Splunk® Enterprise Security

Use Splunk Enterprise Security

Network dashboards

The Network Protection domain provides insight into the network and network-based devices, including routers, switches, firewalls, and IDS devices. This domain aggregates all the traffic on the network, including overall volume, specific patterns of traffic, what devices or users are generating traffic, and per-port traffic. It also shows results from the vulnerability scanners on the network.

Traffic Center dashboard

The Traffic Center dashboard profiles overall network traffic, helps detect trends in type and changes in volume of traffic, and helps to isolate the cause (for example, a particular device or source) of those changes. This helps determine when a traffic increase is a security issue and when it is due to an unrelated problem with a server or other device on the network.

You can use the filters to limit which items are shown. Configure new data inputs through the Settings menu, or search for particular network intrusion events directly through Incident Review.

Filter by Description Action
Action Filter based on firewall rule actions. Drop-down: select to filter by
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the host belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

Dashboard Panels

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Traffic Over Time by Action Displays network traffic by action. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected action and time range.
Traffic Over Time By Protocol Displays the number of events per day for a specified protocol. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected protocol and time range.
Top Sources Displays the top sources of total traffic volume over the given time frame with a sparkline representing peak event matches. The drilldown opens the Traffic Search dashboard and searches on the selected source IP and time range.
Scanning Activity (Many Systems) Displays network activity from port scanners or vulnerability scanners and helps identify unauthorized instances of these scanners. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected source IP and time range.

Traffic Search dashboard

The Traffic Search dashboard assists in searching network protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of network data, but is also the primary destination for drilldown searches used in the Traffic Center dashboard panels.

The Traffic Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a filter, select a time range, and click Submit.

Filter by Description Action
Action Filter based on firewall rule actions. Drop-down: select to filter by
Source Filter based on source IP or name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Destination Filter based on destination IP or name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Transport Protocol Filter based on transport protocol. Drop-down: select to filter by
Destination port Filter based on destination host port. Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range Select the time range to view. Drop-down: select to filter by

Intrusion Center dashboard

The Intrusion Center provides an overview of all network intrusion events from Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) device data. This dashboard assists in reporting on IDS activity to display trends in severity and in volume of IDS events.

Filter by Description Action
IDS Type Filter based on events matching a specified type of IDS. Drop-down: select to filter by
IDS Category Filter based on events matching vendor-defined categories. Drop-down: select to filter by
Severity Filter based on event severity. Drop-down: select to filter by
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the host belongs. Drop-down: select to filter by
Time Range Select the time range to view. Drop-down: select to filter by

Dashboard Panels

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Attacks Over Time By Severity Displays the top attacks over time by severity. The drilldown opens the Intrusion Search dashboard and searches on the selected severity and time range.
Top Attacks Displays the top attacks by count and signature. The drilldown opens the Intrusion Search dashboard and searches on the selected signature.
Scanning Activity (Many Attacks) Displays source IP's showing a pattern of attacks. The drilldown opens the Intrusion Search dashboard and searches on the selected source IP and time range.
New Attacks - Last 30 Days Displays attacks that have been identified for the first time. New attack vectors indicate that a change has occurred on the network, potentially due to the presence of a new threat, such as a new malware infection. The drilldown opens the Intrusion Search dashboard and searches on the selected signature and time range.

Intrusion Search dashboard

The Intrusion Search dashboard assists in searching IDS-related events such as attacks or reconnaissance-related activity, based on the criteria defined by the search filters. The dashboard is used in ad-hoc searching of network data, but is also the primary destination for drilldown searches used in the Intrusion Center dashboard panels.

The Intrusion Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a filter, select a time range, and click Submit.

Filter by Description Action
IDS Category Filter based on events matching vendor-defined categories. Drop-down: select to filter by
Severity Filter based on event severity. Drop-down: select to filter by
Signature Filter based on IDS signature name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Source Filter based on source IP or name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Destination Filter based on destination IP or name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range Select the time range to view. Drop-down: select to filter by

Vulnerability Center dashboard

The Vulnerability Center provides an overview of vulnerability events from device data.

Filter by Description Action
Severity Filter based on event severity. Drop-down: select to filter by
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the host belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

Dashboard Panels

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 60 days. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Top Vulnerabilities Displays the most common issues reported by the vulnerability scanners. The reported issues are aggregated by host so that the chart represents the number of unique occurrences of the issue as opposed to the number of times the issue was detected (since scanning a single host multiple times will likely reveal the same vulnerabilities each time). The drilldown opens the Vulnerability Search dashboard and searches on the selected signature and time range.
Most Vulnerable Hosts Displays the hosts with the highest number of reported issues. The drilldown opens the Vulnerability Search dashboard and searches on the selected severity, host, and time range.
Vulnerabilities by Severity Displays issues by the severity assigned by the vulnerability scanner. Helps identify trends that are not visible when looking at vulnerabilities individually. The drilldown opens the Vulnerability Search dashboard and searches on the selected severity and time range.
New Vulnerabilities Displays the most recent new vulnerabilities detected as well as the date each one was first observed. Helps identify new issues appearing on the network that need to be investigated as potential new attack vectors. The drilldown opens the Vulnerability Search dashboard and searches on the selected signature and time range.

Vulnerability Operations dashboard

The Vulnerability Operations dashboard tracks the status and activity of the vulnerability detection products deployed in your environment. Use this dashboard to see the overall health of your scanning systems, identify long-term issues, and see systems that are no longer being scanned for vulnerabilities.

Filter by Description Action
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the host belongs. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

Dashboard Panels

Panel Description
Scan Activity Over Time Displays vulnerability scan activity by systems over time. Hover over item for details. The drilldown opens the Vulnerability Search dashboard and searches on the selected time range.
Vulnerabilities by Age Displays detected vulnerabilities by age, with signature, destination, and event time. Click an item to view in the Vulnerability Profiler for more detail. The drilldown opens the Vulnerability Search dashboard and searches on the selected signature or destination host, and time range.
Delinquent Scanning Displays vulnerability scans with a severity of "high". Includes signature. The drilldown opens the Vulnerability Search dashboard and searches on the selected destination host and time range.

Vulnerability Search dashboard

The Vulnerability Search dashboard displays a list of all vulnerability-related events based on the criteria defined by the search filters. The dashboard is used in ad-hoc searching of vulnerability data, but is also the primary destination for drilldown searches used in the Vulnerability Center dashboard panels.

The Vulnerability Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a filter, select a time range, and click Submit.

Filter by Description Action
Vuln. category Filter based on events matching vendor-defined categories. Drop-down: select to filter by
Severity Filter based on event severity. Drop-down: select to filter by
Signature Filter based on vendor signature name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Reference (bugtraq, cert, cve, etc.) Filter based on common reference standards. Text field. Empty by default. Wildcard strings with an asterisk (*)
Destination Filter based on destination IP or name. Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range Select the time range to represent. Drop-down: select to filter by

Troubleshooting Network Dashboards

This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Last modified on 19 January, 2022
Risk Analysis   Web Center and Network Changes dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters