Monitor your environment continuously using the InfoSec app for Splunk
Use the following dashboards in the InfoSec app for Splunk to monitor your environment continuously for security threats:
- Windows Access and Changes dashboard to view events in Windows
- All Authentications dashboard to view all authentication actions
- Malware dashboard to view antivirus solutions
- Intrusion Detection (IDS/IPS) dashboard to view intrusion detection and prevention systems
- Firewalls dashboard to view firewall events
- Network Traffic dashboard to view firewall data in your network
- VPN Access dashboard to view VPN session data
View events in Windows
Use the Windows Access and Changes dashboard to review events within your Windows environment, including the following information:
- Locked out accounts
- Privilege escalations
- Change metrics
- Authentication metrics
The Windows Access and Changes dashboard and the other dashboards in the InfoSec app display the last 24 hours by default. You can access and modify the search filters associated with these dashboards by selecting Show Filters near the title of each dashboard.
View authentication actions
Use the All Authentications dashboard for a consolidated view of authentication actions across all data sources. You can use this dashboard to identify authentication anomalies within your environment or problem accounts that repeatedly fail to log in.
The All Authentications dashboard also provides an interactive filter that allows you to filter by User, Host, Action, and a frequency criterion. For example, you can use the All Authentications dashboard to find accounts that have authenticated against five or more hosts.
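The frequency filter described above can be reproduced as a search over the CIM Authentication data model that the InfoSec app relies on. This is an added example, not the app's own dashboard search; it assumes the Authentication data model is populated for your sources and uses the dashboard's default 24-hour window, and the threshold of five hosts is the value from the example above.

```spl
| tstats summariesonly=false count AS attempts,
        dc(Authentication.dest) AS host_count,
        values(Authentication.action) AS actions
  FROM datamodel=Authentication
  WHERE earliest=-24h latest=now Authentication.user!="unknown"
  BY Authentication.user
| rename Authentication.user AS user
| where host_count >= 5
| sort - host_count
```

Each result row is one account with the number of distinct destination hosts it authenticated against and the set of actions (success or failure) seen; an account that spreads across many hosts in a day is a candidate for the Host Investigation dashboard rather than a finding by itself.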
View antivirus solutions
Use the Malware dashboard for a consolidated view of your antivirus solutions over the last 24 hours.
The first row of the dashboard displays the count of Unresolved, Deferred and Blocked infections. These metrics are derived from the action field of the Malware data model. Clicking an action constrains the results of the remaining dashboards to the selected action.
Selecting a destination takes you to the Host Investigation dashboard. Selecting anything else within the presented dashboards displays the results of the underlying search.
View intrusion detection and prevention systems
Use the Intrusion Detection (IDS/IPS) dashboard for a consolidated view across all IDS/IPS systems within your environment. This data typically comes from your NG Firewall solutions and dedicated IPS solutions like Snort, Suricata, Darktrace, and so on.
The first row provides a breakdown of the total events by action over the last 24 hours. Clicking an action constrains the results in the other dashboards to the selected action.
The second row provides a breakdown of the total events by severity. Clicking a severity also constrains the results presented in the other dashboards to the selected severity.
Click any of the displayed data to display the results of the underlying search.
View firewall events
Use the Firewalls dashboard for a high-level consolidated view of all firewall events within your organization.
The first row displays whether the event was blocked or allowed as well as the total counts for source and destination IP addresses. You can only select the action values, which constrain the other dashboards to the selected action.
The displayed results are geo-tagged by country.
Click any of the presented results to display the results in the underlying search.
View firewall data
Use the Network Traffic dashboard to display your firewall data in more detail. Clicking any source or destination pivots to the Host Investigation dashboard.
The second part of the dashboard allows you to filter and investigate the detailed firewall results through a series of filters. A communications map displays the relationships within the filtered results.
View VPN session data
Use the VPN Access dashboard to present VPN session data from all monitored data sources. You can view a list of geographically improbable VPN connections on the dashboard.
You can filter the VPN data by user. Select any of the presented results to display the results in a search.
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0