Splunk® Enterprise Security

Use Splunk Enterprise Security

Executive summary dashboard

The Executive summary dashboard is designed to provide a high level insight into security operations so that executives can evaluate security trends over time based on key metrics, findings, risk, and other additional metrics. Use the Executive Summary dashboard to prioritize security operations, monitor the overall health and evaluate the risk to your organization.

Dashboard panels

Key metrics

Panel Description and default search
Mean time to triage Displays the average time in minutes to triage or prioritize an investigation over the duration of a specified time period. Also, displays a trendline in absolute value that indicates how the mean time taken to triage the finding compares to the previous mean time taken to triage the finding over the same time period. For example, the trendline may display that the mean time to triage a finding over the last 7 days is 0.5% up or down over the mean time taken to triage the finding during the previous 7 day time period. For more information, see Triage notable events in Splunk Enterprise Security.

| tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id" | rename "Notable_Events_Meta.*" as "*" | lookup update=true incident_updates_lookup rule_id OUTPUTNEW time | search time=* | stats earliest(_time) as create_time, earliest(time) as triage_time by rule_id | eval diff=triage_time-create_time, stat_type=if(create_time < relative_time(now(), "-7d@d"), "past", "current"), past=if(stat_type="past", 1, 0), current=if(stat_type="current", 1, 0), past_diff=if(stat_type="past", diff, 0), current_diff=if(stat_type="current", diff, 0) | stats sum(past) AS past, sum(current) AS current, sum(past_diff) AS past_diff, sum(current_diff) as current_diff | eval past = round(past_diff/past/60), current = round(current_diff/current/60) | table past, current | transpose | rename "column" as stat_type,"row 1" as mean_triage_time | fillnull value=0 mean_triage_time

Mean time to resolution Displays the average time in minutes taken by the finding to reach its configured end status over the duration of a specified time period. Also, displays a trendline in absolute value that indicates how the mean time taken by the finding to reach its configured end status compares to the previous mean time taken by the finding to reach its configured end status over the same time period. For more information, see Take action on notable events in Splunk Enterprise Security.

| tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id" | rename "Notable_Events_Meta.*" as "*" | eval temp_time=time()+86400 | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUTNEW time, status | `get_reviewstatuses` | search time=* AND status_end=true | stats first(_time) as create_time, last(time) as resolve_time by rule_id | eval diff=resolve_time-create_time, stat_type=if(create_time < relative_time(now(), "-7d@d"), "past", "current"), past=if(stat_type="past", 1, 0), current=if(stat_type="current", 1, 0), past_diff=if(stat_type="past", diff, 0), current_diff=if(stat_type="current", diff, 0) | stats sum(past) AS past, sum(current) AS current, sum(past_diff) AS past_diff, sum(current_diff) as current_diff | eval past = round(past_diff/past/60), current = round(current_diff/current/60) | table past, current | transpose | rename "column" as stat_type,"row 1" as mean_resolution_time | fillnull value=0 mean_resolution_time

Investigations created Displays the number of investigations created in the SOC over the duration of a specified time period. Also, displays a trendline in absolute value that indicates how the mean number of investigations created compares to the previous mean number of investigations created over the same time period. For more information, see Start an investigation in Splunk Enterprise Security.

| inputlookup investigation_lookup | where create_time > relative_time(now(), "-14d@d") | stats count(eval(create_time < relative_time(now(), "-7d@d"))) AS past, count(eval(create_time >= relative_time(now(), "-7d@d"))) AS current | transpose | rename "column" as count_type, "row 1" as count

You can access the key performance indicator (KPI) panel for Investigations created on the Executive summary dashboard. Only the admin and the ess_admin roles have the manage_all_investigations capability by default. For all other roles such as ess_analystor ess_user, you see an error message on the Investigations created KPI panel. An administrator can add the manage_all_investigations capability for users that allows other users to access the Investigations created KPI panel on the executive summary dashboard. For more information on adding capabilities to a specific role, see Specify role capabilities.

Findings

Panel Description and default search
Distribution by urgency Displays the distribution of the urgency level that is calculated based on the severity and priority level of a finding over the duration of a specified time period. The distribution is based on the following categories: Critical, High, Medium, Low, Information, and Unknown. For more information, see How urgency is assigned to a notable event in Splunk Enterprise Security.

`get_notable_index` | eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW severity | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT urgency as new_urgency | eval urgency=if(isnotnull(new_urgency),new_urgency,urgency) | `get_urgency` | eval urgency = upper(substr(urgency,1,1)).lower(substr(urgency,2)) | timechart span=1d count by urgency

Findings by domain Displays the classification of the findings by security domains, such as Access, Endpoint, Network, Threat, Identity, and Audit over the duration of a specified time period.

| tstats summariesonly=true earliest(_time) as _time, first(source) as source FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id" | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW security_domain | fillnull value="threat" security_domain | lookup update=true security_domain_lookup security_domain OUTPUTNEW label as security_domain_label | timechart span=1d count by security_domain_label

Untriaged findings by domain Displays the classification the untriaged findings by security domain, such as Access, Endpoint, Network, Threat, Identity, and Audit over the duration of a specified time period.

| tstats summariesonly=true earliest(_time) as _time, first(source) as source FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id" | rename "Notable_Events_Meta.*" as "*" | eval temp_time=time()+86400 | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT time as triage_time | where isnull(triage_time) | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW security_domain | fillnull value="threat" security_domain | lookup update=true security_domain_lookup security_domain OUTPUTNEW label as security_domain_label | timechart span=1d count by security_domain_label

Top 10 untriaged findings by source Displays the top 10 untriaged findings by their sources over the duration of a specified time period.

`get_notable_index` | eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT time as triage_time | where isnull(triage_time) | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW rule_name | eval rule_name=if(isnull(rule_name),source,rule_name) | stats count by rule_name | sort - count | head 10

Untriaged findings by type Displays the classification of findings based on whether or not they indicate risk over the duration of a specified time period.

`get_notable_index` | eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT time as triage_time | where isnull(triage_time) | eval type=if(isnotnull(risk_object), "Risk Notable", "Notable") | timechart span=1d count by type

Frequent finding sources

Displays the sources that generate the most number of findings over the duration of a specified time period.

`get_notable_index` | eval source=case(isNotNull(orig_source), orig_source, isNotNull(source_correlation_search), source_correlation_search, 1=1, source) | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW rule_name | eval rule_name=if(isnull(rule_name),source,rule_name) | stats count by rule_name | sort - count | head 10

Displays the sources that generate the least number of findings over the duration of a specified time period.

`get_notable_index` | eval source=case(isNotNull(orig_source), orig_source, isNotNull(source_correlation_search), source_correlation_search, 1=1, source) | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW rule_name | eval rule_name=if(isnull(rule_name),source,rule_name) | stats count by rule_name | sort + count | head 10|}

Risk

Panel Description and default search
Risk Notables vs Notable Events Displays a comparison graph of regular notables versus risk notables in the SOC over the duration of a specified time period.

`get_notable_index` | eval notable_type=if(isnotnull(risk_object) AND isnotnull(risk_object_type), "Risk Notable", "Notable") | fields notable_type, count | timechart span=1d count by notable_type

Risk Events Contributing to Risk Notables Displays a comparison graph of risk events that generated risk notables versus the risk events that did not generate risk notables over the duration of a specified time period.

(index=risk ) OR (`get_notable_index` risk_object=* ) | eval source=case(index="risk",source,isnull(orig_source),source_correlation_search,1=1,orig_source),search_time=if(index="notable",mvzip(info_min_time,mvsort(info_max_time)),null()),risk_id=if(index="risk",replace(_bkt,".*~(.+)","\1")."@@".index."@@".md5(_time._raw),null()), risk_id_time=if(index="risk",mvzip(risk_id,_time),null()) | stats values(index) AS index, values(risk_id_time) AS risk_id_time, values(search_time) AS search_time by source, risk_object, risk_object_type | mvexpand risk_id_time | mvexpand search_time | eval risk_id=if(isnull(risk_id_time),null(),mvindex(split(risk_id_time,","),0)),risk_time=if(isnull(risk_id_time),null(),mvindex(split(risk_id_time,","),1)),search_earliest=if(isnull(search_time),null(),mvindex(split(search_time,","),0)), search_latest=if(isnull(search_time),null(),mvindex(split(search_time,","),1)),contributing=if(isnull(search_earliest) OR isnull(search_latest) OR risk_time <= search_earliest OR risk_time >= search_latest,"false","true") | stats values(contributing) as contributing, values(risk_time) as _time by risk_id | eval contributed=if(contributing="true", "Contributed", "Not Contributed") | timechart span=1d count by contributed

Risk Event Types Not Contributing to Risk Notables Displays a list in descending order of frequency of the type of risk events that did not generate risk notables over the duration of a specified time period.

(index=risk ) OR (`get_notable_index` risk_object=* ) | eval source=if(index="notable",if(isnull(orig_source),source_correlation_search, orig_source), source) | stats count, values(index) as index by source | where index != "notable" | `get_correlations` | table rule_name, count | sort - count

Additional Metrics

Panel Description and default search
Adaptive Response Actions Triggered Displays a graph indicating the type and frequency of the adaptive response actions that were triggered over the duration of a specified time period.

| tstats summariesonly=true count from datamodel=Splunk_Audit.Modular_Actions where Modular_Actions.is_Modular_Action_Invocations=1 by _time, Modular_Actions.action_mode, Modular_Actions.action_name | `drop_dm_object_name("Modular_Actions")` | eval action_mode=if(action_mode="saved","automated", action_mode), action_name=action_mode+"-"+action_name | fields - action_mode | timechart span=1d sum(count) as count by action_name

Sources with Notable Action vs Risk Action Enabled Displays a graph indicating how many enabled sources have risk actions versus notables actions over the duration of a specified time period.

| inputlookup correlationsearch_changes_lookup | where _time > relative_time(now(),"-7d@d") | sort - _time | bin _time span=1d | dedup label, _time | where (disabled == 0) | mvexpand actions | where actions="notable" OR actions="risk" | eval actions=if(actions="notable", "Notable Action", "Risk Action") | timechart span=1d count by actions

Correlation Searches Enabled vs Disabled Displays a bar chart that provides a distribution of the correlation searches enabled versus correlation searches disabled in the SOC over the duration of a specified time period.

| inputlookup correlationsearch_changes_lookup | where _time > relative_time(now(),"-7d@d") | sort - _time | bin _time span=1d | dedup label, _time | timechart span=1d count by disabled | rename 0 as Enabled, 1 as Disabled

For key indicator panels and time chart visualizations on the Executive Summary dashboard, some arguments in the underlying SPL searches may be dynamically updated based on the time range selected on the dashboard UI.

Last modified on 14 June, 2024
Security posture dashboard   SOC operations dashboard

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters