Splunk® InfoSec App

User Guide

Monitor your environment continuously using the InfoSec app for Splunk

Use the following dashboards in the InfoSec app for Splunk to monitor your environment continuously for security threats:

View events in Windows

Use the Windows Access and Changes dashboard to review events within your Windows environment, including the following information:

  • Locked out accounts
  • Privilege escalations
  • Change metrics
  • Authentication metrics

The Windows Access and Changes dashboard, like the other dashboards in the InfoSec app, defaults to a search time range of the last 24 hours. You can view and modify the search filters associated with each dashboard by selecting Show Filters near its title.

View authentication actions

Use the All Authentications dashboard for a consolidated view of authentication actions across all data sources. You can use this dashboard to identify authentication anomalies within your environment or problem accounts that repeatedly fail to log in.

The All Authentications dashboard also provides an interactive filter that allows you to filter by User, Host, Action, and a frequency criterion. For example, you can use the frequency filter to show only users that have authenticated against five or more hosts.
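The following Python script is an added example, not code from the InfoSec app (the dashboards themselves run SPL searches over the CIM Authentication data model). It reproduces the dashboard's logic offline on constructed sample events shaped like that data model (user, src, dest, action): the User/Host/Action filters, the frequency criterion (users authenticating against N or more distinct hosts), and the repeated-failure check. The field names, thresholds and sample data are assumptions for illustration.

```python
"""Reproduce the All Authentications dashboard filters on constructed events.

Added example, not the InfoSec app's own code. Field names mirror the CIM
Authentication data model (user, src, dest, action); the events are
constructed sample data, not real logs.
"""
from collections import defaultdict

# Constructed sample authentication events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "src": "10.0.0.5", "dest": "web01", "action": "success"},
    {"user": "alice", "src": "10.0.0.5", "dest": "web02", "action": "success"},
    {"user": "alice", "src": "10.0.0.5", "dest": "db01", "action": "success"},
    {"user": "alice", "src": "10.0.0.5", "dest": "db02", "action": "success"},
    {"user": "alice", "src": "10.0.0.5", "dest": "jump01", "action": "success"},
    {"user": "alice", "src": "10.0.0.5", "dest": "web01", "action": "success"},  # same host again
    {"user": "bob", "src": "10.0.0.9", "dest": "web01", "action": "success"},
    {"user": "bob", "src": "10.0.0.9", "dest": "web02", "action": "success"},
    {"user": "svc_backup", "src": "10.0.1.4", "dest": "fs01", "action": "failure"},
    {"user": "svc_backup", "src": "10.0.1.4", "dest": "fs01", "action": "failure"},
    {"user": "svc_backup", "src": "10.0.1.4", "dest": "fs01", "action": "failure"},
    {"user": "svc_backup", "src": "10.0.1.4", "dest": "fs02", "action": "failure"},
    {"user": "carol", "src": "10.0.2.7", "dest": "mail01", "action": "failure"},
    {"user": "carol", "src": "10.0.2.7", "dest": "mail01", "action": "success"},
]


def filter_events(events, user=None, host=None, action=None):
    """Apply the dashboard's User / Host / Action filters; None means no filter."""
    return [
        e for e in events
        if (user is None or e["user"] == user)
        and (host is None or e["dest"] == host)
        and (action is None or e["action"] == action)
    ]


def users_with_many_hosts(events, min_hosts=5):
    """Frequency criterion: users that authenticated against at least
    min_hosts distinct destination hosts. Counts distinct hosts, so repeated
    logins to the same host do not inflate the count."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["dest"])
    return {u: len(h) for u, h in hosts.items() if len(h) >= min_hosts}


def repeat_failures(events, min_failures=3):
    """Problem accounts: users with at least min_failures failed logins."""
    fails = defaultdict(int)
    for e in filter_events(events, action="failure"):
        fails[e["user"]] += 1
    return {u: n for u, n in fails.items() if n >= min_failures}


if __name__ == "__main__":
    print("5+ hosts:", users_with_many_hosts(SAMPLE_EVENTS))
    print("repeat failures:", repeat_failures(SAMPLE_EVENTS))
```

In Splunk the distinct-host count is the `dc(dest)` aggregation in a `stats` command grouped by user, followed by a `where` clause on the threshold; the script above does the same with a set per user.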

View antivirus solutions

Use the Malware dashboard for a consolidated view of your antivirus solutions over the last 24 hours.

The first row of the dashboard displays the count of Unresolved, Deferred and Blocked infections. These metrics are derived from the action field of the Malware data model. Clicking an action constrains the results of the remaining dashboards to the selected action.

Selecting a destination takes you to the Host Investigation dashboard. Selecting anything else within the presented dashboards displays the results of the underlying search.

View intrusion detection and prevention systems

Use the Intrusion Detection (IDS/IPS) dashboard for a consolidated view across all IDS/IPS systems within your environment. This data typically comes from next-generation (NG) firewall solutions and dedicated IDS/IPS solutions like Snort, Suricata, Darktrace, and so on.

The first row provides a breakdown of the total events by action over the last 24 hours. Clicking an action constrains the results in the other dashboards to the selected action.

The second row provides a breakdown of the total events by severity. Clicking a severity also constrains the results presented in the other dashboards to the selected severity.

Click any of the displayed data to display the results of the underlying search.

View firewall events

Use the Firewalls dashboard for a high-level consolidated view of all firewall events within your organization.

The first row displays the counts of blocked and allowed events as well as the total counts of source and destination IP addresses. Only the action values are selectable; selecting one constrains the other dashboards to that action.

The displayed results are geo-tagged by country.

Click any of the presented results to display the results in the underlying search.

View firewall data

Use the Network Traffic dashboard to display your firewall data in more detail. Clicking any source or destination pivots to the Host Investigation dashboard.

The second part of the dashboard lets you filter and investigate the detailed firewall results through a series of filters. A communications map displays the relationships among the filtered results.

View VPN session data

Use the VPN dashboard to view VPN session data from all monitored data sources. The dashboard also lists geographically improbable VPN connections: consecutive sessions for the same user whose source locations are too far apart for the time between them.

You can filter the VPN data by user. Select any of the presented results to display the results in a search.
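The following Python script is an added example, not the InfoSec app's own search: it shows the reasoning behind a "geographically improbable connection" list like the one on the VPN dashboard. Each VPN session is reduced to a user, a UTC start time and the latitude/longitude of its source IP; consecutive sessions per user are compared, and a pair is flagged when the implied travel speed exceeds a threshold. The sessions, the geolocations and the 900 km/h threshold are constructed assumptions for illustration.

```python
"""Flag geographically improbable consecutive VPN sessions per user.

Added example, not the InfoSec app's own code. Sessions are constructed
sample data with assumed source-IP geolocations; the speed threshold is an
assumption (roughly the speed of a commercial flight).
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _t(hour, minute=0):
    # Constructed timestamps on a single day, all in UTC.
    return datetime(2021, 2, 25, hour, minute, tzinfo=timezone.utc)


# Constructed VPN sessions (user, start time, geolocation of the source IP).
SAMPLE_SESSIONS = [
    {"user": "alice", "src": "203.0.113.10", "time": _t(8), "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "alice", "src": "198.51.100.7", "time": _t(10), "lat": 40.7128, "lon": -74.0060},  # New York
    {"user": "bob", "src": "192.0.2.44", "time": _t(9), "lat": 52.5200, "lon": 13.4050},        # Berlin
    {"user": "bob", "src": "192.0.2.45", "time": _t(15), "lat": 48.1351, "lon": 11.5820},       # Munich
    {"user": "dave", "src": "203.0.113.99", "time": _t(12), "lat": 35.6762, "lon": 139.6503},  # Tokyo
    {"user": "dave", "src": "203.0.113.99", "time": _t(13), "lat": 35.6762, "lon": 139.6503},  # Tokyo again
]


def improbable_sessions(sessions, max_speed_kmh=900.0):
    """Return one record per consecutive session pair (same user, ordered by
    time) whose implied travel speed exceeds max_speed_kmh. Sessions that
    start at the same instant from different places are flagged as well."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)

    hits = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s["time"])
        for prev, cur in zip(items, items[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            if hours <= 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                hits.append({
                    "user": user,
                    "from_src": prev["src"], "to_src": cur["src"],
                    "distance_km": round(dist, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": speed,
                })
    return hits


if __name__ == "__main__":
    for h in improbable_sessions(SAMPLE_SESSIONS):
        print(h)
```

Filtering by user, as the dashboard allows, is a matter of passing only that user's sessions to `improbable_sessions`. Geolocation of the source IP is approximate, so a threshold well above ordinary travel speeds keeps false positives from neighbouring cities or mobile carriers down.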

Last modified on 25 February, 2021

This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0

