Audit dashboards
Use the audit dashboards to validate the security and integrity of the data in Splunk Enterprise Security. Ensure that forwarders are functioning, that data has not been tampered with and is secured in transmission, and that analysts are reviewing the findings generated by detections.
Analyst queue audit
The Analyst queue audit dashboard provides an overview of activity on findings. The panels display how many findings are being reviewed and by which user, along with a list of the most recently reviewed events. The metrics on this dashboard allow security managers to review the activities of analysts.
Panel | Description |
---|---|
Review activity by reviewer | Displays the numbers of findings and investigations reviewed by each user. This panel is useful for determining which user is performing the security incident reviews and if the total number of reviews is changing over time. The drilldown opens a search with all activity by the selected reviewer. |
Top reviewers | Displays the top users that review security incidents in the analyst queue. The panel includes details for each user, including the date they first reviewed a finding or investigation, the date they last performed a review, and the total number of findings and investigations reviewed. The drilldown opens a search with all activity by the selected reviewer. |
Findings by status: Last 48 hours | Displays the status, count, and urgency for all findings in the last 48 hours. This panel is useful for determining if the analyst queue users are keeping up with security incidents, or whether a backlog of unreviewed incidents is forming. The drilldown opens the analyst queue on the Mission Control page and searches on the selected urgency and status over the last 48 hours. |
Findings by owner: Last 48 hours | Displays the owner, count, and urgency for all findings in the last 48 hours. This panel is useful for determining how many events are assigned to a user and the urgency of the events. The drilldown opens the analyst queue on the Mission Control page and searches on the selected urgency over the last 48 hours. |
Mean time to triage: Last 14 days | Displays the average time it took for a finding to be triaged after it was created over the last 14 days, split by the name of the finding. This panel is useful for determining how quickly analysts are triaging findings, or whether certain types of events take longer to triage than others. The drilldown opens the analyst queue on the Mission Control page and searches on the matching finding names over the last 14 days. |
Mean time to closure: Last 60 days | Displays the average time it took for a finding to be closed after it was created over the last 60 days, split by the name of the finding. This panel is useful for determining how long it takes to close certain types of findings and investigations. The drilldown opens the analyst queue on the Mission Control page and searches on the matching finding names that have a status of closed from the last 60 days. |
Recent review activity | Displays the 10 most recent changes on the analyst queue, such as triage actions. The drilldown opens a search with the selected rule ID. |
To audit data from the analyst queue in Splunk Enterprise Security prior to version 3.2, you must perform an ad hoc search like the following example:
index=_audit sourcetype=incident_review | rex field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"
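The following is an added example, not Splunk's own code, showing how the Analyst queue audit figures described above can be derived from incident_review audit records in the comma-separated layout that the rex in the search extracts (end_time, rule_id, owner, urgency, status, comment, user, rule_name). The sample records, the finding creation times (a constructed stand-in for the notable index, because review records only carry the time of each review action) and the definition of "triaged" as the first action that moves a finding out of the new status are all assumptions made for the example.

```python
"""Added example (not Splunk's own code): parse incident_review audit lines in the
field order matched by the rex on this page and derive the Analyst queue audit
figures from them. Finding creation times come from a constructed map standing in
for the notable index, because the review records only carry the review time."""
import csv
import io
from collections import Counter

FIELDS = ["end_time", "rule_id", "owner", "urgency", "status", "comment", "user", "rule_name"]

# Constructed sample records in the rex's field order (epoch seconds first).
INCIDENT_REVIEW_RAW = """\
1712000600,rule-1,alice,high,in progress,looking into it,alice,Sample Brute Force Rule
1712001200,rule-2,bob,medium,in progress,,bob,Sample Failed Logins Rule
1712004200,rule-1,alice,high,closed,"benign, expected scan",alice,Sample Brute Force Rule
1712007800,rule-3,,critical,new,,bob,Sample Malware Rule
1712008000,rule-3,carol,critical,in progress,taking ownership,carol,Sample Malware Rule
"""

# Constructed stand-in for the notable index: creation time (epoch seconds) per finding.
FINDING_CREATED = {"rule-1": 1712000000, "rule-2": 1712000000, "rule-3": 1712007000}


def parse_incident_review(raw):
    """Map each line onto FIELDS. csv tolerates a quoted comment that contains a comma,
    which a per-field [^,]* rex would mis-split; lines with the wrong column count are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(raw)):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, rec))
        row["end_time"] = int(row["end_time"])
        rows.append(row)
    return rows


ROWS = parse_incident_review(INCIDENT_REVIEW_RAW)


def review_activity_by_reviewer(rows):
    """Review activity by reviewer: number of review actions performed by each user."""
    return dict(Counter(r["user"] for r in rows))


def latest_state(rows):
    """Current record per finding: the most recent review action wins."""
    latest = {}
    for r in sorted(rows, key=lambda x: x["end_time"]):
        latest[r["rule_id"]] = r
    return latest


def findings_by_status(rows):
    """Findings by status: number of findings per (status, urgency), using each finding's current state."""
    return dict(Counter((r["status"], r["urgency"]) for r in latest_state(rows).values()))


def _mean_by_rule_name(rows, created, pick):
    """Average seconds from creation to the first review action accepted by `pick`, per rule name."""
    per_finding = {}
    for r in sorted(rows, key=lambda x: x["end_time"]):
        if r["rule_id"] in per_finding or not pick(r):
            continue
        per_finding[r["rule_id"]] = (r["rule_name"], r["end_time"] - created[r["rule_id"]])
    totals = {}
    for name, secs in per_finding.values():
        totals.setdefault(name, []).append(secs)
    return {name: sum(v) / len(v) for name, v in totals.items()}


def mean_time_to_triage(rows, created):
    """Mean time to triage: first action that moves a finding out of 'new' (assumed definition)."""
    return _mean_by_rule_name(rows, created, lambda r: r["status"] != "new")


def mean_time_to_closure(rows, created):
    """Mean time to closure: first action that sets the finding's status to 'closed'."""
    return _mean_by_rule_name(rows, created, lambda r: r["status"] == "closed")


if __name__ == "__main__":
    print(review_activity_by_reviewer(ROWS))
    print(findings_by_status(ROWS))
    print(mean_time_to_triage(ROWS, FINDING_CREATED))
    print(mean_time_to_closure(ROWS, FINDING_CREATED))
```

The per-finding "current state" step matters for the status panel: a finding that was set to in progress and later closed must be counted once, under closed, rather than once per review action.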
Data sources
The reports in the Analyst queue audit dashboard reference fields in the notable index and the incident review objects in a KVStore collection. See Notable index on the Splunk dev portal for more on the notable index.
Investigation overview
The Investigation overview dashboard gives insight into investigations, including monitoring open investigations, time to completion, and number of collaborators. You can filter by investigations where you're a collaborator or by investigations that exist on the system. You can use the All filter only if you have the "manage_all_investigations" capability.
In the descriptions that follow, there are references to "progress state" and "end state." Depending on your configuration, progress states can include statuses such as new, pending, and resolved. These states are considered unclosed because there is more work to do on the investigations. Also depending on your configuration, end states can include statuses such as closed, withdrawn, and fixed. These states are considered closed because there is no more work to do on the investigations.
Panel | Description |
---|---|
Unclosed investigations | Displays the number of investigations in a progress state during the time set in the time range picker. This includes investigations that were closed yesterday but are reopened today, as the only states that are included in this panel are progress states. |
Investigations created | Displays the number of investigations created in the time set in the time range picker. |
Investigations closed | Displays the number of investigations that have reached an end state during the time set in the time range picker. This does not include investigations that were closed yesterday but are reopened today, as the only states that are included in this panel are current end states. |
Oldest unclosed investigations | Displays the age of the investigations in a progress state during the time set in the time range picker. The investigations are sorted by create time. This is the list of investigations that corresponds to the number shown in the Unclosed Investigations panel. |
Total time spent on investigations | Displays the investigations, which were created in the time set in the time range picker, that spent the most cumulative time in a progress state. |
Time unclosed (in days) | Displays the average and median number of days that investigations spent in a progress state during the time set in the time range picker. |
Time to complete (in days) | Displays the average and median number of days for investigations to reach an end state during the time set in the time range picker. This includes the total lifetime from when the investigation started, went through states of progress, and even if it reached an end state, then was opened and completed again. |
Investigations unclosed per collaborator | Displays the number of investigations in a progress state for each collaborator during the time set in the time range picker, and the status of the investigations. |
Investigations unclosed per creator | Displays the number of investigations in a progress state for each person who created an investigation during the time set in the time range picker. |
Investigations unclosed per status | Displays the number of investigations in a progress state for each status during the time set in the time range picker. |
Number of collaborators per unclosed investigation | Displays the number of people working on investigations in a progress state during the time set in the time range picker. |
Longest inactive investigation (unclosed) | Displays the investigations in a progress state that haven't been modified during the time set in the time range picker. These are investigations that are underway, but are not being actively worked on. |
Most often reopened | Displays the investigations that have been completed and reopened the most amount of times during the time set in the time range picker. |
Investigations created per day | Displays the investigations created each day during the time set in the time range picker. |
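The following is an added example, not Splunk's own code, that replays a constructed investigation status-change log and computes the Investigation overview figures described above, including the two edge cases the panel descriptions call out: an investigation that was closed and then reopened counts as unclosed and not as closed, and time to complete spans the whole lifetime from creation through any reopen. The progress and end state names are the examples the page gives (a deployment may configure others), and the log, window and helper names are assumptions made for the example.

```python
"""Added example (not Splunk's own code): derive Investigation overview metrics from a
constructed status-change log, using the progress/end state split described on this page."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median
from typing import NamedTuple

PROGRESS_STATES = {"new", "pending", "resolved"}   # unclosed: more work to do
END_STATES = {"closed", "withdrawn", "fixed"}      # closed: no more work to do


class StatusChange(NamedTuple):
    inv_id: str
    at: datetime
    status: str


T0 = datetime(2024, 4, 1)


def day(n):
    """Constructed time axis: day offsets from T0."""
    return T0 + timedelta(days=n)


# Constructed sample log; the first record for an id is its creation.
LOG = [
    StatusChange("inv-1", day(0.0), "new"),
    StatusChange("inv-2", day(0.5), "new"),
    StatusChange("inv-1", day(1.0), "pending"),
    StatusChange("inv-3", day(1.5), "new"),
    StatusChange("inv-1", day(2.0), "closed"),
    StatusChange("inv-2", day(3.0), "closed"),
    StatusChange("inv-2", day(4.0), "pending"),   # reopened
    StatusChange("inv-2", day(5.0), "closed"),    # completed again
    StatusChange("inv-3", day(6.0), "closed"),
    StatusChange("inv-3", day(7.0), "pending"),   # reopened and still open
    StatusChange("inv-4", day(8.0), "new"),
]


def histories(log, until):
    """Status changes per investigation in time order, ignoring anything after `until`."""
    h = defaultdict(list)
    for rec in sorted(log, key=lambda r: r.at):
        if rec.at <= until:
            h[rec.inv_id].append(rec)
    return h


def unclosed(log, start, end):
    """Unclosed / Oldest unclosed panels: ids whose current status at `end` is a progress
    state, oldest creation first. A closed-then-reopened investigation counts here."""
    h = histories(log, end)
    ids = [i for i, recs in h.items() if recs[-1].status in PROGRESS_STATES]
    return sorted(ids, key=lambda i: h[i][0].at)


def created(log, start, end):
    """Investigations created panel: ids whose first record falls inside the window."""
    return [i for i, recs in histories(log, end).items() if start <= recs[0].at <= end]


def closed(log, start, end):
    """Investigations closed panel: ids that reached their current end state inside the window.
    An investigation closed earlier and reopened is excluded, since its current state is not an end state."""
    return [i for i, recs in histories(log, end).items()
            if recs[-1].status in END_STATES and start <= recs[-1].at <= end]


def time_to_complete_days(log, start, end):
    """Time to complete: whole lifetime from creation to the final end state, including any reopen."""
    h = histories(log, end)
    return {i: (h[i][-1].at - h[i][0].at) / timedelta(days=1) for i in closed(log, start, end)}


def time_unclosed_days(log, start, end):
    """Time unclosed: average and median age at `end` of investigations still in a progress state."""
    h = histories(log, end)
    ages = [(end - h[i][0].at) / timedelta(days=1) for i in unclosed(log, start, end)]
    return (mean(ages), median(ages)) if ages else (0.0, 0.0)


def reopen_counts(log, end):
    """Most often reopened: number of end-state to progress-state transitions per investigation."""
    return {i: sum(1 for prev, cur in zip(recs, recs[1:])
                   if prev.status in END_STATES and cur.status in PROGRESS_STATES)
            for i, recs in histories(log, end).items()}


if __name__ == "__main__":
    start, end = day(3.5), day(9.0)
    print("unclosed:", unclosed(LOG, start, end))
    print("closed in window:", closed(LOG, start, end))
    print("time to complete (days):", time_to_complete_days(LOG, start, end))
    print("reopen counts:", reopen_counts(LOG, end))
```

With the window set to days 3.5 through 9, inv-2 is the only closed investigation even though inv-1 and inv-3 both passed through an end state, and inv-2's time to complete is counted from its creation rather than from its reopen.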
Suppression audit
The Suppression audit dashboard provides an overview of finding suppression activity. This dashboard shows how many events are being suppressed, and by whom, so that finding suppression can be audited and reported on.
The metrics on this dashboard allow security managers to review the activities of analysts, which is useful for tuning detections. You can identify detection rules that are generating more events than your analysts are capable of looking at, and tune them accordingly.
Panel | Description |
---|---|
Suppressed events over time: Last 24 hours | Displays findings suppressed in the last 24 hours. |
Suppression history over time: Last 30 days | Displays the history of suppressed findings. |
Suppression management activity | Displays suppression management activity for the time period. |
Expired suppressions | Displays expired suppressions. |
Data sources
The reports in the Suppression audit dashboard reference events in the Notable index.
Per-panel filter audit
The Per-panel filter audit dashboard provides information about the filters currently in use in your deployment.
The following table describes the panels for this dashboard.
Panel | Description |
---|---|
Per-panel by reviewer | Displays the count of updates to per-panel filters by user. |
Top users | Shows users, sparkline for trends, number of views, and first and last time viewed. |
Recent filter activity | Activity by time, user, action, and filename. |
Adaptive response action center
The Adaptive response action center dashboard provides an overview of the response actions initiated by adaptive response actions, including finding creation and risk scoring.
Panel | Description |
---|---|
Action invocations over time by name | Displays a time chart of the adaptive response actions triggered by name. |
Top actions by name | Displays the top adaptive response actions by name. |
Top actions by search | Displays the top adaptive response actions by search. |
Recent response actions | Displays the most recent adaptive response actions. |
Data sources
The reports in the Adaptive response action center dashboard reference fields in the Audit data model. For a list of data model objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on manual.
Threat intelligence audit
The Threat intelligence audit dashboard tracks and displays the current status of all threat and generic intelligence sources. As an analyst, you can review this dashboard to determine if threat and generic intelligence sources are current, and troubleshoot issues connecting to threat and generic intelligence sources.
Panel | Description |
---|---|
Intelligence downloads | Displays the status of all intelligence sources defined on the Intelligence downloads configuration page. Use the filters to sort by status or download location. |
Intelligence audit events | Displays log events related to intelligence downloads configured on the Intelligence downloads configuration page and modular inputs configured on the Threat intelligence manager configuration page. Use the filters to sort and filter the events displayed. |
If an intelligence download fails, a search automatically creates a system message. See Troubleshoot intelligence downloads in Splunk Enterprise Security.
Data sources
The reports in the Threat intelligence audit dashboard reference events in the _internal index and state information from the /services/data/inputs/threatlist REST endpoint.
Machine learning audit
The Machine learning audit dashboard displays information related to usage of the Machine Learning Toolkit (MLTK).
Panel | Description |
---|---|
Machine learning toolkit errors and failed fit and apply searches: Last 7 days | The mlspl.log log file itself doesn't contain a lot of details about specific models and when they ran as part of a search or a rule. As an analyst, you can review this chart to help determine where MLTK errors are happening. It shows all the MLTK errors over the last 7 days. If you click on the chart to drill down into the details, you can see the audits of failed searches that contain the fit or apply commands, which can help you correlate errors with the actual searches that produced the issues. |
Machine learning models | The list shows the names of the MLTK models. If you click on a model name to drill-down into the details, it opens a custom search that helps audit your model generating searches and the corresponding rules that apply them. See Audit searches using an MLTK Model. |
List of model generating searches | The button shows all the MLTK model generating searches and their statuses. |
ES configuration health
Use the ES configuration health dashboard to compare the latest installed version of Splunk Enterprise Security to prior releases and identify configuration anomalies. The dashboard does not report changes to add-ons (TAs). Select the previous version of Splunk Enterprise Security installed in your environment using the Previous ES Version filter.
Mode | Description |
---|---|
Unshipped | The unshipped setting compares the latest installed version of Splunk Enterprise Security with the content in the ES installation package. Any item that was not provided as part of the Splunk Enterprise Security installation, such as files or scripts used for customization, is labeled as an Unshipped item. Review unshipped items to evaluate their use, determine if they are still needed, and reconcile if necessary. The unshipped setting ignores the Previous ES version filter. |
Removed stanzas | The removed stanzas setting compares the latest installed version of Splunk Enterprise Security with the version that you select in the filter. Removed stanzas are configuration stanzas that changed between versions, such as a deprecated threat list or input. Review removed stanzas to evaluate their use, determine if they are still needed, and reconcile if necessary. |
Local overrides | The local overrides setting compares the installed version of Splunk Enterprise Security with the version that you select in the filter. A setting that conflicts with or overrides the installed version of Splunk Enterprise Security is labeled as a Local override. Review any local override settings to evaluate their use, determine if they are still needed, and reconcile if necessary. |
Data model audit
The Data model audit dashboard displays information about the state of data model accelerations in your environment.
Panel | Description |
---|---|
Top accelerations by size | Displays the accelerated data models sorted in descending order by MB on disk. |
Top accelerations by run duration | Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks. |
Accelerations details | Displays a table of the accelerated data models with additional information. |
Data model acceleration can be in progress and 100% complete at the same time, because whether the acceleration process is running and whether its status reports completion are not directly tied together.
Data sources
The reports in the Data model audit dashboard reference fields in the Splunk Audit data model. For a list of data model objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on Manual.
Forwarder audit
The Forwarder audit dashboard reports on hosts forwarding data to Splunk Enterprise.
Use the search filters and time range selector to focus on groups of forwarders or an individual forwarder.
Filter by | Description | Action |
---|---|---|
Show only expected hosts | An expected host is a host defined in ES by the expected host field is_expected in the Asset table. | Drop-down, select to filter by |
Host | Filter by the host field in the Asset table. | Text field. Wildcard with an asterisk (*) |
Business Unit | Filter by the business unit bunit field in the Asset table. | Text field. Wildcard with an asterisk (*) |
Category | Filter by the category field in the Asset table. | Drop-down, select to filter by |
Panel | Description |
---|---|
Event count over time by host | Displays the number of events reported over the time period selected in the filter. The events are split by host. |
Hosts by last report time | Displays a list of hosts, ordered by the last time they reported an event. |
Splunkd process utilization | Displays the resource utilization of the forwarder's Splunk daemon splunkd. |
Splunk service start mode | Displays the host names that are forwarding events, but are not configured to have splunkd start on boot. |
Data sources
Relevant data sources for the Forwarder audit dashboard include data from all forwarders in your Splunk environment and the Application_State data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.
Indexing audit
The Indexing audit dashboard is designed to help administrators estimate the volume of event data being indexed by Splunk Enterprise. The dashboard uses EPD (events per day) as a metric to track the event volume per index, and the rate of change in the total event counts per index over time. EPD applies only to event counts, and is unrelated to the volume per day metric used for licensing.
Panel | Description |
---|---|
Key indicators | The key indicators on this dashboard are scoped to "All time," not the "Last 24 hours". |
Events per day over time | Displays a column chart representing the event counts per day. |
Events per day | Displays a table representing event counts per day and the average eps. |
Events per index (last day) | Displays a table of event counts per index for the last day. |
Data sources
The reports in the Indexing audit dashboard reference data generated by the Audit - Events Per Day - Lookup Gen saved search and are stored within a KVStore collection.
Search audit
The Search audit dashboard provides information about the searches run in Splunk Enterprise. This dashboard is useful for identifying long running searches and tracking search activity by user.
Panel | Description |
---|---|
Searches over time by type | Shows the number of searches run over time by type, such as ad-hoc, scheduled, or real-time. Helps determine whether Splunk's performance is being affected by excessive numbers of searches. |
Searches over time by user | Shows the number of searches executed by each user. Helps determine when a particular user is executing an excessive number of searches. The splunk-system-user is the name of the account used to execute scheduled searches in Splunk Enterprise. |
Top searches by run time | Lists the most expensive searches in terms of duration. Helps to identify specific searches that might be adversely affecting Splunk performance. |
Data sources
The reports in the Search audit dashboard reference scheduled search auditing events from the audit index.
View audit
The View audit dashboard reports on the most active views in Splunk Enterprise Security. The View audit dashboard allows tracking of views that are being accessed on a daily basis and helps to identify any errors triggered when users review dashboard panels.
Panel | Description |
---|---|
View activity over time | Displays the Splunk Enterprise Security views that have the greatest access counts over time. The drilldown opens a search view of all page activity for the time selected. |
Expected view activity | Lists the views set up in the Expected view lookup. These are the views you want reviewed on a daily basis for your deployment. Select a dashboard to see details in the Expected view scorecard panel below. See Manage internal lookups in Splunk Enterprise Security. |
Web service errors | Displays errors that occurred while loading the web interface. Helps identify custom views that contain errors, or an underlying issue that needs to be escalated to Splunk. |
Data sources
The reports in the View audit dashboard reference fields in the Splunk Audit data model. For a list of data model objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on Manual.
Managed lookups audit
The Managed lookups audit dashboard reports on managed lookups and collections such as services, data, transforms, KV Store lookups, and CSV lookups in Splunk Enterprise Security. The Managed lookups audit dashboard shows the growth of lookups over time and the markers for anomalous growth. You can use this to help determine if any managed lookups are growing too large for your particular environment's performance and need to be pruned.
Field | Description |
---|---|
Name | Displays the name of the Splunk Enterprise Security lookup. The drill-down takes you to all the contributing events for this particular lookup name from the audit_summary index. |
Growth | Lists the lookup size over time as measured by a saved search that writes to the audit_summary index, running every 24 hours, displayed as a sparkline. |
Count | Displays the estimated number of rows in the lookup file. |
Size | Displays the size of the file in megabytes, sorted by the largest first. |
Data protection
The Data protection dashboard reports on the status of the data integrity controls.
Panel | Description |
---|---|
Data integrity control by index | Displays a view of all indexes with data protection enabled, sorted by search peer. For more information on configuring and validating data integrity, see Manage data integrity in Securing Splunk Enterprise. If you use Splunk Cloud Platform, file a support case to request enablement of data integrity control. |
Sensitive data | Displays the count of events with sensitive data. This panel requires turning on the Personally Identifiable Information Detected detection. For more information on how the IIN and the LUHN lookups are leveraged by detections and displayed on the Data protection dashboard, see Internal lookups that you can modify. |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1