Splunk® InfoSec App

User Guide

Monitor your security posture using the InfoSec app for Splunk

Use the Security Posture dashboard for a high-level view of your security posture.

Security posture indicators that report on events, hosts, and accounts

For an immediate view of the state of your environment compared with the previous 24 hours, use the first two panels of indicators. These show the statistical counts of events and the number of detected hosts, devices, and accounts.

Use the indicators that display the statistical counts of events on the Security Posture dashboard to track the number of events from intrusion detection systems (IDS), antivirus, and anti-malware systems. Each indicator shows the current count, an arrow indicating the direction of change (up, flat, or down), and the value recorded 24 hours earlier for comparison.

Use the indicators that display hosts, devices, and accounts on the Security Posture dashboard to track the number of hosts, devices, and accounts detected in your data. Each indicator also includes the 24-hour trend and the previous result for comparison. Click any of these indicators to open a dashboard with more detailed information.

Security posture dashboards that report on intrusion alerts

Use the following three panels of the Security Posture dashboard to break down the intrusion alert reporting into statistical counts:

  • Intrusion Alerts by Severity classifies the intrusion alerts by severity
  • Intrusion Alerts over Time charts the intrusion alerts over the past 24 hours
  • Top 10 High Severity Intrusion Alerts lists the ten most frequent high-severity intrusion alerts over the same 24-hour window

Click any of these panels to drill down into the detail of your IDS alerts.

Security posture dashboards that report on accounts and assets

Use the punch-card-style panels of the Security Posture dashboard for a swim-lane view of the type and count of events detected against the assets and identities in your organization over the past 24 hours. Use these panels to quickly spot bursts of activity that might warrant investigation.

You must install and enable the punch card visualization on the Splunk platform instance that serves the dashboard (every member, in a search head cluster) for these panels to populate. If you see the message "No matching visualization found for type: punchcard, in app: punchcard_app", the punch card visualization is probably not installed, or is installed but not enabled.
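To confirm whether the visualization is present before troubleshooting further, run the following search from the search bar. This is an added check, not part of the original page or of the InfoSec app; it queries the local apps endpoint of the Splunk REST API and assumes the visualization ships in an app whose id is punchcard_app, as the error message states.

```spl
| rest /services/apps/local splunk_server=local
| search title="punchcard_app"
| table splunk_server title label version disabled
```

An empty result means the app is not installed on that search head. A row with disabled=1 means it is installed but must be enabled under Manage Apps before the panels can render. In a search head cluster, replace splunk_server=local with splunk_server=* to see which members are missing the app.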

To install the Splunk InfoSec app, review Install the InfoSec app for Splunk in the Installation Guide.

Last modified on 29 July, 2021

This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0
