Splunk® Enterprise Security

Use Splunk Enterprise Security

Threat intelligence dashboards

Splunk Enterprise Security includes two dashboards for reviewing threat intelligence data: the Threat findings dashboard and the Indicators dashboard.

Threat findings

The Threat findings dashboard provides information on threat findings by matching threat intelligence source content to events in Splunk Enterprise Security.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by Description
Threat group A named group or entity representing a known threat, such as a malware domain.
Threat category A category of threat, such as advanced persistent threat, financial threat, or backdoor.
Search Used for searching on a value related to fields: Destination, Sourcetype, Source, Threat Collection, Threat Collection Key, Threat Key, Threat Match Field, and Threat Match Value.
Time range The time range of threat intelligence data.

Dashboard panels

Panel Description
Key indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard.
Threat findings over time Displays the count of events by all threat collections over the selected time. The drilldown opens a search with the selected threat collection and scoped to the selected time frame.
Most active threat collections Displays the top threat collections by event matches over the selected time with a sparkline representing peak event matches. The drilldown opens a search with the selected threat collection.
Most active threat sources Displays the top threat sources over the selected time by event count matches. The drilldown opens a search with the selected threat source.
Threat findings details Displays a breakout of the most recent threat findings. Use the event selection box Threat findings details with the Per-panel filter option to:
  • Allowlist by threat_match_value to remove matches.
  • Highlight specific threat_match_value matches and place them at the top of the table.

Data sources

The reports in the Threat findings dashboard use fields in the Threat_Intelligence data model. Relevant data sources include threat source event matches in the threat_activity index along with the associated indicators.

Indicators

The Indicators dashboard provides a single location to explore and review threat content sourced from all configured threat download sources. It provides additional context by showing all indicators related to a user-specified threat source or indicator.

The dashboard offers multiple selection filters and tabs to isolate the threat content.

Begin by changing the Indicator filter to select from available indicator types. Other available filters will change depending on your selection.

Indicator selection Filter by text: (*) wildcard defaulted Filter by drop-down
Threat ID Malware Alias, Intel Source ID, and Intel Source Path Threat Category, Threat Group
Network IP, Domain HTTP. Select from: Referrer: User Agent, Cookie, Header, Data, or URL and add a string to search.
File File Name, File Extension, File Path, and File Hash n/a
Registry Hive, Path, Key Name, Value Name, Value Type, and Value Text n/a
Service Name, Descriptive Name:, Description:, and Type n/a
User User, Full Name, Group Name, and Description n/a
Process Process, Process Arguments, Handle Names, and Handle Type n/a
Certificate Serial Number, Subject, Issuer, Validity Not After, and Validity Not Before n/a
Email Address, Subject, and Body n/a

Use the tabs to review threat source context:

Tab Panels
Threat overview Endpoint artifacts, Network artifacts, Email artifacts, Certificate artifacts
Network HTTP intelligence, IP intelligence, Domain intelligence
Endpoint File intelligence, Registry intelligence, Process intelligence, Service intelligence, User intelligence
Certificate Certificate intelligence
Email Email intelligence

Data sources

The Indicator dashboard references fields in the threat collection KV Store. Relevant data sources include threat sources such as STIX and OpenIOC documents. -->

Last modified on 28 October, 2024
Protocol intelligence dashboards   Web intelligence dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters