Add key indicators in Splunk Enterprise Security
Splunk Enterprise Security includes predefined key indicators that identify key security metrics for the security domains covered by Splunk Enterprise Security. You can view the key indicators on dashboards in Splunk Enterprise Security.
Key indicators provide a visual reference for several security metrics. Key indicator searches populate the security metrics of key indicators. The key indicator searches run against the data models defined in Splunk Enterprise Security, or the data models defined in the Common Information Model app. Some key indicator searches run against the count of findings.
Interpreting key indicators on dashboards
On dashboards, each key indicator includes a value indicator, a trend amount, a trend indicator, and a threshold value used to indicate the importance or priority of the indicator. The key indicator searches default to running over a relative time span of 48 hours.
The following table describes the security-related metrics:
Metric | Description |
---|---|
Access findings | The total count and trend of findings from the Access security domain in the analyst queue. These findings include titles such as Excessive Failed Logins. |
Endpoint findings | The total count and trend of findings from the Endpoint security domain in the analyst queue. These findings include titles such as Host With A Recurring Malware Infection. |
Network findings | The total count and trend of findings from the Network security domain in the analyst queue. These findings include titles such as Network Change Detected. |
Identity findings | The total count and trend of findings from the Identity security domain in the analyst queue. These findings include titles such as Activity from Expired User Identity. |
Audit findings | The total count and trend of findings from the Audit security domain in the analyst queue. These findings include titles such as Personally Identifiable Information Detected. |
Threat findings | The total count and trend of findings from the Threat security domain in the analyst queue. These findings include titles such as ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days. |
UBA findings | The total count and trend of findings from filtering on UBA in the analyst queue, if you're sending threat data from Splunk UBA to Splunk Enterprise Security (ES). See Investigate threats from Splunk UBA using Splunk Enterprise Security in the Splunk Add-on for Splunk UBA manual. |
The following table describes the components for each key indicator:
Component | Description |
---|---|
Value indicator | Current count of events. If a threshold is set, the numbers will change color as they cross thresholds. Select the value indicator to drill down into the key indicator search and view the raw events. If the value indicator is wrong, such as a percentage value greater than 100%, there might be missing or incorrect data in the data model dataset used by the key indicator search to calculate a value. |
Trend amount | Displays the change in event count over the time period defined in the key indicator search. |
Trend indicator | Displays a directional arrow to indicate the direction of the trend. The arrow changes color and direction over time. |
Add key indicators on the dashboards
Splunk Enterprise Security includes preconfigured key indicators on several of its dashboards. In Splunk Enterprise Security version 7.0.1 and higher, Dashboard Studio has replaced the classic XML dashboards, so you must edit the entire dashboard to add key indicator values.
You can also make changes to the search generating the key indicator on the Content management page.
Follow these steps to add a key indicator on a dashboard:
- Go to the dashboard that displays key indicator values. For example, select Analytics then Security domains then Access and then Access center.
- Select the Edit button on the dashboard.
- Select the key indicator panel on the dashboard to display the editing options for the key indicators on that particular dashboard.
- Select the key indicators that you want to add to the dashboard from the list of available key indicators in the Available Key Indicators drop-down menu.
You can add any available key indicator to the dashboard by selecting it from the drop-down menu. A row holds at most 7 indicators, and a dashboard can have multiple indicator rows.
- Select Save.
Remove key indicators from a dashboard
Follow these steps to remove a key indicator from a dashboard:
- Go to the dashboard that displays key indicator values. For example, select Analytics then Security domains then Access and then Access center.
- Select the Edit button on the dashboard.
- Select the key indicator panel on the dashboard to display the editing options for the key indicators on that particular dashboard.
- Deselect the key indicators that you want to remove from the dashboard using the list of available key indicators in the Available Key Indicators drop-down menu.
- Select Save.
Set a threshold for a key indicator on a dashboard
You can set a threshold for a key indicator on a dashboard to change the color of the key indicator. A threshold defines an acceptable value for the event count of an indicator. An event count above the threshold causes the key indicator to appear red, while an event count below the threshold causes the key indicator to appear green. If the threshold is undefined, the event count remains black.
Follow these steps to set a threshold for a key indicator on a dashboard:
- Go to the dashboard that displays key indicator values. For example, select Analytics then Security domains then Access and then Access center.
- Select the Edit button on the dashboard.
- Select the key indicator panel on the dashboard to display the editing options for the key indicators on that particular dashboard.
- In the Threshold field, enter a value to set the threshold for the key indicator.
- Select Save.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0