Executive summary dashboard
The Executive summary dashboard provides high-level insight into security operations so that executives can evaluate security trends over time based on key metrics, findings, risk, and other additional metrics. Use the Executive summary dashboard to prioritize security operations, monitor overall health, and evaluate the risk to your organization.
Dashboard panels
Key metrics
Panel | Description and default search |
---|---|
Mean time to triage | Displays the average time in minutes to triage or prioritize an investigation over the duration of a specified time period. Also displays a trendline, in absolute value, that indicates how the mean time taken to triage the finding compares to the mean time taken to triage the finding over the previous time period of the same length. For example, the trendline may show that the mean time to triage a finding over the last 7 days is 0.5% up or down compared with the previous 7-day time period. For more information, see Triage notable events in Splunk Enterprise Security. |
Mean time to resolution | Displays the average time in minutes taken by a finding to reach its configured end status over the duration of a specified time period. Also displays a trendline, in absolute value, that indicates how the mean time taken by a finding to reach its configured end status compares to the same mean over the previous time period of the same length. For more information, see Take action on notable events in Splunk Enterprise Security. |
Investigations created | Displays the number of investigations created in the SOC over the duration of a specified time period. Also displays a trendline, in absolute value, that indicates how the mean number of investigations created compares to the mean number of investigations created over the previous time period of the same length. For more information, see Start an investigation in Splunk Enterprise Security. |
You can access the key performance indicator (KPI) panel for Investigations created on the Executive summary dashboard. Only the admin and ess_admin roles have the manage_all_investigations capability by default. For all other roles, such as ess_analyst or ess_user, you see an error message on the Investigations created KPI panel. An administrator can add the manage_all_investigations capability to a role so that its users can access the Investigations created KPI panel on the Executive summary dashboard. For more information on adding capabilities to a specific role, see Specify role capabilities.
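As an added illustration of how the two timing KPIs in the Key metrics table are derived, here is example code written for this page, not Splunk's own search logic; the sample findings, the 7-day window and the period end NOW are assumed.

```python
# Added example, not Splunk's own search logic: computes the Key metrics KPIs
# "Mean time to triage" and "Mean time to resolution" over a period and the
# trend versus the previous period of the same length, as the panels describe.
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample findings (assumed timestamps, not real SOC data).
# "triaged"/"resolved" is None while the finding has not reached that state.
FINDINGS = [
    {"created": datetime(2024, 5, 9, 10, 0), "triaged": datetime(2024, 5, 9, 10, 20), "resolved": datetime(2024, 5, 9, 12, 0)},
    {"created": datetime(2024, 5, 11, 8, 0), "triaged": datetime(2024, 5, 11, 8, 40), "resolved": None},
    {"created": datetime(2024, 5, 13, 14, 0), "triaged": None, "resolved": None},
    {"created": datetime(2024, 5, 2, 9, 0), "triaged": datetime(2024, 5, 2, 9, 30), "resolved": datetime(2024, 5, 2, 11, 0)},
    {"created": datetime(2024, 5, 5, 16, 0), "triaged": datetime(2024, 5, 5, 16, 50), "resolved": datetime(2024, 5, 5, 18, 30)},
]
NOW = datetime(2024, 5, 15)  # assumed end of the dashboard's selected time range


def period_findings(findings, start, end):
    """Findings created in [start, end), the dashboard's 'specified time period'."""
    return [f for f in findings if start <= f["created"] < end]


def mean_minutes(findings, state):
    """Mean minutes from creation to `state`; findings not yet in that state are excluded."""
    durations = [(f[state] - f["created"]).total_seconds() / 60
                 for f in findings if f[state] is not None]
    return round(mean(durations), 2) if durations else None


def trend(current, previous):
    """Absolute percentage change and its direction; None when there is no baseline."""
    if current is None or previous is None or previous == 0:
        return None
    direction = "up" if current > previous else "down" if current < previous else "flat"
    return round(abs(current - previous) / previous * 100, 1), direction


def kpi(findings, state, now=NOW, days=7):
    """KPI value for the last `days` days plus the trend against the `days` before that."""
    current = period_findings(findings, now - timedelta(days=days), now)
    previous = period_findings(findings, now - timedelta(days=2 * days), now - timedelta(days=days))
    current_mean, previous_mean = mean_minutes(current, state), mean_minutes(previous, state)
    return {"mean_minutes": current_mean, "previous_mean_minutes": previous_mean,
            "trend": trend(current_mean, previous_mean)}


if __name__ == "__main__":
    print("Mean time to triage:", kpi(FINDINGS, "triaged"))        # 30.0 min, (25.0, 'down')
    print("Mean time to resolution:", kpi(FINDINGS, "resolved"))   # 120.0 min, (11.1, 'down')
```

Findings that have not yet been triaged or resolved are left out of the mean rather than counted as zero, and a period with no baseline yields no trend instead of a misleading percentage.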
Findings
Panel | Description and default search |
---|---|
Distribution by urgency | Displays the distribution of the urgency level, which is calculated from the severity and priority level of a finding, over the duration of a specified time period. The distribution uses the following categories: Critical, High, Medium, Low, Information, and Unknown. For more information, see How urgency is assigned to a notable event in Splunk Enterprise Security. |
Findings by domain | Displays the classification of the findings by security domain, such as Access, Endpoint, Network, Threat, Identity, and Audit, over the duration of a specified time period. |
Untriaged findings by domain | Displays the classification of the untriaged findings by security domain, such as Access, Endpoint, Network, Threat, Identity, and Audit, over the duration of a specified time period. |
Top 10 untriaged findings by source | Displays the top 10 untriaged findings by their sources over the duration of a specified time period. |
Untriaged findings by type | Displays the classification of findings based on whether or not they indicate risk over the duration of a specified time period. |
Frequent finding sources | Displays the sources that generate the largest number of findings over the duration of a specified time period. |
 | Displays the sources that generate the fewest findings over the duration of a specified time period. |
Risk
Panel | Description and default search |
---|---|
Risk Notables vs Notable Events | Displays a comparison graph of regular notables versus risk notables in the SOC over the duration of a specified time period. |
Risk Events Contributing to Risk Notables | Displays a comparison graph of risk events that generated risk notables versus risk events that did not generate risk notables over the duration of a specified time period. |
Risk Event Types Not Contributing to Risk Notables | Displays a list of the types of risk events that did not generate risk notables, in descending order of frequency, over the duration of a specified time period. |
Additional Metrics
Panel | Description and default search |
---|---|
Adaptive Response Actions Triggered | Displays a graph indicating the type and frequency of the adaptive response actions that were triggered over the duration of a specified time period. |
Sources with Notable Action vs Risk Action Enabled | Displays a graph indicating how many enabled sources have risk actions versus notable actions over the duration of a specified time period. |
Correlation Searches Enabled vs Disabled | Displays a bar chart of the distribution of enabled correlation searches versus disabled correlation searches in the SOC over the duration of a specified time period. |
For key indicator panels and time chart visualizations on the Executive Summary dashboard, some arguments in the underlying SPL searches may be dynamically updated based on the time range selected on the dashboard UI.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1