by the Splunk platform. System configuration and performance metrics for hosts, such as memory usage, CPU usage, or disk usage, can be displayed on this dashboard.

Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature. Configure new data inputs through the Settings menu.

Use the filters to refine which events are shown.

Filter by Description Action
Destination Host name of the affected endpoint system. Text field. Empty by default. Wildcard strings with an asterisk (*)
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the malware belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

The following table describes the panels for this dashboard.

Panel Description
Operating Systems Shows the operating systems deployed on the network. Use this chart to detect operating systems that should not be present in your environment.
Top-Average CPU Load by System Shows the systems on the network with the top average CPU load.
Services by System Count Shows services ordered by the number of systems on which they are present.
Ports By System Count Shows the transport method (e.g., tcp) and destination ports, ordered by the number of systems.

Note: If incorrect or missing data is showing up in the System Center dashboard, be sure that the technology add-ons that supply the data for this dashboard are installed on the full forwarders in the deployment. Technology add-ons containing knowledge needed for parsing of data need to be installed on the full forwarders.

Time Center dashboard

The Time Center dashboard helps ensure data integrity by identifying hosts that are not correctly synchronizing their clocks.

Splunk will create an alert when it discovers a system with time out of sync. When you receive an alert, you can drill down to the raw data and investigate further by clicking any of the chart elements or table rows on the dashboard. See Drill down to raw events for more information on this feature.

Use the filters to refine which events are shown.

Filter by Description Action
Show only systems that should timesync Select true to filter by systems categorized as should_timesync=true in the Asset table or false to filter by systems categorized as should_timesync=false in the Asset table. See Configure the new asset or identity list in Splunk Enterprise Security in Administer Splunk Enterprise Security for more about asset configuration. Drop-down: select to filter by
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the malware belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

The following table describes the panels for this dashboard.

Panel Description
Time Synchronization Failures A list of systems where time synchronization has failed.
Systems Not Time Synching Shows a list of systems that have not synchronized their clocks in the specified time frame.
Indexing Time Delay Shows hosts with significant discrepancies between the timestamp the host places on the event and the time that the event appears in the Splunk platform.
For example, if the timestamp on an event is later than the time that Splunk indexes the event, the host is timestamping events as future events. A large difference (on the order of hours) indicates improper time zone recognition.
Time Service Start Mode Anomalies Shows hosts that have a time service start mode, such as Manual that others do not.

Endpoint Changes dashboard

The Endpoint Changes dashboard uses the Splunk change monitoring system, which detects file-system and registry changes, to illustrate changes and highlight trends in the endpoints in your environment. For example, Endpoint Changes can help discover and identify a sudden increase in changes that may be indicative of a security incident.

You can click chart elements or table rows on this dashboard to display raw events. See Drill down to raw events for more information on this feature.

Use the filters to refine which events are shown.

Filter by Description Action
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the malware belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

The following table describes the panels for this dashboard.

Panel Description
Endpoint Changes by Action Summarizes changes over time. A substantial increase in changes may indicate the presence of an incident that is causing changes on the endpoints such as a virus or worm.
Endpoint Changes by Type Summarizes the type of changes observed on the endpoints, such as file or registry changes.
Changes by System Summarizes changes by system
Recent Endpoint Changes Shows the most recent endpoint changes observed.

Update Center dashboard

The Update Center dashboard provides additional insight into systems by showing systems that are not updated. It is a good idea to look at this dashboard on a monthly basis to ensure systems are updating properly.

You can click any of the chart elements or table rows on the dashboard to see raw events. See Drill down to raw events for more information on this feature.

Use the filters to refine which events are shown.

Filter by Description Action
Show only systems that should update Select true to filter by systems categorized as should_update=true in the Asset table or false to filter by systems categorized as should_update=false in the Asset table. See Configure the new asset or identity list in Splunk Enterprise Security in Administer Splunk Enterprise Security for more about asset configuration. Drop-down: select to filter by
Destination Host name of the system. Text field. Empty by default. Wildcard strings with an asterisk (*)
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the malware belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

The following table describes the panels for this dashboard.

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Top Systems Needing Updates A bar chart of the top systems that need updates installed.
Top Updates Needed A bar chart of the top updates needed across the environment, sorted by signature, such as the KB number.
Systems Not Updating - Greater Than 30 Days Systems that have not been updated, sorted by the number of days for which they have not been updated.
Update Service Start Mode Anomalies Shows all systems where the update startup task or service is disabled. Administrators sometimes disable automatic updates to expedite a restart and can forget to re-enable the process.

Update Search dashboard

The Update Search dashboard shows patches and updates by package and/or device. This dashboard helps identify which devices have a specific patch installed. This is useful when, for example, there is a problem caused by a patch and you need to determine exactly which systems have that patch installed.

The Update Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a filter, select a time range, and click Submit.

Filter by Description Action
Show only systems that should update Select true to filter by systems categorized as should_update=true in the Asset table or false to filter by systems categorized as should_update=false in the Asset table. See Configure the new asset or identity list in Splunk Enterprise Security in Administer Splunk Enterprise Security for more about asset configuration. Drop-down: select to filter by
Update Status Filter by the status of the update on a machine. Drop-down: select to filter by
Signature Filter by the signature, for example the KB number, of a particular update. Text field. Empty by default. Wildcard strings with an asterisk (*)
Destination Filter on affected endpoint systems. Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range Select the time range to view. Drop-down: select to filter by
Last modified on 19 January, 2022
Access dashboards   Asset and Identity dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters