Splunk® Enterprise Security

Use Splunk Enterprise Security

Introduction to the dashboards available in Splunk Enterprise Security

Splunk Enterprise Security includes more than 100 dashboards that provide integrated views of key security data and can be customized and shared with their intended audience. The dashboards help you identify and investigate security incidents, surface insights in your events, accelerate incident investigations, monitor the status of individual security domains, and audit both your incident investigations and your ES deployment.

The specific dashboards that will be most useful to you depend on how you plan to use Splunk Enterprise Security.

Identify and investigate security incidents

You can identify and investigate security incidents with a suite of dashboards and workflows. Splunk Enterprise Security runs scheduled correlation searches against your data; each match generates a notable event that represents a potential security incident.

  • Security Posture provides a high-level overview of the notable events in your environment over the last 24 hours. Identify the security domains with the most incidents, and the most recent activity. See Security Posture dashboard.
  • Incident Review shows the details of all notable events identified in your environment. Triage, assign, and review the details of notable events from this dashboard. See Incident Review.
  • My Investigations shows all investigations in your environment. Open and work investigations to track your progress and activity while investigating multiple related security incidents. See My Investigations.

Accelerate your investigations with security intelligence

A set of security intelligence dashboards allows you to investigate incidents using specific types of intelligence.

  • Risk analysis allows you to assess the risk scores of systems and users across your network and identify particularly risky devices and users posing a threat to your environment. See Risk Analysis.
  • Protocol intelligence dashboards use packet capture data from stream capture apps to provide network insights that are relevant to your security investigations. Identify suspicious traffic, DNS activity, email activity, and review the connections and protocols in use in your network traffic. See Protocol Intelligence dashboards.
  • Threat intelligence dashboards use the threat intelligence sources included in Splunk Enterprise Security and custom sources that you configure to provide context to your security incidents and identify known malicious actors in your environment. See Threat Intelligence dashboards.
  • User intelligence dashboards allow you to investigate and monitor the activity of users and assets in your environment. See Asset and Identity Investigator dashboards and User Activity Monitoring.
  • Web intelligence dashboards help you analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs. See Web Intelligence dashboards.
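As an added example of the kind of aggregation the Risk Analysis dashboard summarizes (not the page's own content and not Splunk's dashboard code), this search totals the risk events that correlation searches with a Risk action write to the risk index, so that an analyst can see which systems and users have accumulated the most risk and from how many independent detections. It assumes the default index name `risk` and its standard event fields `risk_object`, `risk_object_type`, `risk_score`, `search_name` and `risk_message`; the 24-hour window and the thresholds (a total score of 100, or three distinct contributing searches) are illustrative values to tune for your environment.

```spl
index=risk earliest=-24h@h latest=now
| stats sum(risk_score) AS total_risk,
        dc(search_name) AS distinct_sources,
        values(search_name) AS contributing_searches,
        latest(risk_message) AS latest_message
  by risk_object, risk_object_type
| where total_risk >= 100 OR distinct_sources >= 3
| sort - total_risk
| table risk_object, risk_object_type, total_risk, distinct_sources, contributing_searches, latest_message
```

Counting distinct contributing searches alongside the summed score matters because a single noisy detection can inflate one entity's total, whereas several unrelated detections converging on the same user or host is a much stronger signal. Saving a search of this shape as its own correlation search with the Notable action produces one aggregated notable per entity in Incident Review instead of one per contributing detection.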

Monitor security domain activity

Domain dashboards provided with Splunk Enterprise Security allow you to monitor the events and status of important security domains. You can review the data summarized on the main dashboards, and use the search dashboards for specific domains to investigate the raw events.

  • Access domain dashboards display authentication and access-related data, such as login attempts, access control events, and default account activity. See Access dashboards.
  • Endpoint domain dashboards display endpoint data relating to malware infections, patch history, system configurations, and time synchronization information. See Endpoint dashboards.
  • Network domain dashboards display network traffic data provided by devices such as firewalls, routers, network intrusion detection systems, network vulnerability scanners, proxy servers, and hosts. See Network dashboards, Web Center and Network Changes dashboards, and Port & Protocol Tracker dashboard.
  • Identity domain dashboards display data from your asset and identity lists, as well as the types of sessions in use. See Asset and Identity dashboards.

Audit activity in Splunk Enterprise Security

The audit dashboards provide insight into background processes and tasks performed by Splunk Enterprise Security. Some audit dashboards allow you to review actions taken by users in Splunk Enterprise Security, while others provide insight into your deployment and the status of your data models and content use. See Audit dashboards.

Display visualizations of your Cloud Security environment

The Cloud Security dashboards visualize your Amazon Web Services (AWS) and Microsoft 365 environments. Open them from the Cloud Security menu to look for potential security issues such as errors, unusual events, unintended access, and suspicious activity.

Last modified on 07 December, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
