The Cyber Kill Chain dashboard
The Cyber Kill Chain dashboard includes a custom visualization that shows what content is tied to different parts of the Cyber Kill Chain. The dashboard takes into account the data and active content in your environment to help you choose new Cyber Kill Chain content. Each number in this dashboard represents a piece of content. Content labelled Active is enabled in your environment, content labelled Available can be enabled with data already in Splunk, and content labelled Needs data is missing the data in Splunk that it requires.
Before you use the Cyber Kill Chain dashboard, configure the Data Inventory dashboard and Content Introspection. For more information, see Configure the products you have in your environment with the Data Inventory dashboard or Track active content in Splunk Security Essentials using Content Introspection.
Available Content
In the Kill Chain View, the Cyber Kill Chain tab shows the coverage in your environment against the Kill Chain steps. You can adjust what numbers are displayed in the Cyber Kill Chain visualization to show Active or Available content.
The Chart View shows at a high level how your environment stacks up against the available content and the Cyber Kill Chain. You can switch between the tabs to change the visualization.
Selected Content
The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
View Content
The View Content panel allows you to go directly to the full details of the selection on the Security Essentials general content page.
This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1, 3.6.0