
The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Access dashboards

The Access Protection domain monitors authentication attempts to network devices, endpoints, and applications within the organization. Access Protection is useful for detecting malicious authentication attempts, as well as identifying systems users have accessed in either an authorized or unauthorized manner.

Access Center dashboard

Access Center provides a summary of all authentication events. This summary is useful for identifying security incidents involving authentication attempts such as brute-force attacks or use of clear text passwords, or for identifying authentications to certain systems outside of work hours.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by | Description | Action
--------- | ----------- | ------
Action | Filter based on authentication success or failure. | Drop-down: select to filter by
App | Filter based on authentication application. | Drop-down: select to filter by
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Special Access | Restricts the view to events related to privileged access. See Administrative Identities in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by

Dashboard Panels

Panel | Description
----- | -----------
Access Over Time By Action | Displays the count of authentication events over time by action.
Access Over Time By App | Displays the count of authentication events over time by app. For example, "win:local" refers to the local authentication performed on a Windows system and "win:remote" refers to remote API access.
Top Access By Source | Displays a table of highest access counts by source. This table is useful for detecting brute force attacks, since aggressive authentication attempts display a disproportionate number of auth requests.
Top Access By Unique Users | Displays a table of the sources generating the highest number of unique user authentication events.
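The two source-oriented panels above are aggregations over authentication events by source. The following added example (not Splunk's own search logic) reproduces them outside Splunk over a constructed set of CIM-style events and applies an assumed threshold to flag the disproportionate failure volume the Top Access By Source description points at:

```python
from collections import defaultdict

# Constructed sample of CIM-style Authentication events (action, app, src, dest, user);
# not real data. One source fails repeatedly against the domain controller.
EVENTS = (
    [{"action": "failure", "app": "win:remote", "src": "10.0.0.7", "dest": "dc01",
      "user": "administrator" if i < 10 else "svc_backup"} for i in range(12)]
    + [{"action": "success", "app": "win:local", "src": "10.0.1.20", "dest": "ws-alice",
        "user": "alice"} for _ in range(3)]
    + [{"action": "failure", "app": "sshd", "src": "10.0.1.21", "dest": "srv01", "user": "bob"},
       {"action": "success", "app": "sshd", "src": "10.0.1.21", "dest": "srv01", "user": "bob"}]
)

def summarize_by_source(events):
    """Per-source figures behind 'Top Access By Source' (total count) and
    'Top Access By Unique Users' (distinct users), highest total first."""
    stats = defaultdict(lambda: {"total": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[e["src"]]
        s["total"] += 1
        if e["action"] == "failure":
            s["failures"] += 1
        s["users"].add(e["user"])
    rows = [{"src": src, "total": s["total"], "failures": s["failures"],
             "failure_ratio": round(s["failures"] / s["total"], 2),
             "unique_users": len(s["users"])} for src, s in stats.items()]
    return sorted(rows, key=lambda r: (-r["total"], r["src"]))

def brute_force_candidates(rows, min_total=10, min_failure_ratio=0.8):
    """Sources whose volume is dominated by failed attempts, i.e. the disproportionate
    number of auth requests the panel description mentions. Thresholds are assumptions."""
    return [r["src"] for r in rows
            if r["total"] >= min_total and r["failure_ratio"] >= min_failure_ratio]

if __name__ == "__main__":
    table = summarize_by_source(EVENTS)
    for row in table:
        print(row)
    print("brute-force candidates:", brute_force_candidates(table))
```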

Access Tracker dashboard

The Access Tracker dashboard gives an overview of account statuses. Use it to track newly active or inactive accounts, as well as those that have been inactive for a period of time but recently became active. Discover accounts that are not properly de-provisioned or inactivated when a person leaves the organization.

As inactive accounts or improperly active accounts are vulnerable to attackers, it is a good idea to check this dashboard on a regular basis. You can also use this dashboard during an investigation to identify suspicious accounts and closely examine user access activity.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by | Description | Action
--------- | ----------- | ------
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by

Dashboard Panels

Panel | Description
----- | -----------
First Time Access - Last 7 days | Displays new account access by user and destination.
Inactive Account Usage - Last 90 days | Displays accounts that were inactive for a period of time, but that have shown recent activity.
Completely Inactive Accounts - Last 90 days | Displays accounts that have shown no activity. Use this panel to identify accounts that should be suspended or removed. If the organization has a policy that requires password change after a specified interval, then accounts that have shown no activity for more than that interval are known to be inactive. This panel also indicates the effectiveness of the enterprise's policy for closing or de-provisioning accounts. If a large number of accounts display here, the process may need to be reviewed.
Account Usage For Expired Identities - Last 7 days | Displays activity for accounts that are suspended within the specified time frame. Use this panel to verify that accounts that should be inactive are not in use.
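The four Access Tracker panels are all derived from the same two inputs: the history of successful authentications and the identity list with its end dates. The following added example (a reimplementation for illustration, not Splunk's own searches) computes all four over constructed data; the 7- and 90-day windows are the panels' own, while the 30-day dormancy gap used to decide what counts as "inactive for a period of time" is an assumption:

```python
from datetime import date, timedelta

# Constructed sample of successful-authentication events as (day, user, dest); not real data.
AUTH = [
    (date(2022, 1, 3), "alice", "fileserver"),
    (date(2022, 1, 10), "alice", "fileserver"),
    (date(2022, 1, 17), "alice", "hr-app"),      # alice's first logon to hr-app
    (date(2022, 1, 18), "alice", "fileserver"),
    (date(2021, 10, 1), "bob", "fileserver"),
    (date(2022, 1, 16), "bob", "fileserver"),    # bob was dormant for over three months
    (date(2021, 12, 20), "dave", "vpn"),
    (date(2022, 1, 15), "dave", "vpn"),          # dave's identity ended on 2021-12-31
]
# Constructed identity list: user -> end date (None = still valid). carol never authenticates.
IDENTITIES = {"alice": None, "bob": None, "carol": None, "dave": date(2021, 12, 31)}

def access_tracker(events, identities, today, recent=7, inactive=90, dormant=30):
    """Reproduce the four Access Tracker panels outside Splunk.

    recent/inactive are the panels' 7- and 90-day windows; dormant (an assumption) is the
    minimum gap before a reactivated account counts as 'inactive account usage'. Expired
    identities are reported in their own panel and left out of 'completely inactive'."""
    recent_start = today - timedelta(days=recent)
    inactive_start = today - timedelta(days=inactive)
    first_seen, by_user = {}, {}
    for day, user, dest in sorted(events):
        first_seen.setdefault((user, dest), day)       # first day this user reached this dest
        by_user.setdefault(user, []).append(day)        # chronological activity per user

    first_time = sorted(k for k, d in first_seen.items() if d >= recent_start)
    reactivated = sorted(
        u for u, days in by_user.items()
        if len(days) > 1 and days[-1] >= recent_start
        and (days[-1] - days[-2]).days >= dormant)
    completely_inactive = sorted(
        u for u, end in identities.items()
        if end is None and not any(d >= inactive_start for d in by_user.get(u, [])))
    expired_usage = sorted({
        (u, d.isoformat()) for d, u, _ in events
        if d >= recent_start and identities.get(u) is not None and d > identities[u]})
    return {"first_time_access": first_time, "inactive_account_usage": reactivated,
            "completely_inactive": completely_inactive, "expired_identity_usage": expired_usage}

if __name__ == "__main__":
    for panel, rows in access_tracker(AUTH, IDENTITIES, date(2022, 1, 19)).items():
        print(panel, rows)
```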

Access Search dashboard

Use the Access Search dashboard to find specific authentication events. The dashboard is used in ad-hoc searching of authentication data, but is also the primary destination for drilldown searches used in the Access Anomalies dashboard panels.

The Access Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by | Description | Action
--------- | ----------- | ------
Action | Filter based on authentication success or failure. | Drop-down: select to filter by
App | Filter based on authentication application. | Drop-down: select to filter by
Source | A string that the source field src must match. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Destination | A string that the destination field dest must match. | Text field. Empty by default. Wildcard strings with an asterisk (*)
User | A string that the user field user must match. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range | Select the time range to view. | Drop-down: select to filter by

Account Management dashboard

The Account Management dashboard shows changes to user accounts, such as account lockouts, newly created accounts, disabled accounts, and password resets. Use this dashboard to verify that accounts are being correctly administered and account administration privileges are being properly restricted. A sudden increase in the number of accounts created, modified, or deleted can indicate malicious behavior or a rogue system. A high number of account lockouts could indicate an attack.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by | Description | Action
--------- | ----------- | ------
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Special Accounts | Restricts the view to events related to privileged access. See Administrative identities in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by

Dashboard Panels

Panel | Description
----- | -----------
Account Management Over Time | Displays all account management events over time.
Account Lockouts | Displays all account lockouts, including the number of authentication attempts per account.
Account Management by Source User | Tracks the total account management activity by source user, and shows the source users with the most account management events. The source user is the user that performed the account management event, rather than the user that was affected by the event. For example, if user "Friday.Adams" creates an account "Martha.Washington", then "Friday.Adams" is the source user. This panel helps identify accounts that should not be managing other accounts and shows spikes in account management events, such as the deletion of a large number of accounts.
Top Account Management Events | Shows the most frequent management events in the specified time period.
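The source-user distinction and the spike the panel description mentions (many deletions in a short period) can be reproduced outside Splunk as a per-actor count plus a per-actor, per-hour count against a baseline. The following is an added example over constructed events, not Splunk's own search logic; the threshold of five events per hour is an assumed site-specific baseline:

```python
from collections import Counter

# Constructed account-management events as (timestamp, src_user, action, user), where
# src_user is the account that acted and user the account affected; not real data.
EVENTS = [
    ("2022-01-18T09:05", "Friday.Adams", "created", "Martha.Washington"),
    ("2022-01-18T09:40", "Friday.Adams", "password_reset", "john.doe"),
    ("2022-01-18T10:15", "helpdesk1", "unlocked", "jane.roe"),
] + [
    # eight deletions by one service account within a single hour
    (f"2022-01-18T14:{m:02d}", "svc_hr", "deleted", f"contractor{m}") for m in range(0, 40, 5)
]

def by_source_user(events):
    """'Account Management by Source User': event count per acting account, busiest first."""
    counts = Counter(src for _, src, _, _ in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def hourly_spikes(events, action, threshold):
    """Actor/hour pairs with at least `threshold` events of one action, the kind of spike
    (for example mass deletions) the panel is meant to surface. `threshold` is an assumed baseline."""
    bins = Counter()
    for ts, src, act, _ in events:
        if act == action:
            bins[(src, ts[:13])] += 1   # ts[:13] truncates to the hour, e.g. 2022-01-18T14
    return sorted((src, hour, n) for (src, hour), n in bins.items() if n >= threshold)

if __name__ == "__main__":
    print(by_source_user(EVENTS))
    print(hourly_spikes(EVENTS, "deleted", 5))
```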

Default Account Activity dashboard

The Default Account Activity dashboard shows activity on "default accounts", or accounts enabled by default on various systems such as network infrastructure devices, databases, and applications. Default accounts have well-known passwords and are often not disabled properly when a system is deployed.

Many security policies require that default accounts be disabled. In some cases, you may need to monitor or investigate authorized use of a default account. It is important to confirm that the passwords on default accounts are changed before use. Abnormal or deviant user behavior from a default account can indicate a security threat or policy violation. Use this dashboard to ensure that security policies regarding default accounts are properly followed.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by | Description | Action
--------- | ----------- | ------
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by

Dashboard panels

Panel | Description
----- | -----------
Default Account Usage Over Time by App | Shows default account activity on all systems and applications during the selected time frame, split by application (for example, sshd or ftpd). Application accounts are shown by the number of successful login attempts and when the last attempt was made. Use this chart to identify spikes in default account login activity by application, which may indicate a security incident, as well as to determine whether default account use is common (for example, a daily event) or rare for a certain application.
Default Accounts in Use | Shows all default user accounts with a high number of login attempts on different hosts, including the last attempt made. Use this panel to identify abnormal default user account activity that could indicate a security threat, and to ensure that default account behavior matches the security policy.
Default Local Accounts | Lists all default accounts that are active on enterprise systems, including accounts "at rest". Any available default accounts are listed, regardless of whether the account is actually in use. Only accounts detected on a local system, for example by examining the users list on a host, are included in this list.

Troubleshooting Access dashboards

These dashboards reference data from various data models. Without the applicable data, the dashboards remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

