Data model reference for dashboards in Splunk Enterprise Security
The Enterprise Security dashboards rely on events that conform to the Common Information Model (CIM), and are populated from data model accelerations unless otherwise noted.
Dashboard panel to data model
A - E
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Access Anomalies | Geographically Improbable Accesses | Relies on the gia_summary summary index, which is populated by the Access - Geographically Improbable Access - Summary Gen search. That search references the Authentication data model. | Authentication.app, .src, .user |
Concurrent Application Accesses | Authentication | Authentication.app, .src, .user | |
Access Center | Access Over Time By Action | Authentication | Authentication.action |
Access Over Time By App | Authentication.app | ||
Top Access By Source | Authentication.src | ||
Top Access By Unique User | Authentication.user,.src | ||
Access Search | Authentication.action, .app, src, .dest, .user, src_user | ||
Access Tracker | First Time Access - Last 7 days | None. Calls access_tracker lookup | |
Inactive Account Usage - Last 90 days | |||
Completely Inactive Accounts - Last 90 days | |||
Account Usage For Expired Identities - Last 7 days | Authentication | Authentication.dest | |
Account Management | Account Management Over Time | Change | All_Changes.Account_Management, .action |
Account Lockouts | All_Changes.Account_Management, .result | ||
Account Management By Source User | All_Changes.Account_Management, .src_user | ||
Top Account Management Events | All_Changes.Account_Management, .action | ||
Adaptive Response Action Center | Action Invocations Over Time By Name | Splunk Audit Logs | Modular_Actions.action_name, .action_status, .sid, .rid |
Top Actions By Name | Modular_Actions.action_status, .search_name, .duration, .action_mode, .action_name, .user | ||
Top Actions By Search | Modular_Actions.action_status, .search_name, .action_mode, .action_name, .sid, .rid, .user | ||
Recent Adaptive Response Actions | "Splunk_Audit"."Modular_Actions" | ||
Asset Center | Assets By Priority | Assets And Identities | All_Assets.priority, .bunit, .category, .owner |
Assets By Business Unit | |||
Assets By Category | |||
Asset Information | |||
Asset Investigator | Asset Investigator | Based on swim lane selection |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Data Protection | Data Integrity Control By Index | Incident Management | |
Sensitive Data | None. Calls a REST search on indexes checking for data integrity controls. | ||
Default Account Activity | Default Account Usage Over Time By App | Authentication | Authentication.Default_Authentication, .action, .app |
Default Accounts In Use | Authentication.user_category, .dest, .user | ||
Default Local Accounts | None. Calls useraccounts_tracker lookup | ||
DNS Activity | Top Reply Codes By Unique Sources | Network Resolution DNS | DNS.message_type, DNS.reply_code |
Top DNS Query Sources | DNS.message_type, DNS.src | ||
Top DNS Queries | DNS.message_type, DNS.query | ||
Queries Per Domain | DNS.message_type, DNS.query | ||
Recent DNS Queries | DNS.message_type | ||
DNS Search | DNS.message_type, DNS.reply_code, DNS.dest, DNS.src ,DNS.query_type, DNS.query, DNS.answer |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Email Activity | Top Email Sources | All_Email.src | |
Large Emails | All_Email.size, src, .src_user, .dest | ||
Rarely Seen Senders | All_Email.protocol, .src, .src_user, .recipient | ||
Rarely Seen Receivers | All_Email.protocol, .src, .recipient | ||
Email Search | All_Email.protocol, .recipient, .src, .src_user, .dest | ||
Endpoint Changes | Endpoint Changes By Action | Change | All_Changes.Endpoint_Changes, .action |
Endpoint Changes By Type | All_Changes.Endpoint_Changes, .object_category | ||
Endpoint Changes By System | All_Changes.Endpoint_Changes, .object_category, .dest |
F - M
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Forwarder Audit | Event Count Over Time By Host | None. Calls host_eventcount macro and search. | |
Hosts By Last Report Time | |||
Splunkd Process Utilization | Endpoint | Endpoint.Processes.cpu_load_percent, .mem_used, .process_exec, Endpoint_Ports_
fillnull_dest.dest | |
Splunk Service Start Mode | All_Application_State.Services.start_mode, .status, .service | ||
HTTP Category Analysis | Category Distribution | Web | Web.src, .category |
Category Details | Web.src, .dest, .category, | ||
HTTP User Agent Analysis | User Agent Distribution | Web | Web.http_user_agent_length, .http_user_agent |
User Agent Details | Web.http_user_agent_length, .src, .dest, .http_user_agent |
Dashboard Name | Panel Title | Data Model | Data Model Dataset | |
---|---|---|---|---|
Identity Center | Identities By Priority | Assets and Identities | All_Identities.priority, .bunit, .category | |
Identities By Business Unit | ||||
Identities By Category | ||||
Identity Information | ||||
Identity Investigator | Identity Investigator | Based on swim lane selection | ||
Incident Review Audit | Review Activity By Reviewer | None. Calls a search over the es_notable_events KV Store collection. | ||
Top Reviewers | ||||
Notable Events By Status - Last 48 hours | ||||
Notable Events By Owner - Last 24 hours | ||||
Recent Review Activity | ||||
Indexing Audit | Events Per Day Over Time | None. Calls a search over the licensing_epd KV Store collection. | ||
Events Per Day | ||||
Events Per Index (Last Day) | ||||
Intrusion Center | Attacks Over Time By Severity | Intrusion Detection | IDS_Attacks.severity | |
Top Attacks | IDS_Attacks.dest, .src, .signature | |||
Scanning Activity (Many Attacks) | IDS_Attacks.signature | |||
New Attacks | IDS_Attacks.ids_type | |||
Intrusion Search | IDS_Attacks.severity, .category, .signature, .src, .dest | |||
Investigations | Investigations | None. Calls a search over the investigation KV Store collection. | ||
Investigation timelines | None. Calls a search over the investigation_event KV Store collection. | |||
Investigation note attachments | None. Calls a search over the investigation_attachment KV Store collection. | |||
Action history | None. Calls one of five different searches. See Manage investigations in Splunk Enterprise Security. | |||
Investigation workbench artifacts | None. Calls a search over the investigation_leads KV Store collection. | |||
Investigation workbench | Authentication Data | Authentication | Authentication.app, .action, .src, .src_user, .dest, .user | |
Certificate Activity | Certificates | Certificates.SSL, .src, .src_port, .dest, .dest_port, .ssl_is_valid, .ssl_validity_window, .ssl_hash, .ssl_serial, .ssl_subject, .ssl_start_time, .ssl_end_time | ||
Computer Inventory | Inventory | Compute_Inventory.All_Inventory, .os, .vendor_product, .user, .dest | ||
DNS Data | Network Resolution DNS | Network_Resolution.DNS, DNS.dest, .query, .query_count, .message_type, .answer, .reply_code | ||
Email Data | Email.All_Email, .src, .dest, .src_user, .action, .recipient, .recipient_count, .subject | |||
Filesystem Changes | Endpoint | Endpoint.Filesystem, .file_create_time, .file_modify_time, .file_access_time, .dest, .action, .file_name, .file_hash, .file_path, .file_size | ||
IDS Alerts | Intrusion Detection | Intrusion_Detection.IDS_Attacks, .user, .src, .dest, .severity, .category, .signature, .ids_type, .vendor_product, .dvc | ||
Latest OS Updates | Updates | Updates.status, .dest, .signature_id, .signature, .vendor_product | ||
Network Session Data | Network Sessions | Network_Sessions.All_Sessions, .src_ip, .dest_ip, .dest_nt_host, .tag, .action, .vendor_product | ||
Network Traffic Data | Network Traffic | Network_Traffic.All_Traffic, .packets, .src_ip, .dest_ip, .user, .transport, .action, .src, .src_port, .dest, .dest_port | ||
Notable Events | Incident Management | Incident_Management.Notable_Events, .user, .src, .dest, .rule_name, .severity, .urgency, .security_domain, .status_label, .owner, .savedsearch_description | ||
Port Activity | Endpoint | Endpoint.Ports, .dest_port, .transport, .process_id | ||
Process Activity | Endpoint | Endpoint_Application_State, .dest, .user, .process_name, .process | ||
Registry Activity | Endpoint | Endpoint.Registry, .registry_hive, .registry_value_data, .registry_value_text, .dest, .action, .registry_path, .registry_key_name, .registry_value_name, .registry_value_type | ||
Risk Scores | Risk Analysis | Risk.All_Risk, .risk_score, .risk_object_type, .risk_object | ||
Service Activity | Endpoint | Endpoint.Processes, .user_id, .process_exec, .process_id | ||
System Vulnerabilities | Vulnerabilities | Vulnerabilities.Vulnerabilities, .user, .dest, .severity, .signature, .category, .vendor_product | ||
User Account Changes | Change | Change.All_Changes, .user, .dest, .action, .status, .object, .object_path, .object_attrs, .object_id, .Account_Management | ||
Web Activity | Web | Web.Web, .src, .dest, .user, .action, .http_method, .url, .http_referrer, .http_user_agent, .http_content_type, .status |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Malware Center | Malware Activity Over Time By Action | Malware | Malware_Attacks.action |
Malware Activity Over Time By Signature | Malware_Attacks.signature | ||
Top Infections | Malware_Attacks.signature, .dest | ||
New Malware - Last 30 Days | None. Calls malware_tracker lookup. | ||
Malware Operations | Clients By Product Version | None. Calls malware_operations_tracker lookup. | |
Clients By Signature Version | |||
Oldest Infections | |||
Repeat Infections | Malware | Malware_Attacks.action, .signature, .dest | |
Malware Search | Malware_Attacks.action, .file_name, .user, .signature, .dest | ||
Managed Lookups Audit | Lookups | None. Calls | rest /services/data/transforms/managed_lookups |
N - S
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Network Changes | Network Changes By Action | Change | All_Changes.Network_Changes, .action |
Network Changes By Device | All_Changes.Network_Changes, .dvc | ||
New Domain Analysis | New Domain Activity | Web | Web.dest |
New Domain Activity By Age | |||
New Domain Activity By TLD | |||
Registration Details | None |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Port & Protocol Tracker | Port/Protocol Profiler | Network Traffic | All_Traffic.transport, .dest_port |
Prohibited Or Insecure Traffic Over Time - Last 24 Hours | All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port | ||
Prohibited Traffic Details - Last 24 Hours | All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port | ||
New Port Activity - Last 7 Days | None. Calls the application protocols lookup. | ||
Protocol Center | Connections By Protocol | Network Traffic | All_Traffic.app |
Usage By Protocol | All_Traffic.app, .bytes | ||
Top Connection Sources | All_Traffic.src | ||
Usage For Well Known Ports | All_Traffic.bytes, .dest_port | ||
Long Lived Connections | All_Traffic.src, .src_port, .duration, .dest, .dest_port, .transport | ||
Risk Analysis | Risk Modifiers Over Time | Risk Analysis | All_Risk.risk_score |
Risk Score By Object | All_Risk.risk_score | ||
Most Active Sources | All_Risk.risk_score, .risk_object | ||
Recent Risk Modifiers | All_Risk.* |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Security Posture | Notable Events By Urgency | None. Calls a search over the es_notable_events KVStore collection. | |
Notable Events Over Time | |||
Top Notable Events | |||
Top Notable Event Sources | |||
Session Center | Sessions Over Time | Network Sessions | All_Sessions.Session_* |
Session Details | All_Sessions.* | ||
SSL Activity | SSL Activity By Common Name | Certificates | All_Certificates.SSL.ssl_subject_common_name |
SSL Cloud Sessions | All_Certificates.SSL.ssl_subject_common_name, .src, | ||
Recent SSL Sessions | |||
SSL Search | All_Certificates.src, .dest, .ssl_subject_common_name, .ssl_subject_email, .ssl_issuer_common_name, .ssl_issuer_organization, .ssl_start_time, .ssl_end_time, .ssl_validity_window, .ssl_is_valid | ||
Suppression Audit | Suppressed Events Over Time - Last 24 Hours | None | Calls a macro to search on notable events. |
Suppression History Over Time - Last 30 Days | Calls a macro and a search on Summary Gen information. | ||
Suppression Management Activity | Calls a search by eventtype. | ||
Expired Suppressions | Calls a search by eventtype. | ||
System Center | Operating Systems | None. Calls system_version_tracker lookup. | |
Top-Average CPU Load By System | Performance | All_Performance.CPU.cpu_load_percent, All_Performance.dest | |
Services By System Count | Endpoint | Endpoint.Services | |
Ports By System Count | Endpoint.Ports |
T - Z
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Threat Activity | Threat Activity Over Time | Intrusion Detection, Network Traffic, and Web. For more details, see Threat Activity Data Sources. | |
Most Active Threat Collections | |||
Most Active Threat Sources | |||
Threat Activity Details | |||
Threat Artifacts | Threat Overview | None. Calls the threat intelligence KV Store collections. For a list of threat intelligence collections, see Supported types of threat intelligence in Splunk Enterprise Security. | |
Endpoint Artifacts | |||
Network Artifacts | |||
Email Artifacts | |||
Certificate Artifacts | |||
Threat Intelligence Audit | Threat Intelligence Downloads | None. Calls a search by REST endpoint. | |
Threat Intelligence Audit Events | None. Calls a search by eventtype. | ||
Time Center | Time Synchronization Failures | Performance | All_Performance.OS.Timesync, All_Performance.dest, .dest_should_timesync, OS.Timesync.action |
Systems Not Time Synching | |||
Indexing Time Delay | None. Calls the results of a Summary Gen search. | ||
Time Service Start Mode Anomalies | Endpoint | Endpoint_Services_fillnull_start_mode, Endpoint_Services_fillnull_status, Endpoint_Services_fillnull_dest .dest_should_timesync, .tag | |
Traffic Center | Traffic Over Time By Action | Network Traffic | All_Traffic.action |
Traffic Over Time By Protocol | All_Traffic.transport | ||
Scanning Activity (Many Systems) | All_Traffic.dest, .src | ||
Top Sources | All_Traffic.src | ||
Traffic Search | All_Traffic.action, .src_port, .src, .dest, .transport, .dest_port | ||
Traffic Size Analysis | Traffic Size Anomalies Over Time | Network Traffic | All_Traffic.transport, .src |
Traffic Size Details | All_Traffic.bytes, .dest, .src |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
Update Center | Top Systems Needing Updates | Updates | Updates.status, .dest, .signature_id, .vendor_product |
Top Updates Needed | Updates.status, .dest, .signature_id, .vendor_product | ||
Systems Not Updating - Greater Than 30 Days | Updates.dest_should_update, .dest, .signature_id, .vendor_product, .status | ||
Update Service Start Mode Anomalies | Endpoint | Endpoint_Services_fillnull_start_mode, Endpoint_Services_fillnull_status, .Services.service_exec, .tag | |
Update Search | Updates | Updates.dest_should_update, .status, .dest, .signature_id, .vendor_product | |
URL Length Analysis | URL Length Anomalies Over Time | Web | Web.http_method, .url |
URL Length Details | Web.url_length, .src, .dest, .url | ||
User Activity | Users By Risk Scores | Risk Analysis | All_Risk.risk_object |
Non-corporate Web Uploads | Web | Web.bytes, .user, .http_method, .url | |
Non-corporate Email Activity | All_Email.size, .recipient, .src_user, | ||
Watchlisted Site Activity | Web | Web.src, .url | |
Remote Access | Authentication | Authentication.src, .user | |
Ticket Activity | Ticket Management | All_Ticket_Management.description, .priority, . severity, .src_user |
Dashboard Name | Panel Title | Data Model | Data Model Dataset |
---|---|---|---|
View Audit | View Activity Over Time | Splunk Audit Logs | View_Activity.app, .view |
Expected View Activity | View_Activity.app, .view, .user | ||
Vulnerability Center | Top Vulnerabilities | Vulnerabilities | Vulnerabilities.signature, .dest |
Most Vulnerable Hosts | Vulnerabilities.signature, .severity, .dest | ||
Vulnerabilities By Severity | Vulnerabilities.signature, .severity, .dest | ||
New Vulnerabilities | Calls vuln_signature_reference lookup. | ||
Vulnerability Operations | Scan Activity Over Time | Vulnerabilities | Vulnerabilities.dest |
Vulnerabilities By Age | Calls vulnerability_tracker lookup. | ||
Delinquent Scanning | Vulnerabilities | Vulnerabilities.dest | |
Vulnerability Search | Vulnerabilities.category, .signature, .dest, .severity, .cve, | ||
Web Center | Events Over Time By Method | Web | Web.http_method |
Events Over Time By Status | Web.status | ||
Top Sources | Web.dest, .src | ||
Top Destinations | Web.dest, .src | ||
Web Search | Web.http_method, .status, .src, .dest, .url |
Dashboards to Add-on
Add-on dashboards are included in Splunk Enterprise Security. Use the navigation editor to add or rearrange dashboards on the menu bar. For more information about using the navigation editor, see Customize the menu bar in Splunk Enterprise Security.
To view the entire list of dashboards in Enterprise Security, select Search > Dashboards.
To review the list of dashboards in Enterprise Security by add-on, use Content Management and filter by app or data model. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.
Upgrade to the Splunk Dashboard Framework to improve performance | Add asset and identity data to Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!