Splunk Enterprise Security Use Splunk Enterprise Security 5.3.1
Table of Contents

Incident Review (p. 2)
  Overview of Incident Review in Splunk Enterprise Security (p. 2)
  Triage notable events on Incident Review in Splunk Enterprise Security (p. 3)
  Investigate a notable on Incident Review in Splunk Enterprise Security (p. 4)
  Take action on a notable event on Incident Review in Splunk Enterprise Security (p. 5)
  Included adaptive response actions with Splunk Enterprise Security (p. 9)
  How urgency is assigned to notable events in Splunk Enterprise Security (p. 11)
Investigations (p. 13)
  Investigations in Splunk Enterprise Security (p. 13)
  Start an investigation in Splunk Enterprise Security (p. 14)
  Investigate a potential security incident on the investigation workbench in Splunk Enterprise Security (p. 15)
  Add details to an investigation in Splunk Enterprise Security (p. 18)
  Make changes to an investigation in Splunk Enterprise Security (p. 20)
  Collaborate on an investigation in Splunk Enterprise Security (p. 22)
  Review an investigation in Splunk Enterprise Security (p. 23)
  Share or print an investigation in Splunk Enterprise Security (p. 24)
  Refer to your action history in Splunk Enterprise Security (p. 24)
  Review the summary of an investigation in Splunk Enterprise Security (p. 25)
Analytic Stories (p. 26)
  Use Analytic Stories for actionable guidance in Splunk Enterprise Security (p. 26)
Risk Analysis (p. 28)
  Analyze risk in Splunk Enterprise Security (p. 28)
  Create an ad hoc risk entry in Splunk Enterprise Security (p. 31)
Glass Tables (p. 33)
  Create a glass table in Splunk Enterprise Security (p. 33)
  Manage glass tables in Splunk Enterprise Security (p. 34)
Dashboard Overview (p. 36)
  Introduction to the dashboards available in Splunk Enterprise Security (p. 36)
  Customize Splunk Enterprise Security dashboards to fit your use case (p. 37)
  Key indicators in Splunk Enterprise Security (p. 38)
Dashboard Reference (p. 41)
  Security Posture dashboard (p. 41)
  Audit dashboards (p. 41)
  Predictive Analytics dashboard (p. 47)
  Access dashboards (p. 48)
  Endpoint dashboards (p. 52)
  Asset and Identity dashboards (p. 58)
  Asset and Identity Investigator dashboards (p. 60)
  User Activity Monitoring (p. 64)
  Risk Analysis (p. 66)
  Network dashboards (p. 67)
  Web Center and Network Changes dashboards (p. 71)
  Port and Protocol Tracker dashboard (p. 73)
  Protocol Intelligence dashboards (p. 74)
  Threat Intelligence dashboards (p. 79)
  Web Intelligence dashboards (p. 81)
Included Add-ons (p. 87)
  Viewing data from Splunk UBA in Enterprise Security (p. 87)
Introduction
Get started
• See Introduction to the dashboards available in Splunk Enterprise Security for an overview of the dashboards
available and how to use them for your use cases.
• See Overview of Incident Review in Splunk Enterprise Security to learn how to work with notable events.
• See Investigations in Splunk Enterprise Security for an introduction to tracking your work in an investigation.
• See Use Analytic Stories for actionable guidance in Splunk Enterprise Security for using the use case library to
help with detecting, analyzing, and addressing security threats.
• See Analyze risk in Splunk Enterprise Security to learn how Splunk Enterprise Security assigns risk to objects.
If you are a Splunk Enterprise Security administrator, see Administer Splunk Enterprise Security to access documentation
specific to your administrator workflows.
Incident Review
A notable event represents one or more anomalous incidents detected by a correlation search across data sources. For
example, a notable event can represent:
• The repeated occurrence of an abnormal spike in network usage over a period of time
• A single occurrence of unauthorized access to a system
• A host communicating with a server on a known threat list
As an analyst, you can use the Incident Review dashboard to gain insight into the severity of events occurring in your
system or network. You can use it to triage new notable events, assign events to analysts for review, and examine
notable event details for investigative leads.
As an administrator, you can manage and customize Incident Review and notable event settings. See Managing Incident
Review in Splunk Enterprise Security for more information about administrator activities.
Splunk Enterprise Security detects patterns in your data and automatically reviews events for security-relevant incidents
using correlation searches. When a correlation search detects a suspicious pattern, the correlation search creates a
new notable event.
The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so you can quickly
triage, assign, and track issues.
You can use this example workflow to triage and work notable events on the Incident Review dashboard.
1. An administrative analyst monitors the Incident Review dashboard, sorting and performing high-level triage on
newly-created notable events.
2. When a notable event warrants investigation, the administrative analyst assigns the event to a reviewing analyst
to start investigating the incident.
3. The reviewing analyst updates the status of the event from New to In Progress, and begins investigating the
cause of the notable event.
4. The reviewing analyst researches and collects information on the event using the fields and field actions in the
notable event. The analyst records the details of their research in the Comments field of the notable event. As
part of the research, the analyst might run adaptive response actions. If the research proves that the notable
event needs more lengthy investigation, the analyst can assign the notable event to an investigation.
5. After the reviewing analyst addresses the cause of the notable event and any remediation tasks have been
escalated or solved, the analyst sets the notable event status to Resolved.
6. The analyst assigns the notable event to a final analyst for verification.
7. The final analyst reviews and validates the changes made to resolve the issue, and sets the status to Closed.
Triage notable events on Incident Review in Splunk Enterprise Security
Use the Incident Review dashboard as part of your incident triage workflow. You can monitor notable events and the
actions that analysts take to resolve the issues that triggered a notable event.
Speed up your notable event triage with search filters, tagging, and sorting. For example, focus on groups of notable
events or an individual notable event with the search filters and time range selector. Notable events contain Urgency,
Status, and Owner fields to help you categorize, track, and assign events.
Simplify searching and add identifiers to notable events using tags. Click Edit Tags in the field actions menu for a notable
event field such as Title, Status, or Owner to add new tags or modify existing ones. After you create a tag, you can use it
to filter the dashboard.
You can filter for notable events created by the same correlation search using the Correlation Search Name filter to type
the name of the correlation search that created a notable event. As you type, the correlation search names appear for you
to select.
Type SPL into the Search filter to search within the notable event details of notable events on Incident Review.
If you added notable events to investigations, or generated short IDs for notable events to share them with other analysts,
you can filter by the Associations filter to quickly view the notable events associated with a specific investigation or the
notable event represented by a short identifier. However, the short ID filter dropdown lists all short IDs, including notable
events that are suppressed. If the notable event is suppressed, you will not be able to see it in Incident Review when
filtering on short ID.
If you want to see a filtered view of Incident Review by default, ask your ES admin to modify the navigation menu in
Enterprise Security to link directly to a filtered view. See Add a link to a filtered view of Incident Review in Administer
Splunk Enterprise Security.
Owners are unassigned by default, and you can assign notable events to any user with an administrator, ess_admin, or
ess_analyst role. For more on user roles, see Configure users and roles in the Installation and Upgrade Manual.
If you use SAML authentication, it can take up to 10 minutes to update the list of users that you can assign notable
events to.
Update the status of a notable event
New notable events have the New status. As analysts triage and move a notable event through the incident review
workflow, the owner can update the status of the notable event to reflect the actions they take to address the event.
1. Select one or more events, then click Edit all selected. To take action on all displayed events, click Edit all ##
matching events.
2. In the Edit Events window, update the fields to reflect your actions.
3. (Optional) Add a Comment to describe the actions you took.
4. Save changes.
If your ES administrator customized the Incident Review dashboard, you might be required to enter comments when
updating a notable event. See Customize Incident Review in Splunk Enterprise Security for more information about how
ES admins can customize the ways that analysts view and interact with notable events.
If your changes are not immediately visible, check the dashboard filters. For example, if the filter is set to "New" after
you changed an event to "In Progress", your updated event will not display.
Status     | Description
Unassigned | Used by Enterprise Security when an error prevents the notable event from having a valid status assignment.
Resolved   | The owner has addressed the cause of the event and is waiting for verification.
Use the urgency level of a notable event to prioritize incident review. Every notable event is assigned an urgency.
Urgency levels can be unknown, informational, low, medium, high, or critical.
Urgency levels are calculated using the severity of the correlation search event and the priority of the asset or identity
involved in the event. See How urgency is assigned to notable events in Splunk Enterprise Security.
By default, security analysts can change the urgency of a notable event. See Customize Incident Review in Splunk
Enterprise Security to learn how to change that default.
Investigate a notable on Incident Review in Splunk Enterprise Security
Open the event details to learn more about a notable event.
• Review the History to see the recent investigation activity on the notable event. Click View all recent activity for
this Notable Event to see analyst comments, status changes, and other activities for the event.
• Determine if the notable event is part of an existing investigation by reviewing the Related Investigations
section. Click the name of the investigation to open it.
• See which correlation search generated the notable event. Click the name of the correlation search to make
changes to or review the correlation search to understand why the notable event was created.
• View the Contributing Events that caused the notable event to be created.
• Review the risk scores listed for assets and identities involved in a notable event. Click a risk score to open the
Risk Analysis dashboard filtered on that asset or identity.
• If one original event created a notable event, you can see the full details of the original event.
• Review the Adaptive Responses to see which adaptive response actions have been performed for this notable
event, whether the actions were successfully performed, and drill down for more details. Click the name of the
response action to see potential results generated by this action's invocation. Click View Adaptive Response
Invocations to see the raw audit events for the response actions associated with this correlation search. It takes
up to five minutes for updates to appear on this table.
• Review the Next Steps to see if any next steps for notable event triage are defined.
• Click Create Short ID to create a short ID to share with other analysts. You can also share a notable event with a
link. See Take action on a notable event on Incident Review in Splunk Enterprise Security.
There are some correlation searches that detect a lack of something. For example, the "Endpoint - Should Timesync Host
Not Syncing - Rule" detects a lack of successful time synchronization events for a particular host. Another example is the
"Audit - Expected Host Not Reporting - Rule" that detects a lack of data from a host.
When a notable event is created for such a host, clicking the view all contributing events link from Incident Review can
return "No results found". Expanding the time range with the time range picker can help you see when the expected
events stopped, but "No results found" can persist, because the condition being detected is precisely that the host never
sent the expected events.
Once you have created a sequence template, and it has reached the end state, the output is listed as a sequenced event
in the Incident Review dashboard. See Find the sequenced events generated by the event sequence template.
Take action on a notable event on Incident Review in Splunk Enterprise Security
Based on the details in a notable event, you might want to run a response action to gather more information, take an
action in another system, send information to another system, modify a risk score, or something else.
Prerequisite
Some custom adaptive response actions use the credential store to connect to a third-party system or app. To run these
actions successfully, you must have the list_storage_passwords capability. That capability lets a role read every secret in
the search head's credential store through the storage/passwords REST endpoint, not only the one the action needs, so
grant it to analyst roles deliberately rather than by default.
Steps
1. From a notable event, select the arrow to expand the Actions column.
2. Click Run Adaptive Response Actions.
3. Click Add New Response Action and select an adaptive response action from the list. You can use the category
filter or search to reduce the number of actions that you can select.
4. Fill out the form fields for the response action. Use the field name to specify a field, rather than the name that
shows on Incident Review.
For example, type "src" instead of "Source" to specify the source field for an action.
5. Click Run.
You can check the status of the response action in the notable event details. View the original field names of fields
displayed on Incident Review on the Incident Review - Event Attributes panel of the Incident Review Settings dashboard.
Adblock extensions in your browser can cause response actions to fail. Add the host name of your Splunk Enterprise
Security host to the site whitelist for the adblock extension.
See Included adaptive response actions with Splunk Enterprise Security for more about the different adaptive response
actions included with Splunk Enterprise Security.
You can share a notable event with another analyst using a short ID or a link.
You can analyze the risk that an asset or identity poses to your environment in the Incident Review dashboard.
Not all assets and identities display a risk score. Risk scores that display for an asset or identity in Incident Review may
not match the risk score on the Risk Analysis dashboard for that risk object. For more information, see How risk scores
display in Incident Review in Administer Splunk Enterprise Security.
Add a notable event to an investigation
Investigate notable events that could be a part of a security incident by adding them to an investigation.
1. Select one or several notable events and click Add Selected to Investigation.
2. Click Create Investigation to start a new investigation.
3. Type a title for the investigation.
4. (Optional) Change the default status.
5. (Optional) Type a description.
6. Click Save to save the investigation and add the notable event or notable events to the investigation. Clicking
Cancel does not add the selected notable events, but the new investigation is still created. You can click Start
Investigation to add the notable events to the investigation and open the investigation.
7. After the event or events are successfully added to the investigation, click Close or click Open <Investigation
name> to open the investigation.
After you add a notable event to an investigation, you can filter by notable events on that investigation on the Incident
Review dashboard using the Associations filter, or view the investigation in the notable event details.
When adding a sequenced event to an investigation, the contributing notable events will be added instead. For more
information about creating sequenced events, see Create sequence templates in Splunk Enterprise Security.
While you are investigating an event, you can get notified about incoming notable events that are related to the
investigation via the investigation toolbar. The investigation toolbar is available on all ES dashboards. Settings enabled for
an investigation in one dashboard are carried over to that investigation in other dashboards automatically.
1. Click the bell icon on the investigation toolbar at the bottom-right side of the Incident Review page, the
Investigation Workbench, or any ES dashboard.
2. Toggle the switch to enable notification for the livefeed.
3. Click Close.
While you are investigating, you will get a visual notification if any related notable events occur. The bell icon color will
change to orange within five minutes of the occurrence.
Acknowledge the livefeed notification or add notable events to the investigation.
1. Hover over the orange bell icon on the investigation bar at the bottom-right side of the Incident Review page or
the Investigation Workbench. This tells you how many notable events are available.
2. Click the orange bell icon.
3. The related notable event livefeed window appears, containing events from the last 48 hours.
4. (Optional) Click + to add a notable event to the investigation.
5. Click Mark All as Seen to clear the livefeed when you no longer want to see the related events. This will also
reset the notification, so that these no longer count against the notification number mentioned in step 1.
6. Click Close.
Take action on a specific field, such as host, src, src_ip, dest, or dest_ip. Different actions are available to take
depending on the field you select.
Hide notable events from the Incident Review dashboard by suppressing them. Creating a notable event suppression
does not change the counts of notable events on the posture or auditing dashboards. See Create and manage notable
event suppressions for more details.
4. (Optional) Provide a reason for the suppression using the Description field.
5. (Optional) Set a date range. After the time limit ends, the suppression filter expires and stops hiding events.
6. Review the Selected Fields to validate the fields that you want to suppress notable events from. For example,
the src field
7. (Optional) Click change to modify the notable event fields used for the suppression.
8. Save changes.
This example notable event suppression hides all notable events created after June 10, 2016 that contain a src=_jdbc_
field from Incident Review.
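The following Python models the suppression behaviour described above: a suppression hides matching notable events from Incident Review, an optional date range makes it expire, posture and audit counts are not affected, and a suppressed event's short ID still exists but does not surface the event. This is an added example and not code from Splunk or from Enterprise Security; the sample notables, short IDs, the suppression name and its description are constructed, and the field/time-range model is this example's own simplification.

```python
"""Notable event suppression semantics (added example, not Enterprise Security's code).

A suppression is modelled as field/value matches on the notable event plus an
optional date range checked against the event's creation time. Events, short
IDs and the suppression below are constructed for this example."""
from datetime import datetime, timezone


def utc(iso):
    """Parse an ISO 8601 timestamp without offset as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


class Suppression:
    def __init__(self, name, match, start=None, end=None, description=""):
        self.name = name
        self.match = match          # every field here must equal the event's value
        self.start = start          # hide events created at or after this time
        self.end = end              # expiry: events created after this time show again
        self.description = description

    def hides(self, event):
        when = event["_time"]
        if self.start is not None and when < self.start:
            return False
        if self.end is not None and when > self.end:
            return False
        return all(event.get(field) == value for field, value in self.match.items())


def incident_review(events, suppressions):
    """What Incident Review shows: every notable not hidden by some suppression."""
    return [e for e in events if not any(s.hides(e) for s in suppressions)]


def urgency_counts(events):
    """Posture and audit dashboards count all notables, so suppressions do not change them."""
    counts = {}
    for e in events:
        counts[e["urgency"]] = counts.get(e["urgency"], 0) + 1
    return counts


def find_by_short_id(events, suppressions, short_id):
    """Filtering Incident Review on a short ID: the ID is listed for a suppressed
    notable too, but the event itself is not shown, so this returns None for it."""
    for e in incident_review(events, suppressions):
        if e.get("short_id") == short_id:
            return e
    return None


def notable(short_id, created, src, urgency):
    """Build a minimal constructed notable event."""
    return {"short_id": short_id, "_time": utc(created), "src": src, "urgency": urgency}


# Constructed sample notables.
NOTABLES = [
    notable("A1B2C3", "2016-06-12T08:00:00", "_jdbc_", "low"),
    notable("D4E5F6", "2016-06-01T08:00:00", "_jdbc_", "low"),
    notable("G7H8I9", "2016-06-12T09:00:00", "10.0.0.5", "high"),
    notable("J0K1L2", "2016-09-01T09:00:00", "_jdbc_", "low"),
]

# The suppression described above: src=_jdbc_ notables created after June 10, 2016.
JDBC_SUPPRESSION = Suppression(
    "jdbc_src", {"src": "_jdbc_"}, start=utc("2016-06-10T00:00:00"),
    description="Scheduled JDBC collector, reviewed and accepted (constructed reason)")
```

Running `incident_review(NOTABLES, [JDBC_SUPPRESSION])` hides A1B2C3 and J0K1L2 but leaves the June 1 event visible, and `urgency_counts(NOTABLES)` still reports all four. Giving the suppression an end date, as the date range step allows, makes the September event visible again.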
Note: ES admins can configure these and additional adaptive response actions to be triggered by correlation searches.
See Configure adaptive response actions for a correlation search in Splunk Enterprise Security in Administer Splunk
Enterprise Security.
Modify a risk score as a result of a correlation search or in response to notable event details with the Risk Analysis
adaptive response action. The risk adaptive response action creates a risk modifier event. You can view the risk modifier
events on the Risk Analysis dashboard in Enterprise Security.
1. Click Add New Response Action and select Risk Analysis.
2. Type the score to assign to the risk object.
3. Select a field from the notable event to apply the risk score to for the Risk Object Field.
4. Select the Risk Object Type to apply the risk score to.
Run a script
More information about scripted alerts can be found in the Splunk platform documentation.
• For Splunk Enterprise, see Configure scripted alerts in the Splunk Enterprise Alerting Manual.
• For Splunk Cloud Platform, see Configure scripted alerts in the Splunk Cloud Platform Alerting Manual.
Start a Stream capture to capture packets on the IP addresses of the selected protocols over the time period that you
select. You can view the results of the capture session on the Protocol Intelligence dashboards.
A stream capture will not work unless you integrate Splunk Stream with Splunk Enterprise Security. See Splunk Stream
integration.
1. Click Add New Response Action and select Stream Capture to start a packet capture in response to a
correlation search match.
2. Type a Description to describe the stream created in response to the correlation search match.
3. Type a Category to define the type of stream capture. You can view streams by category in Splunk Stream.
4. Type the comma-separated event fields to search for IP addresses for the Stream capture. The first non-null field
is used for the capture.
5. Type the comma-separated list of protocols to capture.
6. Select a Capture duration to define the length of the packet capture.
7. Type a Stream capture limit to limit the number of stream captures started by the correlation search.
Ping a host
Determine whether a host is still active on the network by pinging the host.
Run nbtstat
Learn more about a host and the services that the host runs by running nbtstat. You must have nbtstat installed on the
search head for this to run successfully.
Run nslookup
Look up the domain name of an IP address, or the IP address of a domain name, by running nslookup. You must have
nslookup installed on the search head for this to run.
Add threat intelligence
1. Click Add New Response Action and select Add Threat Intelligence.
2. Select the Threat Group to attribute this artifact to.
3. Select the Threat Collection to add the threat artifact to.
4. Select the Field from event that contains the value to add as a threat artifact to the threat intelligence collection.
5. Type a Description for the threat artifact.
6. Type a Weight associated with the threat list. Defaults to 1.
7. Type a number of Max Results to specify the number of results to process as threat artifacts. Each unique search
field value counts as a result. Defaults to 100.
How urgency is assigned to notable events in Splunk Enterprise Security
Urgency is read from a lookup of the asset or identity priority against the severity of the correlation search event. The
following table lists the default assignments. Rows are the priority of the asset or identity involved in the event; columns
are the event severity.

Priority \ Severity | unknown or low | medium   | high     | critical
unknown or low      | low            | low      | medium   | high
medium              | low            | medium   | high     | critical
high                | medium         | medium   | high     | critical
critical            | medium         | high     | critical | critical

If event severity is informational, the event urgency is informational, regardless of asset priority.
An asset or identity with a priority of "unknown" is scored the same as one with "low" priority. The "unknown"
classification typically means the object has no match in the asset and identity lookups, so an event involving an
unclassified host or user is never rated higher than its severity alone allows.
A notable event can be assigned an "unknown" urgency level if the priority value from the asset and identity lookups or
the severity value assigned by the correlation search or in a triggering event is not recognized by Enterprise Security.
Verify that the correlation search severity is unknown, informational, low, medium, high, or critical. Verify that the asset or
identity priority is unknown, low, medium, high, or critical.
You can modify the urgency assigned to notable events in several ways.
Set the severity in the correlation search syntax. Because urgency is derived from severity, changing the severity of the
search results changes the urgency of the resulting notable event. You must have access to edit correlation searches to
make these changes.
For example, to set the severity according to the number of failures in the search results, with a "critical" severity when
there are more than 100 failures, a "high" severity when there are more than 50 failures, and a "medium" severity for the
rest of the results, add search syntax to the end of the correlation search that sets a severity field from the failure count.
Severity defined in the search syntax takes precedence over the severity defined in the notable event adaptive response
action.
You can change which severity and priority values result in which calculated urgency values for notable events in Splunk
Enterprise Security.
Only specific values are valid for severity or priority values. Use only those values when modifying the lookup. Do not
modify the names of the notable event urgency values.
1. On the Enterprise Security menu bar, select Configure > Content > Content Management.
2. Choose the Urgency Levels lookup. An editable, color coded table representing the urgency lookup file displays.
3. In any row where the priority or severity is listed as unknown, review the assigned urgency.
4. (Optional) Edit the table and change the urgency to another one of the accepted values. All urgency values must
be lower case.
5. Click Save.
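The following Python models the urgency calculation described in this section: the priority/severity lookup, the "unknown" fallbacks, an admin edit of the lookup, and a severity set from a failure count in the way the example above describes. It is an added example and not code from Splunk or from Enterprise Security; the CSV text is constructed from the table on this page (the layout of the real Urgency Levels lookup may differ), and all function names are this example's own.

```python
"""Urgency assignment for notable events (added example, not Splunk's own code).

Mirrors the priority/severity lookup described above, the admin edit of that
lookup, and the severity override set in search syntax. The CSV text is
constructed from the rules on this page; the real lookup may differ in layout."""
import csv
import io

VALID_PRIORITIES = ("unknown", "low", "medium", "high", "critical")
VALID_SEVERITIES = ("unknown", "informational", "low", "medium", "high", "critical")
URGENCY_RANK = {name: rank for rank, name in enumerate(VALID_SEVERITIES)}

# One row per priority/severity pair; "unknown" priority shares the "low" rows.
URGENCY_LOOKUP_CSV = """\
priority,severity,urgency
unknown,unknown,low
unknown,informational,informational
unknown,low,low
unknown,medium,low
unknown,high,medium
unknown,critical,high
low,unknown,low
low,informational,informational
low,low,low
low,medium,low
low,high,medium
low,critical,high
medium,unknown,low
medium,informational,informational
medium,low,low
medium,medium,medium
medium,high,high
medium,critical,critical
high,unknown,medium
high,informational,informational
high,low,medium
high,medium,medium
high,high,high
high,critical,critical
critical,unknown,medium
critical,informational,informational
critical,low,medium
critical,medium,high
critical,high,critical
critical,critical,critical
"""


def load_urgency_lookup(csv_text):
    """Build {(priority, severity): urgency}; rows using a value outside the
    accepted sets (including upper-case spellings) are rejected."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        p, s, u = row["priority"], row["severity"], row["urgency"]
        if p not in VALID_PRIORITIES or s not in VALID_SEVERITIES or u not in VALID_SEVERITIES:
            raise ValueError("invalid urgency lookup row: %r" % (row,))
        table[(p, s)] = u
    return table


DEFAULT_LOOKUP = load_urgency_lookup(URGENCY_LOOKUP_CSV)


def set_urgency(table, priority, severity, urgency):
    """Change one row, as an admin does under Content Management > Urgency Levels."""
    if priority not in VALID_PRIORITIES or severity not in VALID_SEVERITIES or urgency not in VALID_SEVERITIES:
        raise ValueError("priority, severity and urgency must be accepted lower-case values")
    table[(priority, severity)] = urgency


def compute_urgency(priority, severity, table=None):
    """Urgency of one notable event. An object with no asset or identity match has
    priority "unknown", scored like "low"; a value the lookup does not recognise
    yields "unknown", which is a configuration error rather than a low rating."""
    table = DEFAULT_LOOKUP if table is None else table
    return table.get((priority, severity), "unknown")


def severity_from_failures(failures):
    """Severity set in search syntax from a failure count: critical above 100,
    high above 50, medium otherwise. In a correlation search this is an eval
    over the count field; its result overrides the severity configured on the
    notable event adaptive response action."""
    if failures > 100:
        return "critical"
    if failures > 50:
        return "high"
    return "medium"


def triage_order(notables):
    """Order notables for review, most urgent first; each is a dict with
    "title", "priority" and "severity". Returns (urgency, title) pairs."""
    scored = [(compute_urgency(n["priority"], n["severity"]), n["title"]) for n in notables]
    scored.sort(key=lambda pair: URGENCY_RANK[pair[0]], reverse=True)
    return scored
```

Because `compute_urgency` returns "unknown" for any value outside the accepted sets, a priority such as "Critical" or a severity that a correlation search spells differently surfaces as an "unknown" urgency, which is the symptom described above for unrecognised values.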
Investigations
You can start, manage, and add details to investigations on the Investigations page. View or filter the investigations
assigned to you, or create one. You can view all investigations that you collaborate on using the Investigations page.
Enterprise Security admins can also view and manage all investigations that exist in Splunk Enterprise Security. For
information for admins, see Manage investigations in Splunk Enterprise Security in Administer Splunk Enterprise Security.
As an analyst, you only see investigations assigned to you unless you also have been granted the capability to manage all
investigations.
Manage ongoing investigations from the Investigations page. You can see the titles, descriptions, time created, last
modified time, and collaborators on the investigations assigned to you. If you have the capability to manage all
investigations, you can see all the same details for all investigations, not just the investigations that you collaborate on.
Find an investigation or refine the list of investigations by filtering. Type in the Filter box to search the title and description
fields of investigations.
1. You are notified of a security incident that needs investigation through a notable event, an alert action, an
email, a help desk ticket, or a phone call.
2. Create an investigation in Splunk Enterprise Security.
3. Add colleagues to the investigation as collaborators.
4. Open the investigation and start investigating on the workbench.
5. Add artifacts to the investigation scope, in addition to those added automatically from notable events.
6. Review the tabs and panels for information relevant to your investigation, such as additional affected assets or
details about the affected assets that can accelerate your investigation.
7. As you investigate, add helpful or insightful events, actions, and artifacts to the investigation to record the steps
you took in your investigation.
1. Run searches, adding useful searches to the investigation from your action history with the investigation
bar or relevant events using event actions. This makes it easy to replicate your work for future, similar
investigations, and to make a comprehensive record of your investigation process.
2. Filter dashboards to focus on specific elements, like narrowing down a swim lane search to focus on a
specific asset or identity on the asset or identity investigator dashboards. Add insightful filtering actions
from your action history to the investigation using the investigation bar.
3. Triage and investigate potentially-related notable events. Add relevant notable events to the investigation.
4. Add notes to record other investigation steps, such as notes from a phone call, email or chat
conversations, links to press coverage or social media posts. Upload files like screenshots or forensic
investigation files.
8. Complete and close the investigation and, optionally, close the associated notable events.
9. Review the investigation summary and share it with others as needed.
• Start an investigation from Incident Review while triaging notable events. See Add a notable event to an
investigation.
• Start an investigation with an event workflow action. See Add a Splunk event to an investigation.
• Start an investigation from the Investigations page.
• Start an investigation when viewing a dashboard using the investigation bar.
After you start an investigation, you can investigate assets and identities using the investigation workbench, and start
adding details to the investigation.
By default, users with the ess_admin and ess_analyst roles can start an investigation.
When viewing dashboards in Splunk Enterprise Security, you can see an investigation bar at the bottom of the page. You
can use the investigation bar to track your investigation progress from any page in Splunk Enterprise Security.
Investigate a potential security incident on the investigation workbench in
Splunk Enterprise Security
Investigate assets and identities, or artifacts, involved in a potential security incident on the investigation workbench. After
you create an investigation in Splunk Enterprise Security, you can start using the workbench for that investigation. Each
investigation has a separate workbench.
When you investigate artifacts on an investigation workbench, by default you see Context, Endpoint Data, and Network
Data tabs. Those tabs contain panels that help you gain context into the assets and identities you investigate,
endpoint-related data such as file system activity, and network data such as network traffic.
As part of your investigation on the workbench, you can add assets, identities, files, and URLs as artifacts to the scope of
your investigation so that you can verify whether or not they are affected by, or participants in, the overall security
incident.
• Add artifacts automatically from a notable event. See Set up artifact extraction for notable events in Administer
Splunk Enterprise Security.
• Add artifacts manually. See Manually add artifacts to the scope of your investigation in this topic.
• Add artifacts from a workbench panel. See Add artifacts from a workbench panel in this topic.
• Add artifacts from an event on the investigation. See Add artifacts from a raw event on the investigation in this
topic.
For example, if you're investigating a malware outbreak at your organization, you can add hosts to the scope that you
suspect are infected with malware without adding the associated events to the timeline and recording them as verifiably
compromised. Add them to the scope first and review the relevant panels for additional context. If you discover that an
artifact is part of the security incident you are investigating, you can add the event or detail that revealed that insight to the
investigation to record that information for later.
You can add any value as an artifact on the workbench. Assets and identities added as artifacts to the scope are not
limited to the assets and identities in the asset and identity framework in Splunk Enterprise Security.
When artifacts are extracted, duplicates are not created if they already exist in the investigation. You will see a notification
that "the following artifacts already exist and have not been added." The existing artifact is not linked against the new
notable event that would have caused the duplicate artifact to be created. This does not prevent you from manually
adding a duplicate artifact.
You can manually add artifacts such as assets, identities, files, or URLs to the scope of your investigation on the
workbench.
3. (Optional) Type a description.
For example, Personal computer infected by ransomware.
4. (Optional) Type one or more labels to contextualize the entity. Press enter to add a label, or use
a comma-separated entry for multiple labels.
For example, ransomware, laptop, mac.
5. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups
and add the correlated artifacts to the investigation scope.
Only assets and identities can be expanded.
♦ To add multiple artifacts:
1. Select the Add multiple artifacts tab.
2. Select the Type: Identity, Asset, File or URL. All artifacts that you add must be the same type.
The file artifact is a filename, file hash, or file path.
3. You can use a comma or a line break as a delimiter. Select a Separator that delimits the list of
assets or identities.
4. Type or paste the values for the assets or identities, using the separator specified in the previous
step.
5. (Optional) Type a description to apply to all artifacts that you are adding.
For example, Potentially-infected computers in the HR department.
6. (Optional) Type one or more labels to apply to all artifacts that you are adding. Press enter to add
a label, or use a comma-separated entry for multiple labels.
For example, ransomware, laptop, mac.
4. Click Add to Scope to add the artifacts to your investigation scope.
The artifacts that you add to your investigation scope manually are automatically selected so that you can click Explore
and continue your investigation with the new artifacts.
The labels can be seen under the workbench tab if you hover over the artifact and select the information icon (i). Labels
can also be seen under the summary tab.
If a workbench panel has drilldown enabled, you can add field values as artifacts from the panel.
The ability to add artifacts replaces any other drilldown that might exist on the panel. See Administer and customize the
investigation workbench in Administer Splunk Enterprise Security.
After you add an event to the investigation, you can add field values from the event as artifacts to your investigation
scope.
1. Open the investigation and view the Timeline of the investigation.
2. Locate the event in the Slide View.
3. Click Details to view a table of fields and values in the event.
4. Click the value that you want to add to the investigation scope.
The Add Artifact dialog box appears with the value already added.
5. Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
6. (Optional) Add a description for the artifact.
7. (Optional) Add labels for the artifact.
8. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the
correlated artifacts to the investigation scope.
9. Click Add to Scope.
If there are notable events on the investigation, the workbench searches over a suggested time range based on the times
of the notable events on the investigation. Time analysis suggests a time range based on the _time value of the earliest
and latest notable events on the investigation.
If there are no notable events on an investigation, the workbench uses your default time range settings. See Change the
default time range in the Search Manual.
If a time range is defined in the XML or in the search of a prebuilt panel, that time range takes precedence over the
time range that you choose on the workbench.
Your administrator can develop additional panels, tabs, and profiles, which you can then add to the workbench to further
simplify your investigation process. See Administer and customize the investigation workbench.
Tabs and profiles that you add to the investigation workbench disappear when you refresh the workbench. Only the
default tabs display.
Add details to an investigation in Splunk Enterprise Security
As an analyst working on an investigation, add details and evidence to your investigation by adding events, actions, and
notes. While you conduct your investigation using Splunk Enterprise Security, you can add notable events or Splunk
events that add insight to the investigation. Add searches, suppression filters, and dashboard views to the investigation
from your action history. Record important investigation steps that you take, such as phone, email, or chat conversations
as notes on the investigation. You can use notes to add relevant information like links to online press coverage, tweets, or
upload screenshots and files.
Run a search without opening the search dashboard by clicking Quick Search on the investigation bar. The
investigation bar is found at the bottom-right side of the Incident Review page or the Investigation Workbench.
• Add the search to the investigation in the investigation bar by clicking Add to Investigation.
• Use the Event Actions to add specific events in the search results to an investigation.
• To save the search results at investigation time, click Export to export the search results as a CSV file. Add the
search results as an attachment to a note on the investigation.
• Click Open in Search to view the search results on the Search dashboard.
• Enlarge or shrink your view of the search results by clicking and dragging the corner of the window. Double click
to expand the search view to cover most of your screen, or double click again to shrink it.
You can add a notable event to an investigation from the Incident Review dashboard. See Add a notable event to an
investigation.
If the status of a notable event changes, or if an adaptive response action is run from the notable event, the investigation
is updated with that information.
Add an event from the Splunk search page to an investigation. You can only add an event to an investigation from the
search page in the Splunk Enterprise Security context.
You can only add an event from the search page to an investigation if you are in Splunk
1. Expand the event details to see the Event Actions menu and other information.
2. Click Event Actions and select Add to Investigation.
3. A tab opens. Select from existing investigations, or create one.
4. Click Save.
The action history stores a history of the actions that you have performed in Splunk Enterprise Security, such as searches
that you have run, dashboards you have viewed, and per-panel filtering actions that you have performed.
Add an entry to an investigation from your action history with the investigation bar. Search for specific types of action
history items over time to find the action history items that you want to add to your investigation.
1. From the investigation bar, click the icon.
2. Select an action history type and optionally change the time range.
3. Click Search to retrieve a list of action history items.
4. Find the actions that you want to add to the investigation. For example, view the dashboards that you viewed to
add them to your investigation.
5. The actions that you've taken display in the action history dialog box. You can only add actions from your own
action history.
6. Locate the action you want to add and select the check box next to the action or actions that you want to add to
the investigation timeline.
7. Click Add to Investigation.
The actions are added to the investigation that you are viewing or that is selected in the investigation bar.
Add a note to an investigation to record investigation details or add attachments. You can add a note from dashboards in
Splunk Enterprise Security.
Timeline notes show up in the timeline slide view, while standard notes do not.
3. Type a title for the note.
For example, "Phone conversation with police."
4. Select a date and time. The default is the current date and time.
For example, select the time of the phone call.
5. (Optional) Click the check box to show or hide the note on the timeline.
6. (Optional) Type a description.
For example, a note to record a phone conversation might include the description: Called the police. Spoke with
Detective Reggie Martin. Discussed an employee stealing identities from other employees.
7. (Optional) Attach a file to the note.
1. In the attachments section, drag the file onto the note or click browse to find the file.
2. Select a file to add from your computer.
The maximum file size is 4 MB. You can add multiple files to a note. The first file you add to the note
previews on the investigation timeline.
3. If the filename contains unsupported characters, click the Replace not supported characters with '-'
and then click Change.
Alternately, you can remove and replace the unsupported characters manually.
8. Click Add to Investigation to add the note to the open investigation.
Change the title and description of an investigation from the investigation bar. For example, change the name of the
investigation as your investigation progresses to more accurately describe the security incident you are investigating.
1. From the investigation bar, click the icon. From the investigation view, click Edit.
2. Change the title or description.
3. Click Save.
Update the status of an investigation
Update the status of an investigation from the workbench, summary, or timeline view.
1. While viewing the investigation, click Edit > Edit title, description, and status.
2. Select a new status.
3. Click Save.
You can also update the status of an investigation from the investigation bar.
Similar to notable events, administrators can customize the statuses available to select, and restrict the status workflow.
Because of this, you might not be able to transition from some statuses to other statuses. See Manage and customize
investigation statuses in Administer Splunk Enterprise Security.
You can delete investigation entries when viewing the investigation timeline list or slide views.
Alternately, go to the timeline list view to edit or delete the note entry.
1. Locate the notable event, Splunk event, action history item, or other entry on the investigation.
2. From the Actions menu, click Edit.
3. Change the title.
You can add any Splunk user in your deployment as a collaborator. By default, a collaborator has write permissions on
the investigation. The option to add more collaborators to an investigation disappears if all available users have been
added to the investigation.
You can view the collaborators assigned to an investigation from an individual investigation or from the Investigations
dashboard.
• Hover over the collaborator icons to see the names of the collaborators on your investigation.
• If a collaborator does not have write permissions for an investigation, the icon is gray and (read-only) is
appended to their name.
• Click the icon of a collaborator to see information about them. See their name and the permissions that the user
has for the investigation.
Make changes to the collaborators on an investigation
If you are a collaborator on an investigation with write permissions, you can change the permissions of other collaborators
on the investigation.
You can remove a collaborator if they are not the only collaborator on the investigation with write permissions.
You can also review the summary of an investigation. See Review the summary of an investigation in Splunk Enterprise
Security.
Review an entry's investigation for training or research purposes. Click an entry on an investigation to see all details
associated with it.
• For notes with file attachments, click the file name to download the file attachment.
• For notable events, click View on Incident Review to open the Incident Review dashboard filtered on that
specific notable event.
• For action history entries, you can repeat the previously-performed action. For a search action history entry, click
the search string to open it in search. For a dashboard action history entry, click the dashboard name to view the
dashboard.
Gain insight into an attack or investigation by viewing the entire investigation timeline or view only part of it by expanding
or contracting the timeline.
Click the timeline to move it and scan the entries. View a chronological list of all timeline entries by clicking the list icon, or
refine your view of the timeline using filters. You can filter by type or use the Filter box to filter by title.
You can review the status history of an investigation visually on the investigation timeline. The timeline changes color to
reflect changes in status assignments. The color does not relate directly to the status of the investigation, and is
automatically assigned. The colors cannot be changed, customized, or removed.
1. From the investigation, click the icon. Splunk Enterprise Security generates a formatted version of the
investigation timeline with entries in chronological order. The order of the entries in the printout remains in the
original order, even if you manually edit the times so that they show up differently in the user interface.
2. Print the investigation or save it as a PDF using the print dialog box options.
Your action history tracks the following types of actions using searches:
• Dashboards you visit
• Searches you run
• Per-panel filtering actions you take
• Changes you make to a notable event
• Changes you make to the suppression filters of a notable event
When you select a type of action history to add to an investigation, the corresponding search runs to retrieve results. Splunk
Enterprise Security tracks these actions to help you add context to an investigation, audit an investigation, and give a
complete history of actions taken during an investigation that resulted in relevant findings.
For example, if you run a search that gives helpful information for an investigation, you can add that search to the
investigation. You can then find that search string in the investigation, run the search again, or revisit a search to save it
as a report when the investigation is over. See Add an entry from your action history to an investigation for more about
using your action history when investigating in Splunk Enterprise Security.
You can use the summary to provide an overview of an investigation to a SOC manager or to get an overview of the
current state of an investigation before you continue working on it.
The summary reflects a point in time of the investigation, rather than the overall progress of an investigation. Therefore,
the artifacts listed on the summary page reflect the artifacts present at the end of the investigation, rather than all artifacts
that you investigated on the workbench.
Analytic Stories
By default, the ess_admin and ess_analyst roles can configure the use case library with relevant Analytic Stories. See
Manage Analytic Stories through the use case library in Splunk Enterprise Security in the Administer Splunk Enterprise
Security manual.
You can use common industry use cases to determine which Analytic Stories and searches are useful to you. There are a
variety of ways to determine if an Analytic Story contains the searches you need:
In the following scenario, you know that you're interested in common AWS-related security issues, so you start by filtering
on known use cases for cloud security.
1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
2. From the use cases filters on the left, click Cloud Security.
3. From an Analytic Story, such as Suspicious AWS EC2 Activities, click the greater than (>) symbol to expand the
display.
4. You see the detection searches that are related to this use case.
5. You also see your data sources, data models, and lookups that these searches use.
Data Sources: Description
Recommended Data Sources: The type of data sources that are likely to provide valuable data.
Sourcetypes: Your sourcetypes that are in use by the detection searches for this Analytic Story. If the status icon
shows a red exclamation mark, hover over the icon to see the reason.
Data Models: Your data that is in use by the detection searches for this Analytic Story as mapped to the Splunk data
models via the CIM add-on. If the status icon shows a red exclamation mark, hover over the icon to see the reason.
Lookups: Your lookups that are in use by the detection searches for this Analytic Story. If the status icon shows a
red exclamation mark, hover over the icon to see the reason.
You can use an Analytic Story if the recommended data sources, sourcetypes, data models, and lookups do not have red
exclamation marks. However, even though green checkmarks indicate that sources are available, they don't always mean
that the searches return results based on the ingested data.
Use Analytic Stories to search for results and get guidance
In the following scenario, you know that you're interested in EC2 instances that originate from unusual locations or those
launched by previously unseen users, so you start by filtering on known use cases for cloud security.
1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
2. From the use cases filters on the left, click Cloud Security.
3. Click the name of the Analytic Story. In this case, click Suspicious AWS EC2 Activities.
The Analytic Story Details page opens for the story.
1. From the References section, see any links, white papers, or PDFs provided.
2. From the Detection section, select a search, such as ESCU - EC2 Instance Started In Previously
Unseen Region.
3. From the Search section, click the greater than (>) symbol to expand the display.
4. Revise the time picker and click Search to manually run the search and see the results.
5. From the Known False Positives section, click the greater than (>) symbol to expand the display for tips
on when the results might not indicate a problem.
By default, the ess_admin and ess_analyst roles can enable this search and schedule it to run automatically on a regular
basis. See Enable and schedule the Analytic Story in the Administer Splunk Enterprise Security manual.
Bookmarks persist per user, so you can bookmark the Analytic Stories that are specific to your duties.
1. From the Splunk ES menu bar, select Configure > Content > Use Case Library.
2. Find the name of the Analytic Story.
3. Toggle the Bookmark switch to enable it.
4. From the drop-down filters, select Bookmarked > True to find your bookmarked stories.
Risk Analysis
Enterprise Security uses risk analysis to record and calculate the risk that small events and suspicious behavior pose to
your environment over time. The Risk Analysis dashboard displays these risk scores and other risk-related information.
Enterprise Security indexes all risk as events in the risk index.
A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time.
An object represents a system, a user, or an unspecified other.
Enterprise Security uses correlation searches to correlate machine data with asset and identity data, which comprises the
devices and user objects in a network environment. Correlation searches search for a conditional match to a question.
When a match is found, an alert is generated as a notable event, a risk modifier, or both.
• A notable event becomes a task. It is an event that must be assigned, reviewed, and closed.
• A risk modifier becomes a number. It is an event that will add to the risk score of a device or user object.
The host RLOG-10 is a jump server that is generating several notable events. The correlation searches Excessive Failed
Logins and Default Account Activity Detected are creating one notable event a day for that system. As RLOG-10 is a
jump server, several network credentials are being used against this host, and software or other utilities may have been
installed. As a jump server, this behavior is less interesting than if the same behavior is observed on the production DNS
server. Rather than ignoring or suppressing notable events generated by jump servers, you can create
jump-server-specific rules to monitor those servers differently.
You can do this by creating a correlation search that assigns a risk modifier instead of creating a notable event, when the
correlation matches hosts that serve as jump servers.
1. Isolate jump servers from the existing correlation searches using a whitelist. See Whitelist events in Administer
Splunk Enterprise Security for more information.
2. Create and schedule a new correlation search based on Excessive Failed Logins, but isolate the search to the
jump server hosts and assign a risk modifier alert type only.
3. Verify the risk modifiers are applied to the jump server hosts by raising their risk score incrementally. With the
new correlation search, no notable events will be created for those hosts based on failed logins.
As the relative risk score goes up, RLOG-10 can be compared to all network servers and to other jump servers. If the
relative risk score for RLOG-10 exceeds its peers, that host would be investigated by an analyst. If the risk scores of all
jump servers are higher relative to other network hosts, an internal security policy may need to be reviewed or
implemented differently. See the Risk Analysis With Enterprise Security 3.1 blog post for additional examples.
It is also worth noting that risk modifiers cannot be suppressed in the same manner as notable events. Instead, the
following options are available:
Correlation Search Aggregation
You can aggregate multiple firings of a correlation search based on fields and duration via savedsearches.conf in
the alert.suppress settings. See savedsearches.conf.
Correlation Search Modification
To prevent further false positives, you can edit the correlation search syntax to filter events or results.
Create a risk analysis response action, or risk modifier, to assign risk to an object. You can assign risk to objects in
several ways.
• Assign risk automatically as part of a correlation search. See Modify a risk score with a risk modifier in Administer
Splunk Enterprise Security.
• Assign risk as an ad hoc adaptive response action from Incident Review. See Modify a risk score with a risk
modifier in this manual.
• Create an ad hoc risk entry from the Risk Analysis dashboard. See Create an ad hoc risk entry in Splunk
Enterprise Security in this manual.
• Assign risk through a search. See the example below.
You can assign risk using search rather than an alert. You can do this to modify risk on multiple risk objects, or to alter the
risk score of an object based on the results of a search.
Use these search examples to assign risk to a user, system, or other risk object in a custom correlation search. To assign
risk to just one field, or on an ad hoc basis, use the risk adaptive response action instead.
Each example uses ... to indicate a search that includes the field to which you want to assign risk in the results.
Use appendpipe to add risk to multiple objects. Replace <your_risk_score_integer> with the risk score that you want to
apply to the fields.
For example, run this search to assign a risk score of 15 to mysystem and myuser.
You can use sendalert without appendpipe to assign risk directly to field values, without performing conditional
evaluations of the field values.
... | sendalert risk param._risk_object_type="system" param._risk_score=<your_risk_score_integer> | eval risk_object=user | sendalert risk param._risk_object_type="user" param._risk_score=<your_risk_score_integer>
For example:
You can also set a risk score based on a calculation performed in the search, rather than setting it to a static integer.
For example, if you want to set a higher risk score for users that log into multiple infected assets, write a search that
collects the users that logged in to infected assets, then does a count of the users in the results, split by user so that you
see how many login attempts there are by each user.
For example, the Threat Activity Detected correlation search uses search-assigned risk in addition to an alert-type risk
modifier. When the search finds an asset or identity communicating with a host that matches a configured threat list, the
search modifies the risk score accordingly. In this case, the risk modifier reflects the number of times the system or user
communicated with the threat list, multiplied by the weight of the threat list. As a formula: additional risk = threat list
weight x event count, which is added to the existing risk score of the system or user.
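The following Python is an added example, not Splunk's own code, that models the two risk-scoring ideas above: the RLOG-10 jump server scenario (risk modifiers summed per object and compared against peers with the same role) and the Threat Activity Detected formula (threat list weight x event count). The risk events, host names, correlation search names and weights are constructed sample data; only the field names follow the page.

```python
"""Aggregate risk modifiers into per-object scores and compare a jump server
against its peers. Added example; the events below are constructed to look like
entries in the ES risk index and are not real data."""
from collections import defaultdict
from statistics import mean


def threat_activity_risk(threat_list_weight, event_count):
    """Additional risk for an object that communicated with a threat-listed
    host: threat list weight x event count (the Threat Activity Detected
    formula described on this page)."""
    return threat_list_weight * event_count


# Constructed risk index events. "source" names the correlation search (or ad
# hoc action) that produced the modifier; every value here is invented.
RISK_EVENTS = [
    # RLOG-10: one failed-login modifier per day from a jump-server-specific
    # rule (hypothetical name), plus one from Default Account Activity Detected.
    {"risk_object": "RLOG-10", "risk_object_type": "system", "risk_score": 20,
     "source": "Jump Server - Excessive Failed Logins - Rule"},
    {"risk_object": "RLOG-10", "risk_object_type": "system", "risk_score": 20,
     "source": "Jump Server - Excessive Failed Logins - Rule"},
    {"risk_object": "RLOG-10", "risk_object_type": "system", "risk_score": 20,
     "source": "Jump Server - Excessive Failed Logins - Rule"},
    {"risk_object": "RLOG-10", "risk_object_type": "system", "risk_score": 40,
     "source": "Default Account Activity Detected - Rule"},
    # The other jump servers in the same role.
    {"risk_object": "RLOG-11", "risk_object_type": "system", "risk_score": 20,
     "source": "Jump Server - Excessive Failed Logins - Rule"},
    {"risk_object": "RLOG-11", "risk_object_type": "system", "risk_score": 20,
     "source": "Jump Server - Excessive Failed Logins - Rule"},
    {"risk_object": "RLOG-12", "risk_object_type": "system", "risk_score": 20,
     "source": "Jump Server - Excessive Failed Logins - Rule"},
    # Modifiers can be negative: an analyst lowered RLOG-12 after review.
    {"risk_object": "RLOG-12", "risk_object_type": "system", "risk_score": -20,
     "source": "Ad hoc risk entry"},
    # Production DNS server: 4 events against a threat list with weight 5.
    {"risk_object": "DNS-01", "risk_object_type": "system",
     "risk_score": threat_activity_risk(5, 4),
     "source": "Threat Activity Detected - Rule"},
    # A user object is scored separately from any system of the same name.
    {"risk_object": "jdoe", "risk_object_type": "user", "risk_score": 40,
     "source": "Default Account Activity Detected - Rule"},
]

JUMP_SERVERS = ["RLOG-10", "RLOG-11", "RLOG-12"]
OTHER_HOSTS = ["DNS-01", "WEB-01"]  # WEB-01 has received no modifier at all


def aggregate_risk(events):
    """Sum risk_score per (type, object), the per-object total the Risk
    Analysis dashboard shows. Negative modifiers reduce the total."""
    totals = defaultdict(int)
    for event in events:
        key = (event["risk_object_type"], event["risk_object"])
        totals[key] += event["risk_score"]
    return dict(totals)


def compare_to_peers(totals, host, peers, object_type="system"):
    """Relative view the page recommends: does this host's total exceed the
    mean of its peer group (hosts with a similar role)? An object that never
    received a modifier counts as 0."""
    host_score = totals.get((object_type, host), 0)
    peer_scores = [totals.get((object_type, p), 0) for p in peers if p != host]
    peer_mean = mean(peer_scores) if peer_scores else 0
    return {"host": host, "score": host_score, "peer_mean": peer_mean,
            "exceeds_peers": host_score > peer_mean}


def peer_group_elevated(totals, group, others, object_type="system"):
    """True when every host in the group scores above every host outside it,
    the situation the page says may call for a policy review."""
    group_min = min(totals.get((object_type, h), 0) for h in group)
    others_max = max(totals.get((object_type, h), 0) for h in others)
    return group_min > others_max


if __name__ == "__main__":
    totals = aggregate_risk(RISK_EVENTS)
    for key, score in sorted(totals.items()):
        print(key, score)
    print(compare_to_peers(totals, "RLOG-10", JUMP_SERVERS))
    print("jump servers elevated as a group:",
          peer_group_elevated(totals, JUMP_SERVERS, OTHER_HOSTS))
```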
See the changes that you made by searching the data model or the risk correlation lookups:
or
Risk scoring offers a way to capture and aggregate the activities of an asset or identity into a single metric using risk
modifiers.
The correlation searches included in Enterprise Security assign a risk score between 20 and 100 depending on the
relative severity of the activity found in the correlation search. The searches scope the default scores to a practical range.
This range does not represent an industry standard. Enterprise Security does not define an upper limit for the total risk
score of an identity or asset, but operating systems can impose a limit. For example, 32-bit operating systems limit a risk
score to two million.
Risk score levels use the same naming convention as event severity. You can assess relative risk scores by comparing
hosts with similar roles and asset priority.
• 20 - Info
• 40 - Low
• 60 - Medium
• 80 - High
• 100 - Critical
ES Admins can edit correlation searches to modify the risk score that the risk analysis response action assigns to an
object. See Included adaptive response actions with Splunk Enterprise Security in Administer Splunk Enterprise Security.
The risk object field is a reference to a search field returned by a correlation search. Correlation searches use fields such
as src and dest to report on matching results. The risk object field represents a system, host, device, user, role,
credential, or any object that the correlation search is designed to report on. Review any correlation search that assigns a
risk score for examples of fields that receive a risk score.
User: Network user, credential, or role. Can represent an identity in the identity lookup.
Score: The number added to a Risk object. Can be a positive or negative integer.
Description: A reason or note for manually adjusting an object's risk score. The Description field is mandatory for an ad hoc
risk score.
Glass Tables
See Monitor threat activity in your environment with a glass table for a walkthrough of how to set up a glass table in the
context of a security use case.
Create a glass table using the flexible canvas and editing tools on the glass table editor.
1. From the list of glass tables, click the name of the glass table.
2. Use the editing tools to upload images, draw shapes, add icons, add text, and make connections to reflect the
relationship between the metrics.
3. In the panel of security metrics, click any metric to view the key indicator search widgets available to add. If you
do not see the one you need, an ES admin can create a new key indicator search. See Create and manage key
indicator searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
4. Click and drag one or more of the key indicator search widgets onto the drawing canvas.
A widget appears on the canvas, displaying the associated search values, which continuously update in real time.
See Configure widgets for details.
5. Add additional widgets to build out the dynamic elements of your visualization.
6. Click and drag Ad hoc Search onto the drawing canvas to add a custom widget that displays the results of a
search. See Create and configure search widgets for details.
7. Click Save.
Configure widgets
After you add a widget to your glass table, configure it to optimize performance, add a custom drilldown, and customize
the widget appearance for a particular glass table design. Key indicator searches populate the widgets included in the
glass table. Make changes to the key indicator searches on the Content Management dashboard.
Key indicator search values update at regular intervals according to the search schedule that you define when you create
the key indicator search.
Create and configure search widgets
You can also create a custom widget to display search results. Add a new search to any glass table, define a custom
search string, and customize the appearance of the search widget using a variety of visualization types.
Write your custom search outside of the glass table first to confirm that it produces the expected results. To use
thresholding, your custom search must include the timechart command or stats by _time.
1. In the glass table editor, click and drag Ad hoc Search onto the canvas.
2. In the Configurations panel, for Search Type, type your custom search string.
3. Use the time picker to select the end time for your search. Defaults to Now.
4. In the Earliest Time menu, select the earliest time for the search. This determines the start time for your search,
relative to the End Date and Time that you set in the time picker, and determines the time range over which your
search applies. Security metrics by default display results from the previous 48 hours.
For example, if the time range picker is set to Now, the security metric searches the previous 48 hours and
displays results. If you change the time range picker to 6 hours ago, the security metric displays results from -54
hours to -6 hours.
5. For Threshold Field, type the field that you want to use as the threshold for your search.
For example, count.
6. For Thresholds, click On to enable the thresholds for the search widget.
7. Click Edit to edit the threshold.
8. In the threshold window, add thresholds for the search widget. This determines the color of the widget, which
indicates the current status of the metric.
9. Select a Viz Type for your search widget.
10. Click Update to update the widget to the new visualization and display your search results over the specified time
range.
11. Click Save.
To access the glass tables lister page, click Glass Tables on the Splunk Enterprise Security menu bar.
After you create a glass table, you can continue to make changes to it.
1. From the list of glass tables, click Edit next to the glass table that you want to modify.
2. Choose whether you want to edit the glass table itself, edit the title or description, or edit permissions.
Restore a glass table that you deleted after importing it as part of an app
If you imported a glass table as part of an app and later deleted the glass table, you cannot import the glass table again to
restore it. Instead, do the following:
1. Disable the app that the glass table was imported in.
2. Wait a few minutes for the app importer to run.
3. Enable the app.
The glass table reappears.
You can clone a glass table to make a template, or to preserve a glass table included with Splunk Enterprise Security as
an original and make experimental changes on another version.
1. From the list of glass tables, click Edit next to the glass table that you want to modify.
2. Click Clone.
3. Type a new title.
4. (Optional) Type a new description.
5. (Optional) Change the permissions of the cloned glass table.
6. Click Clone Page.
All users can view glass tables, but you must have the ess_analyst, ess_admin, or admin role or have the "Edit glass
tables" capability to create and modify glass tables. If you do not have the necessary permissions, talk to your Splunk
Enterprise Security administrator.
Ad hoc search widgets that you create on individual glass tables cannot be shared automatically with other glass tables.
Key indicator searches populate the list of security metrics available to add as predefined widgets. ES admins can create
and edit key indicator searches on the Content Management page. See Create and manage key indicator searches in
Splunk Enterprise Security.
Glass table content is stored in the KV store. The glass table definitions are stored in the
SplunkEnterpriseSecuritySuite_glasstables collection. Files added to glass tables, such as images, are stored in the
SplunkEnterpriseSecuritySuite_files collection. Custom widgets, images, and other items that you add to a glass table
are all stored in this collection.
The performance of individual glass tables depends on the number of search widgets on a glass table. When you open a
glass table for viewing, each search runs at the same time. Searches on glass tables with 200 or more search widgets
could take 10-15 seconds to show data on the glass table.
You can export a glass table to share it with others or to back it up. See Export content from Splunk Enterprise Security as
an app in Administer Splunk Enterprise Security.
Dashboard Overview
The specific dashboards that will be most useful to you depend on how you plan to use Splunk Enterprise Security.
You can identify and investigate security incidents with a suite of dashboards and workflows. Splunk Enterprise Security
uses correlation searches to identify notable events in your environment that represent security incidents.
• Security Posture provides a high-level overview of the notable events in your environment over the last 24 hours.
Identify the security domains with the most incidents, and the most recent activity. See Security Posture
dashboard.
• Incident Review shows the details of all notable events identified in your environment. Triage, assign, and review
the details of notable events from this dashboard. See Incident Review.
• My Investigations shows all investigations in your environment. Open and work investigations to track your
progress and activity while investigating multiple related security incidents. See My Investigations.
A set of security intelligence dashboards allow you to investigate incidents with specific types of intelligence.
• Risk analysis allows you to assess the risk scores of systems and users across your network and identify
particularly risky devices and users posing a threat to your environment. See Risk Analysis.
• Protocol intelligence dashboards use packet capture data from stream capture apps to provide network insights
that are relevant to your security investigations. Identify suspicious traffic, DNS activity, email activity, and review
the connections and protocols in use in your network traffic. See Protocol Intelligence dashboards.
• Threat intelligence dashboards use the threat intelligence sources included in Splunk Enterprise Security and
custom sources that you configure to provide context to your security incidents and identify known malicious
actors in your environment. See Threat Intelligence dashboards.
• User intelligence dashboards allow you to investigate and monitor the activity of users and assets in your
environment. See Asset and Identity Investigator dashboards and User Activity Monitoring.
• Web intelligence dashboards help you analyze web traffic in your network and identify notable HTTP categories,
user agents, new domains, and long URLs. See Web Intelligence dashboards.
Domain dashboards provided with Splunk Enterprise Security allow you to monitor the events and status of important
security domains. You can review the data summarized on the main dashboards, and use the search dashboards for
specific domains to investigate the raw events.
• Access domain dashboards display authentication and access-related data, such as login attempts, access
control events, and default account activity. See Access dashboards.
• Endpoint domain dashboards display endpoint data relating to malware infections, patch history, system
configurations, and time synchronization information. See Endpoint dashboards.
• Network domain dashboards display network traffic data provided by devices such as firewalls, routers, network
intrusion detection systems, network vulnerability scanners, proxy servers, and hosts. See Network dashboards
and Web Center and Network Changes dashboards and Port & Protocol Tracker dashboard.
• Identity domain dashboards display data from your asset and identity lists, as well as the types of sessions in use.
See Asset and Identity dashboards.
Create a glass table to visualize security metrics in your environment. Monitor threat activity in your environment, assess
the state of your Splunk Enterprise Security deployment, or map out the pathway that an attacker took through your
network so that you can monitor for future intrusion attempts. See Create a glass table.
The audit dashboards provide insight into background processes and tasks performed by Splunk Enterprise Security.
Some audit dashboards allow you to review actions taken by users in Splunk Enterprise Security, while others provide
insight into your deployment and the status of your data models and content use. See Audit dashboards.
• For Splunk Enterprise, see Edit dashboards with the Dashboard Editor in Splunk Enterprise Dashboards and
Visualizations.
• For Splunk Cloud Platform, see Edit dashboards with the Dashboard Editor in Splunk Cloud Platform Dashboards
and Visualizations.
Dig deeper into data on dashboards by drilling down to raw events, and use workflow actions to move from raw events to
investigating specific fields on dashboards, or performing other actions outside of the Splunk platform.
You can drill down to raw events from charts and tables in dashboards. You can find information about the drilldown
behavior in the Splunk platform documentation.
• For Splunk Enterprise, see Use drilldown for dashboard interactivity in Splunk Enterprise Dashboards and
Visualizations.
• For Splunk Cloud Platform, see Use drilldown for dashboard interactivity in Splunk Cloud Platform Dashboards
and Visualizations.
You can take action on raw events with workflow actions. You can also create custom workflow actions. You can find
information about workflow actions in the Splunk platform documentation.
• For Splunk Enterprise, see Control workflow action appearance in field and event menus in the Splunk Enterprise
Knowledge Manager Manual.
• For Splunk Cloud Platform, see Control workflow action appearance in field and event menus in the Splunk Cloud
Platform Knowledge Manager Manual.
Key indicators provide a visual reference for several security metrics. Key indicator searches populate the security metrics
of key indicators. The key indicator searches run against the data models defined in Enterprise Security, or the data
models defined in the Common Information Model app. Some key indicator searches run against the count of notable
events.
On dashboards, each key indicator includes a value indicator, a trend amount, a trend indicator, and a threshold value
used to indicate the importance or priority of the indicator. The key indicator searches default to running over a relative
time span of 48 hours.
Field Description
Description Brief description of the security-related metric.
Value indicator Current count of events. If a threshold is set, the numbers will change color as they cross thresholds. Click the value indicator to drill down into the key indicator search and view the raw events. If the value indicator is wrong, such as a percentage value greater than 100%, there could be missing or wrong data in the data model dataset used by the key indicator search to calculate a value.
Trend amount Displays the change in event count over the time period defined in the key indicator search.
Trend indicator Displays a directional arrow to indicate the direction of the trend. The arrow changes color and direction over time.
Enterprise Security includes preconfigured key indicators. Each dashboard key indicator row includes an editor that allows
simple, visual changes to be made directly to the key indicators without leaving the dashboard. You can make changes to
the search generating the key indicator on the Content Management dashboard. See Edit a key indicator search in
Administer Splunk Enterprise Security.
1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
2. Drag and drop the indicators to rearrange them. There can be 5 indicators per row, and multiple indicator rows.
3. Click the checkmark icon to save.
1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
Removing the indicator from a dashboard does not remove the key indicator from Enterprise Security.
1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
You can set a threshold for a key indicator on a dashboard to change the color of the key indicator. A threshold defines an
acceptable value for the event count of an indicator. An event count above the threshold causes the key indicator to
display as red, while an event count below the threshold causes the key indicator to display as green. If the threshold is
undefined, the event count remains black.
1. Click the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
2. Type a Threshold for the key indicator.
3. Click the checkmark icon to save.
Dashboard Reference
Dashboard panels
Panel Description
Key Indicators Displays the count of notable events by security domain over the past 24 hours. For more information, see Key indicators in Splunk Enterprise Security.
Top Notable Events Displays the top notable events by rule name, including a total count and a sparkline to represent activity spikes over time. The drilldown opens the Incident Review dashboard scoped to the selected notable event rule.
Top Notable Event Sources Displays the top 10 notable events by src, including a total count, a count per correlation and domain, and a sparkline to represent activity spikes over time. The drilldown opens the Incident Review dashboard scoped to the selected notable event source.
Audit dashboards
Use the audit dashboards to validate the security and integrity of the data in Enterprise Security. Ensure that forwarders
are functioning, that data has not been tampered with and is secured in transmission, and that analysts are reviewing the
notable events detected by correlation searches.
The Incident Review Audit dashboard provides an overview of incident review activity. The panels display how many
incidents are being reviewed and by which user, along with a list of the most recently reviewed events. The metrics on this
dashboard allow security managers to review the activities of analysts.
Panel Description
Review Activity by Reviewer Displays the numbers of events reviewed by each user. This panel is useful for determining which user is performing the incident reviews and if the total number of incidents reviewed is changing over time. The drilldown opens a search with all activity by the selected reviewer.
Top Reviewers Displays the top users that have performed incident reviews. The panel includes details for each user, including the date they first performed an incident review, the date they last performed a review, and the total number of incidents reviewed. The drilldown opens a search with all activity by the selected reviewer.
Notable Events By Status - Last 48 Hours Displays the status, count, and urgency for all notable events in the last 48 hours. This panel is useful for determining if the incident review users are keeping up with incidents, or whether a backlog of unreviewed incidents is forming. The drilldown opens the Incident Review dashboard and searches on the selected urgency and status over the last 48 hours.
Notable Events By Owner - Last 48 Hours Displays the owner, count, and urgency for all notable events in the last 48 hours. This panel is useful for determining how many events are assigned to a user and the urgency of the events. The drilldown opens the Incident Review dashboard and searches on the selected urgency over the last 48 hours.
Mean Time to Triage - Last 14 days Displays the average time it took for a notable event to be triaged after it was created over the last 14 days, split by the name of the notable event. This panel is useful for determining how quickly analysts are triaging notable events, or whether certain types of events take longer to triage than others. The drilldown opens the Incident Review dashboard and searches on the matching notable event names over the last 14 days.
Mean Time to Closure - Last 60 days Displays the average time it took for a notable event to be closed after it was created over the last 60 days, split by the name of the notable event. This panel is useful for determining how long it takes to close certain types of notable event investigations. The drilldown opens the Incident Review dashboard and searches on the matching notable event names that have a status of closed from the last 60 days.
Recent Review Activity Displays the 10 most recent changes on the incident review dashboard, such as triage actions. The drilldown opens a search with the selected rule ID.
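The three time-based metrics from the panel table above, computed from constructed notable event records as an added example (not Splunk's own code or the dashboard's searches): mean time to triage per rule over 14 days, mean time to closure per rule over 60 days, and the count by status over 48 hours that reveals a backlog. "Triaged" is taken here to mean the first status change after creation, which is an assumption rather than the page's definition; rule names and timestamps are constructed.

```python
# Added example, not Splunk's own code: computes Incident Review Audit style
# metrics from constructed notable event records. "Triaged" is assumed to be the
# first status change after creation. Rule names and timestamps are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Dict, List

# Fixed reference time so the example is reproducible offline (constructed).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def in_window(record: dict, window: timedelta) -> bool:
    """A notable belongs to a panel's window when it was created inside it."""
    return record["created"] >= NOW - window


def mean_time_to_triage(records: List[dict], window: timedelta = timedelta(days=14)) -> Dict[str, float]:
    """Mean hours from creation to first triage, per rule name, over the window.
    Notables that nobody has touched yet contribute nothing (they show up in the backlog)."""
    samples = defaultdict(list)
    for r in records:
        if in_window(r, window) and r["triaged"] is not None:
            samples[r["rule"]].append(hours_between(r["created"], r["triaged"]))
    return {rule: round(mean(v), 2) for rule, v in samples.items()}


def mean_time_to_closure(records: List[dict], window: timedelta = timedelta(days=60)) -> Dict[str, float]:
    """Mean hours from creation to closure, per rule name, for closed notables in the window."""
    samples = defaultdict(list)
    for r in records:
        if in_window(r, window) and r["status"] == "closed" and r["closed"] is not None:
            samples[r["rule"]].append(hours_between(r["created"], r["closed"]))
    return {rule: round(mean(v), 2) for rule, v in samples.items()}


def notables_by_status(records: List[dict], window: timedelta = timedelta(hours=48)) -> Dict[str, int]:
    """Count notables per status over the window; a growing 'new' count is a backlog."""
    counts = defaultdict(int)
    for r in records:
        if in_window(r, window):
            counts[r["status"]] += 1
    return dict(counts)


def _notable(rule, created_ago, triaged_ago=None, closed_ago=None, status="new"):
    """Build one constructed record from offsets (timedelta) before NOW."""
    return {
        "rule": rule,
        "created": NOW - created_ago,
        "triaged": NOW - triaged_ago if triaged_ago is not None else None,
        "closed": NOW - closed_ago if closed_ago is not None else None,
        "status": status,
    }


# Constructed sample input covering each window: one untriaged notable, one in
# progress, two closed recently and one closed long enough ago to be excluded.
SAMPLE_NOTABLES = [
    _notable("Rule A", timedelta(hours=30), timedelta(hours=28), timedelta(hours=20), "closed"),
    _notable("Rule A", timedelta(hours=10), timedelta(hours=6), status="in progress"),
    _notable("Rule B", timedelta(hours=40)),
    _notable("Rule B", timedelta(days=20), timedelta(days=19, hours=23), timedelta(days=18), "closed"),
    _notable("Rule A", timedelta(days=70), timedelta(days=69), timedelta(days=65), "closed"),
]

if __name__ == "__main__":
    print("Mean time to triage (h, 14 days):", mean_time_to_triage(SAMPLE_NOTABLES))
    print("Mean time to closure (h, 60 days):", mean_time_to_closure(SAMPLE_NOTABLES))
    print("Notables by status (48 hours):", notables_by_status(SAMPLE_NOTABLES))
```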
To audit data from Incident Review from Enterprise Security prior to version 3.2, you must perform an ad hoc search like
this example.
Data sources
The reports in the Incident Review Audit dashboard reference fields in the notable index and the incident review objects
in a KVStore collection. See Notable index on the Splunk dev portal for more on the notable index.
Suppression Audit
The Suppression Audit dashboard provides an overview of notable event suppression activity. This dashboard shows
how many events are being suppressed, and by whom, so that notable event suppression can be audited and reported
on.
The metrics on this dashboard allow security managers to review the activities of analysts, which is useful for tuning
correlation searches. You can identify correlation search rules that are generating more events than your analysts are
capable of looking at, and tune them accordingly.
Panel Description
Suppressed Events Over Time - Last 24 Hours Displays notable events suppressed in the last 24 hours.
Suppression History Over Time - Last 30 Days Displays the history of suppressed notable events.
Suppression Management Activity Displays suppression management activity for the time period.
Data sources
The reports in the Suppression Audit dashboard reference events in the Notable index.
The Per-Panel Filter Audit dashboard provides information about the filters currently in use in your deployment.
Panel Description
Per-Panel By Reviewer Displays the count of updates to per-panel filters by user.
Top Users Shows users, sparkline for trends, number of views, and first and last time viewed.
The Adaptive Response Action Center dashboard provides an overview of the response actions initiated by adaptive
response actions, including notable event creation and risk scoring.
Panel Description
Action Invocations Over Time By Name Displays a time chart of the adaptive response actions triggered by name.
Top Actions By Name Displays the top adaptive response actions by name.
Top Actions By Search Displays the top adaptive response actions by search.
Recent Response Actions Displays the most recent adaptive response actions.
Data sources
The reports in the Adaptive Response Action Center dashboard reference fields in the Audit data model. For a list of data
model objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on manual.
The Threat Intelligence Audit dashboard tracks and displays the current status of all threat and generic intelligence
sources. As an analyst, you can review this dashboard to determine if threat and generic intelligence sources are current,
and troubleshoot issues connecting to threat and generic intelligence sources.
Panel Description
Intelligence Downloads Displays the status of all intelligence sources defined on the Intelligence Downloads configuration page. Use the filters to sort by status or download location.
Intelligence Audit Events Displays log events related to intelligence downloads configured on the Intelligence Downloads configuration page and modular inputs configured on the Threat Intelligence Manager configuration page. Use the filters to sort and filter the events displayed.
If an intelligence download fails, a search automatically creates a system message. See Troubleshoot intelligence
downloads in Splunk Enterprise Security.
Data sources
The reports in the Threat Intelligence Audit dashboard reference events in the _internal index and state information
from the /services/data/inputs/threatlist REST endpoint.
ES Configuration Health
Use the ES Configuration Health dashboard to compare the latest installed version of Enterprise Security to prior releases
and identify configuration anomalies. The dashboard does not report changes to add-ons (TA). Select the previous
version of Enterprise Security installed in your environment using the Previous ES Version filter.
Mode Description
Unshipped The Unshipped setting compares the latest installed version of Enterprise Security with the content in the ES installation package. Any item that was not provided as part of the Enterprise Security installation, such as files or scripts used for customization, is labeled as an Unshipped item. Review Unshipped items to evaluate their use, determine if they are still needed, and reconcile if necessary. The Unshipped setting ignores the Previous ES Version filter.
Removed Stanzas The Removed Stanzas setting compares the latest installed version of Enterprise Security with the version that you select in the filter. Removed Stanzas are configuration stanzas that changed between versions, such as a deprecated threat list or input. Review Removed Stanzas to evaluate their use, determine if they are still needed, and reconcile if necessary.
Local Overrides The Local Overrides setting compares the installed version of Enterprise Security with the version that you select in the filter. A setting that conflicts with or overrides the installed version of Enterprise Security is labeled as a Local Override. Review any Local Override settings to evaluate their use, determine if they are still needed, and reconcile if necessary.
The Data Model Audit dashboard displays information about the state of data model accelerations in your environment.
Panel Description
Top Accelerations By Run Duration Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks.
Accelerations Details Displays a table of the accelerated data models with additional information.
Data model acceleration can be in progress and 100% complete at the same time. The process running and the status
completing are not directly tied together.
Data sources
The reports in the Data Model Audit dashboard reference fields in the Splunk Audit data model. For a list of data model
objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on Manual.
Forwarder Audit
The Forwarder Audit dashboard reports on hosts forwarding data to Splunk Enterprise.
Use the search filters and time range selector to focus on groups of forwarders or an individual forwarder.
Filter by Description Action
Category Filter by the category field in the Asset table. Drop-down, select to filter by
Panel Description
Event Count Over Time By Host Displays the number of events reported over the time period selected in the filter. The events are split by host.
Hosts By Last Report Time Displays a list of hosts, ordered by the last time they reported an event.
Splunkd Process Utilization Displays the resource utilization of the forwarder's Splunk daemon splunkd.
Splunk Service Start Mode Displays the host names that are forwarding events, but are not configured to have splunkd start on boot.
Data sources
Relevant data sources for the Forwarder Audit dashboard include data from all forwarders in your Splunk environment
and the Application_State data model. See the Common Information Model Add-on Manual for more information. The
Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be
mapped directly.
Indexing Audit
The Indexing Audit dashboard is designed to help administrators estimate the volume of event data being indexed by
Splunk Enterprise. The dashboard uses EPD (Events Per Day) as a metric to track the event volume per index,
and the rate of change in the total event counts per index over time. The EPD applies only to event counts, and is
unrelated to the Volume Per Day metric used for licensing.
Panel Description
Key Indicators The key indicators on this dashboard are scoped to "All Time," not the "Last 24 hours".
Events Per Day Over Time Displays a column chart representing the event counts per day.
Events Per Day Displays a table representing event counts per day and the average eps.
Events Per Index (Last Day) Displays a table of event counts per index for the last day.
Data sources
The reports in the Indexing Audit dashboard reference data generated by the Audit - Events Per Day - Lookup Gen
saved search and are stored within a KVStore collection.
Search Audit
The Search Audit dashboard provides information about the searches being executed in Splunk Enterprise. This
dashboard is useful for identifying long running searches, and tracking search activity by user.
Panel Description
Searches Over Time by Type Shows the number of searches executed over time by type, such as ad-hoc, scheduled, or real-time. Helps determine whether Splunk's performance is being affected by excessive numbers of searches.
Searches Over Time by User Shows the number of searches executed by each user. Helps determine when a particular user is executing an excessive number of searches. The splunk-system-user is the name of the account used to execute scheduled searches in Splunk Enterprise.
Top Searches by Run Time Lists the most expensive searches in terms of duration. Helps to identify specific searches that may be adversely affecting Splunk performance.
Data sources
The reports in the Search Audit dashboard reference scheduled search auditing events from the audit index.
View Audit
The View Audit dashboard reports on the most active views in Enterprise Security. View Audit enables tracking of views
that are being accessed on a daily basis and helps to identify any errors triggered when users review dashboard panels.
Panel Description
View Activity Over Time Displays the Enterprise Security views that have the greatest access counts over time. The drilldown opens a search view of all page activity for the time selected.
Expected View Activity Lists the views set up in the Expected View lookup. You want to review these views on a daily basis for your deployment. Select a dashboard to see details in the Expected View Scorecard panel below. See Manage internal lookups in Splunk Enterprise Security.
Web Service Errors Displays errors that occurred while loading the web interface. Helps identify custom views that contain errors or an underlying issue that needs to be escalated to Splunk.
Data sources
The reports in the View Audit dashboard reference fields in the Splunk Audit data model. For a list of data model objects
and constraints, see Splunk Audit Logs in the Common Information Model Add-on Manual.
The Managed Lookups Audit dashboard reports on managed lookups and collections such as services, data,
transforms, KV Store lookups, and CSV lookups in Enterprise Security. Managed Lookups Audit shows the growth of
lookups over time and the markers for anomalous growth. You can use this to help determine if any managed lookups are
growing too large for your particular environment's performance and need to be pruned.
Field Description
Name Displays the name of the Enterprise Security lookup. The drill-down takes you to all the contributing events for this particular lookup name from the audit_summary index.
Growth Lists the lookup size over time as measured via a saved search that writes to the audit_summary index, running every 24 hours, displayed as a sparkline.
Size Displays the size of the file in megabytes, sorted by the largest first.
Data Protection
The Data Protection dashboard reports on the status of the data integrity controls.
Panel Description
Data Integrity Control By Index Displays a view of all indexes with data protection enabled, sorted by search peer. For more information on configuring and validating data integrity, see Manage data integrity in Securing Splunk Enterprise. If you use Splunk Cloud, file a support case to request enablement of data integrity control.
Sensitive Data Detected Displays the count of events with sensitive data. This panel requires enabling the Personally Identifiable Information Detected correlation search.
With Common Information Model Add-on 4.15.0 and later, the Predictive Analytics dashboard is removed. Machine
Learning Toolkit functionality can be leveraged instead. MLTK is more robust for finding different varieties of anomalous
events in your data than the | predict command used by the Predictive Analytics dashboard. See Machine Learning
Toolkit Overview in Splunk Enterprise Security and see Release Notes in the Common Information Model Add-on
Manual.
Use the Predictive Analytics dashboard to search for different varieties of anomalous events in your data. Predictive
Analytics uses the predictive analysis functionality in Splunk to provide statistical information about the results, and
identify outliers in your data. The predict command can take some time to generate results.
To analyze data with predictive analytics, choose a data model, then an object, a function, an attribute, and a time range,
and click Search.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The Predictive Analytics
dashboard filters are implemented in a series from left to right. For example, the Object filter is populated based on the
Data Model selection.
Filter by Description
Data Model Specifies the data model for the search. Available data models are shown in the drop-down list.
Object Specifies the object within the data model for the search. You must select a Data Model to apply an Object.
Function Specifies the function within the object for the search. Functions specify the type of analysis to perform on the search results. For example, choose "avg" to analyze the average of search results. Choose "dc" to create a distinct count of the results.
Attribute Specifies the constraint attributes within the object for the search. Attributes are constraints on the search results. For example, choose "src" to view results from sources. You must select an Object to apply an Attribute.
Time Range Select the time range to represent.
• For Splunk Enterprise, see predict options in the Splunk Enterprise Search Reference.
• For Splunk Cloud Platform, see predict options in the Splunk Cloud Platform Search Reference.
Dashboard Panels
Panel | Description
Prediction Over Time | Shows a predictive analysis of the results over time, based on the time range you chose. The shaded area shows results that fall within two standard deviations of the mean value of the total search results.
Outliers | Shows those results that fall outside two standard deviations of the mean of the search results.
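The two-standard-deviation band that the panels describe, as an added example in Python (this is not code from Splunk Enterprise Security, which computes it as a | predict search over the selected data model). The hourly counts are constructed, and the second function goes a step beyond the dashboard by scoring each point against a trailing window, so that a spike does not inflate its own baseline the way it does when the whole series is used:

```python
"""Outlier detection in the style of the Predictive Analytics panels.

Added example, not Splunk Enterprise Security code. The dashboard runs
`| predict` over an accelerated data model; here the same idea (flag points
outside two standard deviations of the mean) runs on a constructed series.
"""
from statistics import mean, pstdev

# Constructed sample: hourly distinct count of sources with failed
# authentications over one day (24 buckets). Bucket 16 is the anomaly.
HOURLY_FAILED_AUTH = [
    12, 9, 11, 10, 13, 8, 12, 11, 13, 10, 9, 12,
    11, 13, 10, 12, 95, 11, 10, 12, 9, 13, 11, 10,
]


def band(values, k=2.0):
    """Return (mean, lower, upper) for a +/- k standard deviation band."""
    m = mean(values)
    s = pstdev(values)
    return m, m - k * s, m + k * s


def outliers(values, k=2.0):
    """(index, value) of points outside the k-sigma band of the whole series.

    This is what the Outliers panel shows. Note that the spike itself widens
    the band, so a second, smaller spike in the same window can be hidden.
    """
    _, lo, hi = band(values, k)
    return [(i, v) for i, v in enumerate(values) if v < lo or v > hi]


def trailing_outliers(values, window=8, k=2.0):
    """Score each point against the band of the `window` points before it.

    Closer to how a moving prediction behaves: the expected value follows the
    data, and a point is never compared against a baseline that includes it.
    The first `window` points have no baseline and are not scored.
    """
    hits = []
    for i in range(window, len(values)):
        _, lo, hi = band(values[i - window:i], k)
        if values[i] < lo or values[i] > hi:
            hits.append((i, values[i]))
    return hits


if __name__ == "__main__":
    print("whole-series band:", band(HOURLY_FAILED_AUTH))
    print("outliers:", outliers(HOURLY_FAILED_AUTH))
    print("trailing outliers:", trailing_outliers(HOURLY_FAILED_AUTH))
```

Both functions flag the spike at bucket 16; the whole-series band is roughly -19 to 48 because the spike is part of its own baseline, while the trailing band at that point is about 8 to 14. A constant series has a zero-width band and produces no outliers, which is the degenerate case to keep in mind when a panel is empty.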
Data sources
The Predictive Analytics dashboard references data in any user selected data model. If the data model accelerations are
unavailable or incomplete for the chosen time range, the dashboard reverts to searching unaccelerated, raw data.
From this dashboard, create a correlation search based on the search parameters of your current predictive analytics
search. The correlation search creates a notable event each time it returns results.
1. Click Save as Correlation Search... to open the Create Correlation Search dialog.
2. Select the Security domain and Severity for the notable event created by this search.
3. Add a search name and description.
4. Click Save.
To view and edit correlation searches, go to Configure > Content > Content Management. See Configure correlation
searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Troubleshooting
This dashboard references data from various data models. Without the applicable data, the panels will remain empty. See
Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Access dashboards
The Access Protection domain monitors authentication attempts to network devices, endpoints, and applications within
the organization. Access Protection is useful for detecting malicious authentication attempts, as well as identifying
systems users have accessed in either an authorized or unauthorized manner.
Access Center dashboard
Access Center provides a summary of all authentication events. This summary is useful for identifying security incidents
involving authentication attempts such as brute-force attacks or use of clear text passwords, or for identifying
authentications to certain systems outside of work hours.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key
security indicators.
Filter by | Description | Action
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Special Access | Restricts the view to events related to privileged access. See Administrative Identities in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Access Over Time By Action | Displays the count of authentication events over time by action.
Access Over Time By App | Displays the count of authentication events over time by app. For example, "win:local" refers to local authentication performed on a Windows system and "win:remote" refers to remote API access.
Top Access By Source | Displays a table of the highest access counts by source. This table is useful for detecting brute force attacks, since aggressive authentication attempts display a disproportionate number of auth requests.
Access Tracker dashboard
The Access Tracker dashboard gives an overview of account statuses. Use it to track newly active or inactive accounts,
as well as those that have been inactive for a period of time but recently became active. Discover accounts that are not
properly de-provisioned or inactivated when a person leaves the organization.
As inactive accounts or improperly active accounts are vulnerable to attackers, it is a good idea to check this dashboard
on a regular basis. You can also use this dashboard during an investigation to identify suspicious accounts and closely
examine user access activity.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key
security indicators.
Filter by | Description | Action
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
First Time Access - Last 7 days | Displays new account access by user and destination.
Completely Inactive Accounts - Last 90 days | Displays accounts that have shown no activity. Use this panel to identify accounts that should be suspended or removed. If the organization has a policy that requires a password change after a specified interval, then accounts that have shown no activity for more than that interval are known to be inactive. This panel also indicates the effectiveness of the enterprise's policy for closing or de-provisioning accounts. If a large number of accounts display here, the process may need to be reviewed.
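The three checks behind the Access Center "Top Access By Source" panel and the two Access Tracker panels, as one added example in Python. This is not Splunk Enterprise Security code (the dashboards run these as searches over the Authentication data model); the events are constructed, the field names follow the CIM Authentication model (src, user, dest, app, action), and the thresholds are assumptions chosen for the sample:

```python
"""Authentication analytics in the style of Access Center and Access Tracker.

Added example, not Splunk ES code. Runs over a constructed list of
CIM-style authentication events with a fixed "now" so results are stable.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 1, 12, 0)   # fixed clock for the example
D = timedelta(days=1)

# Constructed events: (time, src, user, dest, app, action). Hosts are made up.
EVENTS = [
    (NOW - 2 * D,   "10.1.1.5", "alice", "fs01",  "win:remote", "success"),
    (NOW - 1 * D,   "10.1.1.5", "alice", "fs01",  "win:remote", "success"),
    (NOW - 3 * D,   "10.1.1.9", "bob",   "db02",  "sshd",       "success"),
    (NOW - 120 * D, "10.1.1.9", "carol", "db02",  "sshd",       "success"),
    (NOW - 95 * D,  "10.1.2.7", "dave",  "web01", "sshd",       "success"),
]
# Constructed password-spraying burst: one source, 40 accounts, then one success.
EVENTS += [
    (NOW - timedelta(minutes=5, seconds=i), "203.0.113.44", f"user{i:02d}",
     "vpn01", "vpn", "failure")
    for i in range(40)
]
EVENTS.append((NOW - timedelta(minutes=1), "203.0.113.44", "user07",
               "vpn01", "vpn", "success"))


def top_access_by_source(events, min_attempts=20, min_failure_ratio=0.8):
    """Sources with a disproportionate share of failed attempts.

    Returns [(src, attempts, failures, distinct_users)], most active first.
    A high distinct-user count with few successes is the spraying signature;
    the same source succeeding afterwards is the row to act on first.
    """
    attempts, failures, users = Counter(), Counter(), defaultdict(set)
    for _, src, user, _, _, action in events:
        attempts[src] += 1
        users[src].add(user)
        if action == "failure":
            failures[src] += 1
    hits = []
    for src, n in attempts.most_common():
        f = failures[src]
        if n >= min_attempts and f / n >= min_failure_ratio:
            hits.append((src, n, f, len(users[src])))
    return hits


def first_time_access(events, now=NOW, days=7):
    """(user, dest) pairs whose first successful logon is within `days` days:
    an account touching a system it has never touched before."""
    first_seen = {}
    for t, _, user, dest, _, action in events:
        if action != "success":
            continue
        key = (user, dest)
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
    cutoff = now - timedelta(days=days)
    return sorted(k for k, t in first_seen.items() if t >= cutoff)


def completely_inactive(events, known_accounts, now=NOW, days=90):
    """Accounts from the identity list with no successful logon in `days` days.

    The identity list is the input, not the events: an account that never
    authenticated at all produces no event and would otherwise be missed.
    """
    last_seen = {}
    for t, _, user, _, _, action in events:
        if action == "success":
            last_seen[user] = max(t, last_seen.get(user, t))
    cutoff = now - timedelta(days=days)
    return sorted(u for u in known_accounts
                  if last_seen.get(u, datetime.min) < cutoff)


if __name__ == "__main__":
    print(top_access_by_source(EVENTS))
    print(first_time_access(EVENTS))
    print(completely_inactive(EVENTS, ["alice", "bob", "carol", "dave", "erin"]))
```

On the sample data the spraying source shows 41 attempts, 40 failures and 40 distinct accounts; the first-time list includes user07 on vpn01, which is the successful logon that followed the spray; and carol, dave and the never-seen erin are reported inactive.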
Access Search dashboard
Use the Access Search dashboard to find specific authentication events. The dashboard is used in ad-hoc searching of
authentication data, but is also the primary destination for drilldown searches used in the Access Anomalies dashboard
panels.
The Access Search page displays no results unless it is opened in response to a drilldown action, or you set a filter
and/or time range and click Submit.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key
security indicators.
Filter by | Description | Action
 | | Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range | Select the time range to view. | Drop-down: select to filter by
Account Management dashboard
The Account Management dashboard shows changes to user accounts, such as account lockouts, newly created
accounts, disabled accounts, and password resets. Use this dashboard to verify that accounts are being correctly
administered and account administration privileges are being properly restricted. A sudden increase in the number of
accounts created, modified, or deleted can indicate malicious behavior or a rogue system. A high number of account
lockouts could indicate an attack.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key
security indicators.
Filter by | Description | Action
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Special Accounts | Restricts the view to events related to privileged access. See Administrative identities in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Account Management Over Time | Displays all account management events over time.
Account Lockouts | Displays all account lockouts, including the number of authentication attempts per account.
Account Management by Source User | Tracks the total account management activity by source user, and shows the source users with the most account management events. The source user is the user that performed the account management event, rather than the user that was affected by the event. For example, if user "Friday.Adams" creates an account "Martha.Washington", then "Friday.Adams" is the source user. This panel helps identify accounts that should not be managing other accounts and shows spikes in account management events, such as the deletion of a large number of accounts.
Top Account Management Events | Shows the most frequent management events in the specified time period.
Default Account Activity dashboard
The Default Account Activity dashboard shows activity on "default accounts", or accounts enabled by default on various
systems such as network infrastructure devices, databases, and applications. Default accounts have well-known
passwords and are often not disabled properly when a system is deployed.
Many security policies require that default accounts be disabled. In some cases, you may need to monitor or investigate
authorized use of a default account. It is important to confirm that the passwords on default accounts are changed before
use. Abnormal or deviant user behavior from a default account can indicate a security threat or policy violation. Use this
dashboard to ensure that security policies regarding default accounts are properly followed.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key
security indicators.
Filter by | Description | Action
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by
Dashboard panels
Panel | Description
Default Account Usage Over Time by App | Shows default account activity on all systems and applications during the selected time frame, split by application, for example sshd or ftpd. Application accounts are shown by the number of successful login attempts and when the last attempt was made. Use this chart to identify spikes in default account login activity by application, which may indicate a security incident, and to determine whether default account use is common (for example, a daily event) or rare for a certain application.
Default Accounts in Use | Shows all default user accounts with a high number of login attempts on different hosts, including the last attempt made. Use it to spot abnormal default user account activity that could indicate a security threat, and to confirm that default account behavior matches the security policy.
Default Local Accounts | Lists all default accounts that are active on enterprise systems, including accounts "at rest". Any available default accounts are listed, regardless of whether the account is actually in use. Only accounts detected on a local system, for example by examining the users list on a host, are included in this list.
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty.
See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Endpoint dashboards
The Endpoint Protection domain provides insight into malware events including viruses, worms, spyware, attack tools,
adware, and PUPs (Potentially Unwanted Programs), as well as your endpoint protection deployment.
Malware Center dashboard
Malware Center is useful to identify possible malware outbreaks in your environment. It displays the status of malware
events in your environment, and how that status changes over time based on data gathered by Splunk.
Search malware events directly using Malware Search, or click chart elements or table rows to display raw events. See
Drill down to raw events for more information on this feature. Configure new data inputs through the Settings menu.
You can use the filters to refine which events are shown.
Filter by | Description | Action
Category | Filter based on the categories to which the malware belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Malware Activity Over Time By Action | Shows all malware detected over the specified time period, split by action (allowed, blocked, deferred). Use this chart to detect whether too many malware infections are allowed.
Malware Activity Over Time By Signature | Shows all malware detected over the specified time period, split by signature. Example signatures are Mal/Packer, LeakTest, EICAR-AV-Test, TROJ_JAVA.BY. Use this chart to detect which infections are dominant in your environment.
Top Infections | Shows a bar chart of the top infections in your environment, split by signature. This panel helps identify outbreaks related to a specific type of malware.
New Malware - Last 30 Days | Shows new malware detected on the network over the last 30 days. For each malware signature identified, the date and time it was first detected and the total number of infections are shown. First-time infections are the most likely to cause outbreaks.
Malware Search dashboard
The Malware Search dashboard assists in searching malware-related events based on the criteria defined by the search
filters. The dashboard is used in ad-hoc searching of malware data, but is also the primary destination for drilldown
searches used in the Malware Center dashboard panels.
The Malware Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a
filter, select a time range, and click Submit.
Filter by | Description | Action
Signature | Filter on malware with matching signatures. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range | Select the time range to view. | Drop-down: select to filter by
Malware Operations dashboard
The Malware Operations dashboard tracks the status of endpoint protection products deployed in your environment. Use
this dashboard to see the overall health of systems and identify systems that need updates or modifications made to their
endpoint protection software. This dashboard can also be used to see how the endpoint protection infrastructure is being
administered.
You can click chart elements or table rows to display raw events. See Drill down to raw events for more information on
this feature. Configure new data inputs through the Settings menu.
Filter by | Description | Action
Category | Filter based on the categories to which the malware belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Clients by Product Version | Shows a bar chart of the number of clients with a certain version of the endpoint protection product installed.
Clients by Signature Version | Shows a bar chart of the number of clients with a certain signature version.
Repeat Infections | Shows repeated malware infections. Sort by signature, destination, action, or number of days.
Oldest Infections | Shows the oldest malware infections in your environment. Sort by the date the infection was detected (first or last time), the signature, the destination host (affected system), or the number of days the infection has been active.
System Center dashboard
The System Center dashboard shows information related to endpoints beyond the information reported by deployed
anti-virus or host-based IDS systems. It reports endpoint statistics and information gathered by the Splunk platform.
System configuration and performance metrics for hosts, such as memory usage, CPU usage, or disk usage, can be
displayed on this dashboard.
Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature.
Configure new data inputs through the Settings menu.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
The following table describes the panels for this dashboard.
Panel | Description
Operating Systems | Shows the operating systems deployed on the network. Use this chart to detect operating systems that should not be present in your environment.
Services by System Count | Shows services ordered by the number of systems on which they are present.
Ports By System Count | Shows the transport method (e.g., tcp) and destination ports, ordered by the number of systems.
Note: If incorrect or missing data is showing up in the System Center dashboard, be sure that the technology add-ons that
supply the data for this dashboard are installed on the full forwarders in the deployment. Technology add-ons containing
knowledge needed for parsing of data need to be installed on the full forwarders.
Time Center dashboard
The Time Center dashboard helps ensure data integrity by identifying hosts that are not correctly synchronizing their
clocks.
Splunk will create an alert when it discovers a system with time out of sync. When you receive an alert, you can drill down
to the raw data and investigate further by clicking any of the chart elements or table rows on the dashboard. See Drill
down to raw events for more information on this feature.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
The following table describes the panels for this dashboard.
Panel | Description
Time Synchronization Failures | A list of systems where time synchronization has failed.
Indexing Time Delay | Shows hosts with significant discrepancies between the timestamp the host places on the event and the time that the event appears in the Splunk platform. For example, if the timestamp on an event is later than the time that Splunk indexes the event, the host is timestamping events as future events. A large difference (on the order of hours) indicates improper time zone recognition.
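The Indexing Time Delay check, as an added example in Python rather than the dashboard's own search. Splunk stores the parsed event timestamp as _time and the time the indexer wrote the event as _indextime; the example computes the gap per host from constructed records (hostnames are made up) and separates the two failure modes the text describes, a clock that is slightly off and a time zone that is wrong by whole hours. The 300-second tolerance and the whole-hour heuristic are assumptions for the sample, not ES settings:

```python
"""Indexing-delay check in the style of the Time Center dashboard.

Added example, not Splunk code. Each record carries the event's parsed
timestamp (_time) and the indexer's write time (_indextime); a large
difference means the host clock or its time zone recognition is wrong.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)

# Constructed records: (host, _time, _indextime) as aware UTC datetimes.
RECORDS = [
    ("web01", T0, T0 + timedelta(seconds=3)),                       # healthy
    ("db02", T0 - timedelta(minutes=6), T0),                        # clock 6 min slow
    ("hr-pc", T0 + timedelta(hours=5), T0),                         # future-stamped
    ("vpn01", T0 - timedelta(hours=8), T0 + timedelta(seconds=1)),  # 8 h late
]


def delay_seconds(event_time, index_time):
    """Positive when the event was indexed after its timestamp (normal and
    small); negative when the timestamp lies in the future of indexing."""
    return (index_time - event_time).total_seconds()


def classify(delay, max_skew_seconds=300):
    """Label a host's skew.

    A gap close to a whole number of hours points at time zone
    misconfiguration (the parsed timestamp had no zone, or the wrong one)
    rather than NTP drift, which is what the 'improper time zone
    recognition' note in the panel description refers to.
    """
    if abs(delay) <= max_skew_seconds:
        return "ok"
    kind = "future_timestamps" if delay < 0 else "late_timestamps"
    whole_hours = abs(delay) >= 3600 and abs(delay) % 3600 < max_skew_seconds
    return kind + (":timezone" if whole_hours else ":clock_skew")


def indexing_time_delay(records, max_skew_seconds=300):
    """Per-host worst skew beyond the tolerance: {host: (delay, label)}."""
    worst = {}
    for host, t, it in records:
        d = delay_seconds(t, it)
        if host not in worst or abs(d) > abs(worst[host]):
            worst[host] = d
    return {h: (d, classify(d, max_skew_seconds))
            for h, d in worst.items() if abs(d) > max_skew_seconds}


if __name__ == "__main__":
    for host, (d, label) in sorted(indexing_time_delay(RECORDS).items()):
        print(f"{host:6} {d:+9.0f}s {label}")
```

web01 is within tolerance and not reported; db02 is a few minutes slow (clock skew); hr-pc stamps events five hours in the future and vpn01 eight hours in the past, both whole-hour offsets, so they are labelled as time zone problems. Events stamped in the future are the more damaging case for an investigation, because time-bounded searches will not return them when you expect them to.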
Endpoint Changes dashboard
The Endpoint Changes dashboard uses the Splunk change monitoring system, which detects file-system and registry
changes, to illustrate changes and highlight trends in the endpoints in your environment. For example, Endpoint Changes
can help discover and identify a sudden increase in changes that may be indicative of a security incident.
You can click chart elements or table rows on this dashboard to display raw events. See Drill down to raw events for more
information on this feature.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
The following table describes the panels for this dashboard.
Panel | Description
Endpoint Changes by Action | Summarizes changes over time. A substantial increase in changes may indicate the presence of an incident that is causing changes on the endpoints, such as a virus or worm.
Endpoint Changes by Type | Summarizes the type of changes observed on the endpoints, such as file or registry changes.
Recent Endpoint Changes | Shows the most recent endpoint changes observed.
Update Center dashboard
The Update Center dashboard provides additional insight into systems by showing systems that are not updated. It is a
good idea to look at this dashboard on a monthly basis to ensure systems are updating properly.
You can click any of the chart elements or table rows on the dashboard to see raw events. See Drill down to raw events
for more information on this feature.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Top Updates Needed | A bar chart of the top updates needed across the environment, sorted by signature, such as the KB number.
Update Service Start Mode Anomalies | Shows all systems where the update startup task or service is disabled. Administrators sometimes disable automatic updates to expedite a restart and can forget to re-enable the process.
Update Search dashboard
The Update Search dashboard shows patches and updates by package and/or device. This dashboard helps identify
which devices have a specific patch installed. This is useful when, for example, there is a problem caused by a patch and
you need to determine exactly which systems have that patch installed.
The Update Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a
filter, select a time range, and click Submit.
Filter by | Description | Action
Show only systems that should update | Select true to filter by systems categorized as should_update=true in the Asset table, or false to filter by systems categorized as should_update=false in the Asset table. See Configure the new asset or identity list in Splunk Enterprise Security in Administer Splunk Enterprise Security for more about asset configuration. | Drop-down: select true or false
Update Status | Filter by the status of the update on a machine. | Drop-down: select to filter by
Signature | Filter by the signature, for example the KB number, of a particular update. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range | Select the time range to view. | Drop-down: select to filter by
Asset Center dashboard
Use the Asset Center dashboard to review and search for objects in the asset data added to Enterprise Security. The
asset data represents a list of hosts, IP addresses, and subnets within the organization, along with information about each
asset. The asset list correlates asset properties to indexed events, providing context such as asset location and the
priority level of an asset.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels.
Filter by | Description
Asset | A known or unknown asset
Dashboard Panels
Panel | Description
Assets by Priority | Displays the number of assets by priority level. The drilldown opens a search with the selected priority level.
Assets by Business Unit | Displays the relative amount of assets by business unit. The drilldown opens a search with the selected business unit.
Assets by Category | Displays the relative amount of assets by category. The drilldown opens a search with the selected category.
Asset Information | Shows all assets that match the current dashboard filters. The drilldown opens the Asset Investigator dashboard if the "ip", "nt_host", "mac", or "dns" fields are selected. Any other field opens a search with the selected field.
Data sources
The reports in the Asset Center dashboard reference fields in the Asset and Identities data model. Relevant data sources
include lists of assets and identities collected and loaded as lookups, scripted inputs, or search-extracted data.
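How the asset list adds context to an event, as an added example in Python (not Splunk Enterprise Security's own lookup code). The asset list may hold single addresses and subnets; the example resolves an event's dest address against a constructed list with longest-prefix matching, so a host entry overrides its subnet and a subnet overrides a broader corporate range, and attaches priority, category and business unit fields the way the ES asset lookup adds dest_priority, dest_category and dest_bunit. Hosts, addresses and the row layout are assumptions made for the sample:

```python
"""Asset correlation in the style of the Asset Center / asset lookup.

Added example, not Splunk ES code. Resolves an address against a
constructed asset list containing both single hosts and CIDR subnets.
"""
import ipaddress

# Constructed asset rows: (ip or CIDR, nt_host, priority, category, bunit).
ASSETS = [
    ("10.0.0.0/8",      "",     "low",      "corporate",         ""),
    ("10.10.0.0/16",    "",     "medium",   "server",            "it"),
    ("10.10.5.20",      "DC01", "critical", "domain_controller", "it"),
    ("192.168.50.0/24", "",     "high",     "pci",               "finance"),
]


def _parse(ip_field):
    """A single address becomes a /32 (or /128) network; CIDR is kept as-is."""
    return ipaddress.ip_network(ip_field, strict=False)


def lookup_asset(ip, assets=ASSETS):
    """Most specific (longest prefix) asset row matching `ip`, or None.

    Longest prefix wins, so 10.10.5.20 resolves to the DC01 host row even
    though it also lies inside 10.10.0.0/16 and 10.0.0.0/8.
    """
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for row in assets:
        net = _parse(row[0])
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = row, net.prefixlen
    return best


def enrich(event, assets=ASSETS):
    """Add dest_* asset fields to an event dict that has a `dest` address.

    Unknown assets are labelled explicitly rather than dropped: an address
    with no asset row is itself a finding (an undocumented host or a
    non-corporate destination).
    """
    row = lookup_asset(event["dest"], assets)
    out = dict(event)
    if row is None:
        out.update(dest_priority="unknown", dest_category="", dest_bunit="")
    else:
        _, nt_host, prio, cat, bunit = row
        out.update(dest_nt_host=nt_host, dest_priority=prio,
                   dest_category=cat, dest_bunit=bunit)
    return out


if __name__ == "__main__":
    for ip in ("10.10.5.20", "10.10.7.3", "10.3.2.1", "192.168.50.9", "8.8.8.8"):
        print(ip, enrich({"dest": ip}))
```

The ordering of rows in the list does not matter because the match is decided by prefix length; what does matter is that every event address gets an answer, which is why the unmatched case sets dest_priority to "unknown" instead of leaving the field absent.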
Identity Center dashboard
Use the Identity Center dashboard to review and search for objects in the identity data added to Enterprise Security.
Identity data represents a list of account names, legal names, nicknames, and alternate names, along with other
associated information about each identity. The identity data is used to correlate user information to indexed events,
providing additional context.
The filter for the Identity Center dashboard uses a key=value pair search field. To filter identities, enter a key=value pair
instead of a name or text string.
Use the available dashboard filters to refine the results displayed on the dashboard panels.
Filter by | Description
Username | A known or unknown user
Watchlisted Identities Only | Filter by the identities tagged as "watchlist" in the Identities table.
Dashboard Panels
Panel | Description
Identities by Priority | Displays the count of identities by priority level. The drilldown opens a search with the selected priority level.
Identities by Business Unit | Displays the relative number of identities by business unit. The drilldown opens a search with the selected business unit.
Identities by Category | Displays the relative number of identities by category. The drilldown opens a search with the selected category.
Identity Information | Shows all identities that match the current dashboard filters. The drilldown opens the Identity Investigator dashboard if you select the identity field. Any other field opens a search with the selected field.
Data sources
The reports in the Identity Center dashboard reference fields in the Asset and Identities data model. Relevant data
sources include lists of assets and identities collected and loaded as lookups, scripted inputs, or search extracted data.
Session Center dashboard
The Session Center dashboard provides an overview of network sessions. Network sessions are used to correlate
network activity to a user using session data provided by DHCP or VPN servers. Use the Session Center to review the
session logs and identify the user or machine associated with an IP address used during a session. You can review
network session information from the Network Sessions data model, or user and device association data from Splunk
UBA.
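The correlation the Session Center performs, as an added example in Python (not Splunk code): given DHCP or VPN session records with a start time, an end time and the address that was leased, find the user and device that held an address at the moment an event occurred. The session records, names and hostnames are constructed; an open lease with no end time and two overlapping leases for the same address are included because both are real cases the lookup has to handle:

```python
"""Session correlation in the style of the Session Center.

Added example, not Splunk ES code. The dashboard draws on the Network
Sessions data model (DHCP/VPN leases); here a constructed session table
answers "who had this address at this time?" for an event.
"""
from datetime import datetime, timedelta

T = datetime(2024, 5, 1, 8, 0)
H = timedelta(hours=1)

# Constructed sessions: (start, end or None if still open, src_ip, user, host).
SESSIONS = [
    (T,         T + 4 * H, "10.20.0.15", "alice",   "ALICE-LAPTOP"),
    (T + 5 * H, T + 9 * H, "10.20.0.15", "bob",     "BOB-LAPTOP"),   # re-leased later
    (T + 2 * H, None,      "10.20.0.77", "carol",   "CAROL-PC"),     # open lease
    (T + 3 * H, T + 3 * H + timedelta(minutes=30),
                           "10.20.0.15", "mallory", "UNKNOWN-DEV"),  # overlaps alice
]


def who_had_ip(ip, at, sessions=SESSIONS):
    """Sessions that held `ip` at time `at`, as (user, host, start, end).

    Start is inclusive, end exclusive, so an address re-leased at the exact
    moment the old lease ended is attributed to the new holder only. More
    than one hit means overlapping leases, which is worth a look on its own
    (a broken lease table or a spoofed address).
    """
    hits = []
    for start, end, src_ip, user, host in sessions:
        if src_ip != ip:
            continue
        if start <= at and (end is None or at < end):
            hits.append((user, host, start, end))
    return hits


def attribute_event(event, sessions=SESSIONS):
    """Attach user and host to an event {"src": ip, "_time": datetime}.

    Ambiguity is reported rather than silently resolved to the first match,
    so an analyst sees that the attribution needs confirming.
    """
    hits = who_had_ip(event["src"], event["_time"], sessions)
    out = dict(event)
    if len(hits) == 1:
        out["user"], out["src_nt_host"] = hits[0][0], hits[0][1]
    elif not hits:
        out["user"] = "unknown"
    else:
        out["user"] = "ambiguous"
        out["candidates"] = [h[0] for h in hits]
    return out


if __name__ == "__main__":
    for when in (T + 1 * H, T + 3 * H + timedelta(minutes=10), T + 4 * H, T + 6 * H):
        print(when.time(), attribute_event({"src": "10.20.0.15", "_time": when}))
```

The same address maps to alice at 09:00, to both alice and mallory at 11:10 (reported as ambiguous), to nobody at exactly 12:00 when alice's lease has ended and bob's has not begun, and to bob at 14:00. The open lease for carol matches any time after its start, which is the right behaviour for a lease that has not yet been released but also means a stale "open" record will keep attributing traffic to her until the table is corrected.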
Dashboard Panels
Panel | Description
Sessions Over Time | Displays the total count of network sessions over time. The drilldown opens a search with the selected session and time range.
Session Details | Displays the top 1000 network sessions that have been most recently opened, based on the session start time. The drilldown opens a search with the selected session details.
User Behavior Analytics tab:
Panel | Description
Sessions of Associated Entities | Based on the search filter, displays the sessions of users and devices associated with a device that you search, or devices associated with a user that you search. Hover over a session to learn more about the session activity.
Session Details | Shows the entity ID from Splunk UBA, the name of the entity, the type of entity, the start and end times of the session, and event data from Splunk UBA. Expand a row to view more details.
For more about viewing data from Splunk UBA, see Viewing data from Splunk UBA in Enterprise Security.
The dashboards reference data from various data models. Without the applicable data, the panels will remain empty. See
Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Asset Investigator
The Asset Investigator dashboard displays information about known or unknown assets across a pre-defined set of event
categories, such as malware and notable events.
You can use the Asset Investigator dashboard to triage an asset's interactions with the environment.
The dashboard contains multiple event categories, with each one represented by its own swim lane. Each event category
contains relevant events that correspond to a data model. For example, the Malware Attacks swim lane displays events
from an anti-virus management or other malware data source, limited to the asset searched. Multiple swim lanes are
displayed at once to make it easier for you to track the actions of an asset across event categories.
To initiate the asset investigation workflow, perform a workflow action from any dashboard that displays events with
network source or destination addresses.
1. Look at the asset description at the top of the dashboard to confirm that you are viewing the asset you would like
to investigate. All events displayed in the swim lanes are limited to the selected asset.
2. Use the time range picker to narrow down the general time range you are interested in. Use the time sliders to
isolate periods of interesting events or peak event counts.
3. Add or change the swim lanes using the edit menu. For example, to display data collected on an asset from
packet analysis tools, change the selected collection from Default to Protocol Intelligence, which represents
packet capture data. See Edit the swim lanes.
4. Review individual and grouped events. After selecting an event, you can use the Event Panel to examine
common fields represented in the individual or grouped events.
5. If there is an event or pattern that you want to share or investigate further, you can do this using the Event Panel.
   1. Click Go to Search to view a drilldown of the selected events.
   2. Click Share for a shortened link to the current view.
   3. Click Create Notable Event to open a dialog box to create an ad-hoc notable event. See Manually create
      a notable event in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Data sources
The event categories in the Asset Investigator dashboard display events from a number of data models containing an
asset or host field. In any given time selection, a selected asset may not have data to display in one or more event
categories. When a data model search returns no matching events, the swim lane displays "Search returned no results."
See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Identity Investigator
The Identity Investigator dashboard displays information about known or unknown user identities across a predefined set
of event categories, such as change analysis or malware.
You can use the Identity Investigator dashboard to triage a user identity's interactions with the environment.
The dashboard contains multiple event categories, with each one represented by its own swim lane. Each event category
contains relevant events that correspond to a data model. For example, the Malware Attacks swim lane displays events
from an anti-virus management or other malware data source, limited to the user identity or credential searched. Multiple
swim lanes are displayed at once to make it easier for you to track the actions of a user across event categories.
The identity investigation workflow is initiated through a workflow action from any dashboard that displays events with
network source or destination address.
1. Look at the identity description at the top of the dashboard to confirm that you are viewing the identity you would
like to investigate. All events displayed in the swim lanes are limited to the selected identity.
2. Use the time range picker to narrow down the general time range you are interested in. Use the time sliders to
isolate periods of interesting events or peak event counts.
3. Add or change swim lanes by using the edit menu. For example, to display identity information collected for user
activity monitoring, change the selected collection from Default to User Activity. See Edit the swim lanes.
4. Review individual and grouped events. After selecting an event, you can use the Event Panel to examine
common fields represented in the individual or grouped events.
5. If there is an event or pattern that you would like to share or investigate further, you can do this using the Event
   Panel.
   1. Click Go to Search to view a drilldown of the selected events.
   2. Click Share for a shortened link to the current view.
   3. Click Create Notable Event to open a dialog box to create an ad-hoc notable event. See Manually create
      a notable event in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Data sources
The event categories in the Identity Investigator dashboard display events from a number of data models containing an
identity or a user field. In any given time selection, an identity may not display data in one or more event categories. When
a data model search returns no matching events, the swim lane displays "Search returned no results." See Troubleshoot
dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Edit the swim lanes
You can add or remove swim lanes from the Entity Investigator dashboards by opening the Edit Lanes customization
menu. The Entity Investigator dashboards support the addition of custom swim lanes bundled with add-ons or created
using ES Content Management. For more information, see Managing content in Splunk Enterprise Security in Administer
Splunk Enterprise Security.
The order of swim lanes can be changed on the dashboard and does not require the Edit Lanes menu.
The Asset Investigator has additional, optional swim lanes in the collection Protocol intelligence to display data collected
about an asset using packet analysis tools. The Identity Investigator has additional, optional swim lanes in the collection
User Activity to display data collected about an identity for user activity monitoring.
Swim lane | Dashboard | Description
All Changes | Both | Matches events in the Change Analysis data model.
Threat List Activity | Both | Matches events in the Threat Lists data model.
IDS Attacks | Both | Matches events in the Intrusion Detection data model.
Risk Modifiers | Both | Matches events in the Risk Analysis data model.
DNS Errors | Asset only | Matches events in the Network Resolution DNS data model.
Cloud Emails | Asset only | Matches events in the Email data model.
SSL Expired Certs | Asset only | Matches events in the Certificates data model.
HTTP Errors | Asset only | Matches events in the Web data model.
Non-corporate Emails | Identity only | Matches events in the Email data model.
Non-corporate Web Uploads | Identity only | Matches events in the Web data model.
Remote Access | Identity only | Matches events in the Authentication data model.
Ticket Activity | Identity only | Matches events in the Ticket Management data model.
Watchlisted Sites | Identity only | Matches events in the Web data model.
The Asset and Identity Investigator dashboards display events from the data model named in each swim lane. When a
data model search returns no matching events, the swim lane displays "Search returned no results." See Troubleshoot
dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
The User Activity dashboard displays panels representing common risk-generating user activities such as suspicious
website activity. For more information about risk scoring, see How Splunk Enterprise Security assigns risk scores.
Dashboard filters
You can use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not
apply to key security indicators.
Filter by | Description
User | A known or unknown identity
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Users By Risk Scores | Displays the top 100 highest risk users. As an insider threat can represent subtle and indirect changes in behavior, this panel assists an analyst in focusing on the riskiest users in the organization. The drilldown opens the Identity Investigator dashboard and searches on the selected user.
Non-corporate Web Uploads | Displays high volume upload and download activity by user. An irregular pattern of upload or download activity can be an indicator of data exfiltration. The drilldown opens the Identity Investigator dashboard and searches on the selected user.
Non-corporate Email Activity | Displays the top 100 users performing high volume email activity to non-corporate domains. A pattern of large or high volume email activity can be an indicator of data exfiltration. The drilldown opens the Identity Investigator dashboard and searches on the selected user.
Watchlisted Site Activity | Displays web access by user. Accessing specific categories of web sites while using workplace resources and assets can be an indicator of insider threat activity. The drilldown opens the Identity Investigator dashboard and searches on the selected user.
Remote Access | Displays remote access authentication by user. A user performing risky web or email activity while using remote access services can be an indicator of data exfiltration, or exploited credentials. The drilldown opens the Identity Investigator dashboard and searches on the selected user.
Ticket Activity | Displays ticketing activity by user. A user performing risky web or email activity while filing tickets to provide additional services or internal access can be an indicator of data exfiltration, or exploited credentials. The drilldown opens the Identity Investigator dashboard and searches on the selected user.
Data sources
The reports in the User Activity dashboard reference data fields in multiple sources. Relevant data sources include proxy
servers, gateways and firewalls, or other sources that reference a distinct user. In order for the dashboards to populate,
new lookup content and fields in the identities list must be added. For a list of additional data sources, see Troubleshoot
dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Access Anomalies
The Access Anomalies dashboard displays concurrent authentication attempts from different IP addresses and
improbable travel anomalies using internal user credentials and location-relevant data.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels.
Filter by | Description
Action | A successful or failed authentication attempt.
Panel | Description
Geographically Improbable Accesses | Displays users that initiated multiple authentication attempts separated by an improbable time and distance. Authenticating from two geographically distant locations in a time frame lower than typical transportation methods provide can be an indicator of exploited credentials. The drilldown opens the Access Search dashboard and searches on the selected user.
Concurrent Application Accesses | Displays users that initiated multiple authentication attempts from unique IP addresses within a short time span. This pattern of authentication can be an indicator of shared or stolen credentials. The drilldown redirects the page to the Access Search dashboard and searches on the selected user.
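The two panel heuristics above, re-implemented in Python as an added illustration (this is not Splunk Enterprise Security's own search logic): the authentication events, the coordinates, the 900 km/h travel-speed limit and the 5-minute concurrency window are all constructed assumptions.

```python
"""Illustrative re-implementation of the two Access Anomalies panel checks.

Added example, not Splunk Enterprise Security's own searches: it applies the
same two heuristics (improbable travel between successive authentications, and
concurrent authentications from distinct IP addresses) to constructed events.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample events: (user, timestamp, src_ip, (lat, lon)).
# Coordinates are approximate city locations used only for illustration.
SAMPLE_AUTH_EVENTS = [
    ("alice", "2024-05-01T08:00:00Z", "203.0.113.10", (40.71, -74.01)),   # New York
    ("alice", "2024-05-01T09:30:00Z", "198.51.100.7", (51.51, -0.13)),    # London, 90 min later
    ("bob",   "2024-05-01T08:00:00Z", "192.0.2.5",    (37.77, -122.42)),  # San Francisco
    ("bob",   "2024-05-01T14:00:00Z", "192.0.2.5",    (37.77, -122.42)),
    ("carol", "2024-05-01T10:00:00Z", "192.0.2.20",   (48.86, 2.35)),     # Paris, three IPs
    ("carol", "2024-05-01T10:02:00Z", "192.0.2.21",   (48.86, 2.35)),
    ("carol", "2024-05-01T10:03:00Z", "192.0.2.22",   (48.86, 2.35)),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _by_user(events):
    """Group events per user, sorted by time."""
    per_user = defaultdict(list)
    for user, ts, ip, loc in events:
        per_user[user].append((_parse(ts), ip, loc))
    for evs in per_user.values():
        evs.sort(key=lambda e: e[0])
    return per_user


def improbable_accesses(events, max_speed_kmh=900.0):
    """Flag consecutive authentications whose implied travel speed exceeds
    max_speed_kmh (assumed threshold, roughly airliner speed)."""
    hits = []
    for user, evs in _by_user(events).items():
        for (t1, ip1, loc1), (t2, ip2, loc2) in zip(evs, evs[1:]):
            km = haversine_km(loc1, loc2)
            if km == 0.0:          # same place: no travel implied
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                hits.append({"user": user, "from_ip": ip1, "to_ip": ip2,
                             "distance_km": round(km), "speed_kmh": round(speed)})
    return hits


def concurrent_accesses(events, window=timedelta(minutes=5), min_ips=2):
    """Flag users authenticating from min_ips or more distinct IP addresses
    inside a sliding window (assumed window length)."""
    hits = []
    for user, evs in _by_user(events).items():
        for i, (t_start, _, _) in enumerate(evs):
            ips = {ip for t, ip, _ in evs[i:] if t - t_start <= window}
            if len(ips) >= min_ips:
                hits.append({"user": user, "distinct_ips": len(ips)})
                break              # report each user once
    return hits


if __name__ == "__main__":
    for hit in improbable_accesses(SAMPLE_AUTH_EVENTS):
        print("improbable travel:", hit)
    for hit in concurrent_accesses(SAMPLE_AUTH_EVENTS):
        print("concurrent access:", hit)
```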
Data sources
The reports in the Access Anomalies dashboard reference data fields in the Authentication data model. Relevant data
sources include proxy servers, gateways and firewalls, or other sources that reference a distinct user. See Troubleshoot
dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Troubleshooting
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty.
See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Risk Analysis
The Risk Analysis dashboard displays recent changes to risk scores and objects that have the highest risk scores. As an
analyst, you can use this dashboard to assess relative changes in risk scores and examine the events that contribute to
an object's risk score.
You can use the Risk Analysis dashboard to review changes to an object's risk score, determine the source of a risk
increase, and decide if additional action is needed.
Dashboard filters
Use any of the available filters on the Risk Analysis dashboard to search and filter the results. A filter is applied to all
panels in the dashboard, but not the key security indicators.
Filter by | Description
Source | Filter by the correlation search that has risk modifiers
Risk Object | Select a risk object type and type a string to filter by risk object. Risk object type defaults to All.
The Risk Object filter works by performing a reverse lookup against the asset and identity tables to find all fields that
have been associated with the specified Risk Object. All associated objects found by the reverse lookup then display on
the dashboard. For example, if you select a risk object type of system and type a Risk Object of 10.10.1.100, the reverse
lookup against the assets table could return a MAC address. The Risk Analysis dashboard will update to display any risk
score applied to the 10.10.1.100 address and a MAC address. If no match to another object was found in the asset table,
only the IP address matches from the Risk Analysis data model will be displayed.
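The reverse lookup just described, modelled in Python as an added example (not Splunk Enterprise Security's own code): the asset rows, field names, risk modifiers and scores are constructed, and only the assets table is modelled, so identity objects are matched on their own name only.

```python
"""Illustrative model of the Risk Object filter's reverse lookup.

Added example, not Splunk Enterprise Security's own code. It expands a risk
object through a constructed asset table (the way the filter resolves
10.10.1.100 to the MAC address of the same asset) and then totals the risk
modifiers that apply to the object or to any related identifier.
"""
from collections import defaultdict

# Constructed asset table: each row lists the identifiers one asset is known by.
SAMPLE_ASSETS = [
    {"ip": "10.10.1.100", "mac": "00:11:22:33:44:55", "nt_host": "WS-100", "dns": "ws-100.example.test"},
    {"ip": "10.10.1.101", "mac": "00:11:22:33:44:66", "nt_host": "WS-101", "dns": "ws-101.example.test"},
]

# Constructed risk modifiers: (risk_object_type, risk_object, risk_score, source).
# Source names are illustrative correlation search titles.
SAMPLE_RISK_MODIFIERS = [
    ("system", "10.10.1.100", 20, "Network - Vulnerability Scanner Detection - Rule"),
    ("system", "00:11:22:33:44:55", 40, "Endpoint - Host With Multiple Infections - Rule"),
    ("system", "WS-101", 10, "Endpoint - Host With Multiple Infections - Rule"),
    ("user", "alice", 30, "Access - Brute Force Access Behavior Detected - Rule"),
]

ASSET_FIELDS = ("ip", "mac", "nt_host", "dns")


def reverse_lookup(risk_object, assets=SAMPLE_ASSETS):
    """Return every identifier of any asset row that contains risk_object.
    The object itself is always included, so an unmatched object yields {object}."""
    related = {risk_object}
    for row in assets:
        if risk_object in {row.get(f) for f in ASSET_FIELDS}:
            related.update(row[f] for f in ASSET_FIELDS if row.get(f))
    return related


def risk_for_object(risk_object_type, risk_object, modifiers=SAMPLE_RISK_MODIFIERS):
    """Total risk, and the contribution per source, for the object and its
    related identifiers. Only system objects are expanded here."""
    related = reverse_lookup(risk_object) if risk_object_type == "system" else {risk_object}
    by_source = defaultdict(int)
    total = 0
    for obj_type, obj, score, source in modifiers:
        if obj_type == risk_object_type and obj in related:
            total += score
            by_source[source] += score
    return {"objects": sorted(related), "total": total, "by_source": dict(by_source)}


if __name__ == "__main__":
    # The MAC-sourced modifier (40) is included because the asset table links it to the IP.
    print(risk_for_object("system", "10.10.1.100"))
```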
Dashboard panels
The Risk Analysis dashboard offers additional views to help analyze risk scoring changes and what caused the changes.
Use the filters to refine the view to a specific object or group of objects. Use the drilldown to explore the data as events.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Risk Modifiers Over Time | Displays the changes made to risk modifiers over time. Use the dashboard filters to scope the view to a specific object or group of objects. The drilldown opens a search on all events in the Risk data model scoped to the selected time frame.
Risk Score By Object | Displays the objects with the highest risk score. The drilldown opens a search with the selected risk object and scoped to the selected time frame.
Most Active Sources | Displays the correlation searches that contribute the highest amount of risk to any object. The drilldown opens a search with the selected source.
Recent Risk Modifiers | Displays a table of the most recent changes in a risk score, the source of the change, and the object.
Network dashboards
The Network Protection domain provides insight into the network and network-based devices, including routers, switches,
firewalls, and IDS devices. This domain aggregates all the traffic on the network, including overall volume, specific
patterns of traffic, what devices or users are generating traffic, and per-port traffic. It also shows results from the
vulnerability scanners on the network.
The Traffic Center dashboard profiles overall network traffic, helps detect trends in type and changes in volume of traffic,
and helps to isolate the cause (for example, a particular device or source) of those changes. This helps determine when a
traffic increase is a security issue and when it is due to an unrelated problem with a server or other device on the network.
You can use the filters to limit which items are shown. Configure new data inputs through the Settings menu, or search
for particular network intrusion events directly through Incident Review.
Filter by | Description | Action
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Traffic Over Time by Action | Displays network traffic by action. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected action and time range.
Traffic Over Time By Protocol | Displays the number of events per day for a specified protocol. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected protocol and time range.
Top Sources | Displays the top sources of total traffic volume over the given time frame with a sparkline representing peak event matches. The drilldown opens the Traffic Search dashboard and searches on the selected source IP and time range.
Scanning Activity (Many Systems) | Displays network activity from port scanners or vulnerability scanners and helps identify unauthorized instances of these scanners. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected source IP and time range.
Traffic Search dashboard
The Traffic Search dashboard assists in searching network protocol data, refined by the search filters. The dashboard is
used in ad-hoc searching of network data, but is also the primary destination for drilldown searches used in the Traffic
Center dashboard panels.
The Traffic Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a
filter, select a time range, and click Submit.
Filter by | Description | Action
Time Range | Select the time range to view. | Drop-down: select to filter by
The Intrusion Center provides an overview of all network intrusion events from Intrusion Detection Systems (IDS) and
Intrusion Prevention Systems (IPS) device data. This dashboard assists in reporting on IDS activity to display trends in
severity and in volume of IDS events.
Filter by | Description | Action
IDS Type | Filter based on events matching a specified type of IDS. | Drop-down: select to filter by
IDS Category | Filter based on events matching vendor-defined categories. | Drop-down: select to filter by
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to view. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Attacks Over Time By Severity | Displays the top attacks over time by severity. The drilldown opens the Intrusion Search dashboard and searches on the selected severity and time range.
Top Attacks | Displays the top attacks by count and signature. The drilldown opens the Intrusion Search dashboard and searches on the selected signature.
Scanning Activity (Many Attacks) | Displays source IPs showing a pattern of attacks. The drilldown opens the Intrusion Search dashboard and searches on the selected source IP and time range.
New Attacks - Last 30 Days | Displays attacks that have been identified for the first time. New attack vectors indicate that a change has occurred on the network, potentially due to the presence of a new threat, such as a new malware infection. The drilldown opens the Intrusion Search dashboard and searches on the selected signature and time range.
Intrusion Search dashboard
The Intrusion Search dashboard assists in searching IDS-related events such as attacks or reconnaissance-related
activity, based on the criteria defined by the search filters. The dashboard is used in ad-hoc searching of network data, but
is also the primary destination for drilldown searches used in the Intrusion Center dashboard panels.
The Intrusion Search dashboard displays no results unless it is opened in response to a drilldown action, or you update
a filter, select a time range, and click Submit.
Filter by | Description | Action
Time Range | Select the time range to view. | Drop-down: select to filter by
Vulnerability Center dashboard
The Vulnerability Center provides an overview of vulnerability events from device data.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 60 days. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Top Vulnerabilities | Displays the most common issues reported by the vulnerability scanners. The reported issues are aggregated by host so that the chart represents the number of unique occurrences of the issue as opposed to the number of times the issue was detected (since scanning a single host multiple times will likely reveal the same vulnerabilities each time). The drilldown opens the Vulnerability Search dashboard and searches on the selected signature and time range.
Most Vulnerable Hosts | Displays the hosts with the highest number of reported issues. The drilldown opens the Vulnerability Search dashboard and searches on the selected severity, host, and time range.
Vulnerabilities by Severity | Displays issues by the severity assigned by the vulnerability scanner. Helps identify trends that are not visible when looking at vulnerabilities individually. The drilldown opens the Vulnerability Search dashboard and searches on the selected severity and time range.
New Vulnerabilities | Displays the most recent new vulnerabilities detected as well as the date each one was first observed. Helps identify new issues appearing on the network that need to be investigated as potential new attack vectors. The drilldown opens the Vulnerability Search dashboard and searches on the selected signature and time range.
The Vulnerability Operations dashboard tracks the status and activity of the vulnerability detection products deployed in
your environment. Use this dashboard to see the overall health of your scanning systems, identify long-term issues, and
see systems that are no longer being scanned for vulnerabilities.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Scan Activity Over Time | Displays vulnerability scan activity by systems over time. Hover over item for details. The drilldown opens the Vulnerability Search dashboard and searches on the selected time range.
Vulnerabilities by Age | Displays detected vulnerabilities by age, with signature, destination, and event time. Click an item to view in the Vulnerability Profiler for more detail. The drilldown opens the Vulnerability Search dashboard and searches on the selected signature or destination host, and time range.
Delinquent Scanning | Displays vulnerability scans with a severity of "high". Includes signature. The drilldown opens the Vulnerability Search dashboard and searches on the selected destination host and time range.
Vulnerability Search dashboard
The Vulnerability Search dashboard displays a list of all vulnerability-related events based on the criteria defined by the
search filters. The dashboard is used in ad-hoc searching of vulnerability data, but is also the primary destination for
drilldown searches used in the Vulnerability Center dashboard panels.
The Vulnerability Search dashboard displays no results unless it is opened in response to a drilldown action, or you
update a filter, select a time range, and click Submit.
Filter by | Description | Action
Reference (bugtraq, cert, cve, etc.) | Filter based on common reference standards. | Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range | Select the time range to represent. | Drop-down: select to filter by
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty.
See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
You can use the Web Center dashboard to profile web traffic events in your deployment. This dashboard reports on web
traffic gathered by Splunk from proxy servers. It is useful for troubleshooting potential issues such as excessive bandwidth
usage, or proxies that are no longer serving content for proxy clients. You can also use the Web Center to profile the type
of content that clients are requesting, and how much bandwidth is being used by each client.
You can configure new data inputs through Splunk Settings, or search for particular traffic events directly through Incident
Review. Use the filters at the top of the screen to limit which items are shown. Filters do not apply to Key Indicators.
Filter by | Description | Action
 | | Text field. Empty by default. Wildcard strings with an asterisk (*)
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Events Over Time by Method | Shows the total number of proxy events over time, aggregated by Method, or the HTTP method requested by the client (POST, GET, CONNECT, etc.).
Top Sources | Sources associated with the highest volume of network traffic. This is useful for identifying sources that are using an excessive amount of network traffic (for example, file-sharing hosts), or frequently-requested destinations generating large amounts of network traffic (for example, YouTube or Pandora).
Top Destinations | Destinations associated with the highest volume of network traffic. This is useful for identifying sources that are using an excessive amount of network traffic (for example, file-sharing hosts), or frequently-requested destinations generating large amounts of network traffic (for example, YouTube or Pandora).
Web Search
The Web Search dashboard assists in searching for web events that are of interest based on the criteria defined by the
search filters. The dashboard is used in ad-hoc searching of web data, but is also the primary destination for drilldown
searches used in the Web Search dashboard panels.
The Web Search dashboard displays no results unless it is opened in response to a drilldown action, or you update a
filter, select a time range, and click Submit.
Filter by | Description | Action
Time Range | Select the time range to view. | Drop-down: select to filter by
Network Changes
Use the Network Changes dashboard to track configuration changes to firewalls and other network devices in your
environment. This dashboard helps to troubleshoot device problems; frequently, when firewalls or other devices go down,
this is due to a recent configuration change.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Time Range | Select the time range to represent. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Network Changes by Action | Shows all changes to the devices by the type of change, or whether a device was added, deleted, modified, or changed. The drilldown opens the "New Search" dashboard and searches on the selected action and time range.
Network Changes by Device | Shows all devices that have been changed as well as the number of the changes, sorted by the devices with the highest number of changes. The drilldown opens the "New Search" dashboard and searches on the selected device and time range.
Recent Network Changes | Shows a table of the most recent changes to network devices in the last day.
Troubleshooting
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty.
See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
The lookup table specifies the network ports that the enterprise allows. From this dashboard, you can view new activity by
port to identify devices that are not in compliance with corporate policy, as well as detect prohibited traffic.
Filter by | Description | Action
Category | Filter based on the categories to which the host belongs. | Drop-down: select to filter by
Dashboard Panels
Panel | Description
Port/Protocol Profiler | Displays the volume of network transport and port activity over time, to evaluate if port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection. The drilldown opens the "New Search" dashboard and searches on the selected transport destination port and time range.
New Port Activity - Last 7 Days | Displays a table of transport and port traffic communication over time. The drilldown opens the Traffic Search dashboard and searches on the selected transport and time range.
Prohibited Or Insecure Traffic Over Time - Last 24 Hours | Displays the volume of prohibited network port activity over time, and helps determine if unapproved port activity is trending upwards or downwards. The drilldown opens the "New Search" dashboard and searches on the selected transport destination port and time range.
Prohibited Traffic Details - Last 24 Hours | Displays a table of the number of prohibited network traffic events. The drilldown opens the "New Search" dashboard and searches on the selected source IP, destination IP, transport, port, and time range.
Troubleshooting
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty.
See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
The Protocol Intelligence dashboards use packet capture data. Packet capture data contains security-relevant information
not typically collected in log files. Integrating network protocol data provides a rich source of additional context when
detecting, monitoring, and responding to security related threats.
Obtain packet capture data from apps such as Splunk Stream and the Splunk Add-on for Bro IDS. The dashboards will be
empty without applicable data.
• For information about integrating Splunk Stream with Splunk Enterprise Security, see Splunk Stream integration
in the Enterprise Security Installation and Upgrade Manual.
• For information about the protocols supported in Splunk Stream, see Supported protocols in the Splunk Stream
User Manual.
Protocol Center
The Protocol Center dashboard provides an overview of security-relevant network protocol data. The dashboard searches
display results based on the time period selected using the dashboard time picker.
Dashboard Panels
Panel | Description
Key Indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security. Key indicators displayed include Protocol Activity, Long Lived Connections, Stream Connections, Encrypted Connections, and Total Bytes.
Connections By Protocol | Displays the sum of all protocol connections, sorted by protocol over time. The connection distribution by protocol shows the most common protocols used in an environment, such as email protocols and HTTP/SSL. An exploited protocol may display a disproportionate number of connections for its service type.
Usage By Protocol | Displays the sum of all protocol traffic in bytes, sorted by protocol over time. The bandwidth used per protocol will show consistency relative to the total network traffic. An exploited protocol may display a traffic increase disproportionate to its use.
Top Connection Sources | Displays the top 10 hosts by total protocol traffic sent and received over time. A host displaying a large amount of connection activity may be heavily loaded, experiencing issues, or represent suspicious activity. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected source IP.
Usage For Well Known Ports | Displays the sum of protocol traffic, sorted by ports under 1024 over time. The bandwidth used per port will show consistency relative to the total network traffic. An exploited port may display an increase in bandwidth disproportionate to its use. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected port.
Long Lived Connections | Displays TCP connections sustained longer than 3 minutes. A long duration connection between hosts may represent unusual or suspicious activity. The drilldown opens the Traffic Search dashboard and searches on the selected event.
Data sources
The reports in the Protocol Center dashboard use fields in the Network Traffic data model. Relevant data sources
include all devices or users generating TCP and UDP protocol traffic on the network captured from vulnerability scanners
and packet analysis tools such as Splunk Stream and the Bro network security monitor.
Use the Traffic Size Analysis dashboard to compare traffic data with statistical data to find outliers, traffic that differs
from what is normal in your environment. Any traffic data, such as firewall, router, switch, or network flows, can be
summarized and viewed on this dashboard.
• Investigate traffic data byte lengths to find connections with large byte counts per request, or that are making a
high number of connection attempts with small byte count sizes.
• Use the graph to spot suspicious patterns of data being sent.
• Drill down into the summarized data to look for anomalous source/destination traffic.
Dashboard filters
Use the filters to refine the traffic size events list on the dashboard.
Filter by | Description
Standard Deviation Index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer traffic size anomalies and details, or choose a lower number of deviations to see a greater number of traffic size anomalies and details.
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See Configure per-panel filtering in Splunk Enterprise Security in Administer Splunk Enterprise Security for information.
Dashboard panels
Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature.
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Traffic Size Anomalies Over Time | The chart displays a count of anomalous traffic size in your environment over time. It displays traffic volume greater than the number of standard deviations selected in the filter (2 by default) displayed in a line graph with time as the x-axis and count as the y-axis.
Traffic Size Details | Table that displays each of the traffic events and related details such as the size of the traffic event in bytes. If there is more than one event from a source IP address, the count column shows how many events are seen. In the bytes column, the minimum, maximum, and average number of bytes for the traffic event are shown. Z indicates the standard deviations for the traffic event.
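The Standard Deviation Index, the Z column and the "percentage filtered out" figure, worked through in Python as an added example (not Splunk Enterprise Security's own search): the traffic events are constructed, and the baseline uses the population standard deviation of bytes over all events, which is an assumption of this example.

```python
"""Illustrative re-implementation of the Traffic Size Analysis calculation.

Added example, not Splunk Enterprise Security's own search: it computes a
bytes baseline (mean and standard deviation) over constructed traffic events,
flags events above the chosen Standard Deviation Index, builds per-source
details (count, min/max/avg bytes, Z) and reports the share of events a given
index filters out.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed traffic events: (src_ip, dest_ip, bytes). Eighteen ordinary
# connections of 1000 or 1400 bytes, two very large transfers from 10.0.0.5
# and one mildly large transfer from 10.0.0.9.
SAMPLE_TRAFFIC = (
    [("10.0.0.%d" % (i % 4 + 1), "192.0.2.10", 1000 if i % 2 else 1400) for i in range(18)]
    + [("10.0.0.5", "198.51.100.9", 50000), ("10.0.0.5", "198.51.100.9", 70000),
       ("10.0.0.9", "192.0.2.10", 8000)]
)


def baseline(events):
    """Mean and population standard deviation of bytes over all events
    (population std dev is an assumption of this example)."""
    sizes = [b for _, _, b in events]
    return mean(sizes), pstdev(sizes)


def zscore(value, mu, sigma):
    """Number of standard deviations `value` lies above the mean."""
    return (value - mu) / sigma if sigma else 0.0


def anomalies(events, std_index=2.0):
    """Events whose bytes exceed the baseline by more than std_index
    standard deviations (2 is the dashboard's default index)."""
    mu, sigma = baseline(events)
    return [(src, dst, b, round(zscore(b, mu, sigma), 2))
            for src, dst, b in events if zscore(b, mu, sigma) > std_index]


def percent_filtered(events, std_index):
    """Share of events hidden when this index is selected, i.e. the events
    that are not above the threshold."""
    kept = len(anomalies(events, std_index))
    return round(100.0 * (len(events) - kept) / len(events), 2)


def details(events, std_index=2.0):
    """Per-source rows like the Traffic Size Details table: count of anomalous
    events, min/max/avg bytes, and Z of the average against the baseline."""
    mu, sigma = baseline(events)
    per_src = defaultdict(list)
    for src, _, b, _ in anomalies(events, std_index):
        per_src[src].append(b)
    return {src: {"count": len(bs), "min": min(bs), "max": max(bs),
                  "avg": mean(bs), "z": round(zscore(mean(bs), mu, sigma), 2)}
            for src, bs in per_src.items()}


if __name__ == "__main__":
    # With index 2 both large transfers from 10.0.0.5 are anomalous; with
    # index 3 only the 70000-byte transfer remains.
    for k in (2, 3):
        print("index", k, "filters out", percent_filtered(SAMPLE_TRAFFIC, k), "% of events")
        print(details(SAMPLE_TRAFFIC, k))
```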
DNS Activity
The DNS Activity dashboard displays an overview of data relevant to the DNS infrastructure being monitored. The
dashboard searches display results based on the time period selected using the dashboard time picker.
Dashboard Panels
Panel | Description
Key Indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Top Reply Codes By Unique Sources | Displays the top DNS Reply codes observed across hosts. A host initiating a large number of DNS queries to unknown or unavailable domains will report a large number of DNS lookup failures with some successes. That pattern of DNS queries may represent an exfiltration attempt or suspicious activity. The drilldown opens the DNS Search dashboard and searches on the selected Reply Code.
Top DNS Query Sources | Displays the top DNS query sources on the network. A host sending a large amount of DNS queries may be improperly configured, experiencing technical issues, or represent suspicious activity. The drilldown opens the DNS Search dashboard and searches on the selected source IP address.
Top DNS Queries | Displays the top 10 DNS QUERY requests over time. The drilldown opens the DNS Search dashboard and searches on the queried host address.
Queries Per Domain | Displays the most common queries grouped by domain. An unfamiliar domain receiving a large number of queries from hosts on the network may represent an exfiltration attempt or suspicious activity. The drilldown opens the DNS Search dashboard and searches on the queried domain address.
Recent DNS Queries | Displays the 50 most recent DNS Response queries with added detail. The drilldown opens the DNS Search dashboard and searches on the selected queried address.
Data sources
The reports in the DNS dashboard use fields in the Network Resolution data model. Relevant data sources include all
devices or users generating DNS protocol traffic on the network captured from vulnerability scanners and packet analysis
tools such as Splunk Stream and the Bro network security monitor.
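The Top Reply Codes By Unique Sources and Queries Per Domain roll-ups, plus a per-source score for the lookup-failure pattern the panel description calls out, computed in Python over constructed DNS records as an added example (not a Splunk search or ES code). The failure thresholds, the set of codes counted as failures, and the two-label domain grouping are this example's assumptions.

```python
"""Summaries behind the DNS Activity panels, over constructed records.

Reproduces the Top Reply Codes By Unique Sources and Queries Per Domain
roll-ups and scores each source for the lookup-failure pattern the panel
description calls out (many failures, some successes). Added example.
"""
from collections import Counter, defaultdict

# Constructed DNS resolution records (src, query, reply_code); not real traffic.
SAMPLE_DNS = [
    ("10.2.0.11", "www.example.com", "NOERROR"),
    ("10.2.0.11", "mail.example.com", "NOERROR"),
    ("10.2.0.12", "www.example.com", "NOERROR"),
    ("10.2.0.12", "updates.example.net", "NOERROR"),
    ("10.2.0.13", "typo.exampel.com", "NXDOMAIN"),
    ("10.2.0.13", "www.example.com", "NOERROR"),
    # One host resolving many unique names that mostly fail, with a few
    # successes: the pattern the Top Reply Codes panel description flags.
    ("10.2.0.50", "q1a9.dl.bad-example.test", "NXDOMAIN"),
    ("10.2.0.50", "q2b8.dl.bad-example.test", "NXDOMAIN"),
    ("10.2.0.50", "q3c7.dl.bad-example.test", "NXDOMAIN"),
    ("10.2.0.50", "q4d6.dl.bad-example.test", "NXDOMAIN"),
    ("10.2.0.50", "q5e5.dl.bad-example.test", "SERVFAIL"),
    ("10.2.0.50", "www.example.com", "NOERROR"),
]

# Reply codes treated as lookup failures (assumption for this example).
FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def reply_codes_by_unique_sources(records):
    """Top Reply Codes By Unique Sources: (reply_code, distinct sources), descending."""
    sources = defaultdict(set)
    for src, _query, code in records:
        sources[code].add(src)
    return sorted(((code, len(s)) for code, s in sources.items()),
                  key=lambda item: (-item[1], item[0]))


def registered_domain(query):
    """Collapse a query name to its last two labels (a simplification; ES uses
    its own domain parsing)."""
    return ".".join(query.lower().rstrip(".").split(".")[-2:])


def queries_per_domain(records):
    """Queries Per Domain: (domain, query count), most queried first."""
    counts = Counter(registered_domain(q) for _src, q, _code in records)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def failure_pattern_by_source(records, min_queries=5, min_failure_ratio=0.6):
    """Per-source lookup failures, flagging hosts whose failure ratio is high.

    min_queries and min_failure_ratio are example thresholds, not ES settings.
    """
    per_src = defaultdict(lambda: {"queries": 0, "failures": 0, "domains": set()})
    for src, query, code in records:
        row = per_src[src]
        row["queries"] += 1
        row["domains"].add(query)
        if code in FAILURE_CODES:
            row["failures"] += 1
    report = {}
    for src, row in per_src.items():
        ratio = row["failures"] / row["queries"]
        report[src] = {
            "queries": row["queries"],
            "failures": row["failures"],
            "unique_domains": len(row["domains"]),
            "failure_ratio": round(ratio, 2),
            "suspicious": row["queries"] >= min_queries and ratio >= min_failure_ratio,
        }
    return report


if __name__ == "__main__":
    for code, n in reply_codes_by_unique_sources(SAMPLE_DNS):
        print(f"{code:<9} unique sources: {n}")
    for domain, n in queries_per_domain(SAMPLE_DNS):
        print(f"{domain:<22} queries: {n}")
    for src, row in failure_pattern_by_source(SAMPLE_DNS).items():
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{src:<10} {row['failures']}/{row['queries']} failed, "
              f"{row['unique_domains']} unique names: {flag}")
```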
DNS Search
The DNS Search dashboard assists in searching DNS protocol data, refined by the search filters. The dashboard is used
in ad-hoc searching of DNS data, but is also the primary destination for drilldown searches in the DNS dashboard panels.
The DNS Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or
time range and click Submit.
Filter by | Description
Source | Source IP address
Reply Code | DNS Reply type: All, All Errors, and a list of common Reply Codes
SSL Activity
The SSL Activity dashboard displays an overview of the traffic and connections that use SSL. As an analyst, you can use
these dashboards to view and review SSL encrypted traffic by usage, without decrypting the payload. The dashboard
searches display results based on the time period selected using the dashboard time picker.
Dashboard Panels
Panel | Description
Key Indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
SSL Activity By Common Name | Displays outbound SSL connections by common name (CN) of the SSL certificate used. An unfamiliar domain receiving a large number of SSL connections from hosts on the network may represent unusual or suspicious activity. The drilldown redirects the page to the SSL Search dashboard, and searches on the selected common name.
SSL Cloud Sessions | Displays the count of active sessions by CN that represents a known cloud service. The CN is compared to a list of cloud service domains pre-configured in the Cloud Domains lookup file. For more information about editing lookups in ES, see Create and manage lookups in Splunk Enterprise Security in Administer Splunk Enterprise Security. The drilldown opens the SSL Search dashboard and searches on the selected source IP and common name.
Recent SSL Sessions | Displays the 50 most recent SSL sessions in a table with additional information about the SSL key. The fields ssl_end_time, ssl_validity_window, and ssl_is_valid use color-coded text for fast identification of expired, short-lived, or invalid certificates. The drilldown redirects the page to the SSL Search dashboard and displays the full details of the selected event.
Data sources
The reports in the SSL Activity dashboard use fields in the Certificates data model. Relevant data sources include all
devices or users generating SSL protocol traffic on the network captured from vulnerability scanners and packet analysis
tools such as Splunk Stream and the Bro network security monitor.
SSL Search
The SSL Search dashboard assists in searching SSL protocol data, refined by the search filters. The dashboard is used in
ad-hoc searching of SSL protocol data, but is also the primary destination for drilldown searches in the SSL Activity
dashboard panels.
The SSL Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or
time range and click Submit.
Filter by | Description
Source | Source IP address.
Subject/Issuer Common Name | Common name retrieved from the X.509 certificate Subject or Issuer fields.
Email Activity
The Email Activity dashboard displays an overview of data relevant to the email infrastructure being monitored. The
dashboard searches display results based on the time period selected using the dashboard time picker.
Dashboard Panels
Panel | Description
Key Indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Top Email Sources | Displays the hosts generating the most email protocol traffic. A host sending excessive amounts of email on the network may represent unusual or suspicious activity. Periodicity displayed across hosts viewed on the sparklines may be an indicator of a scripted action. The drilldown opens the Email Search dashboard and searches on the selected source IP.
Large Emails | Displays the hosts sending emails larger than 2MB. A host that repeatedly sends large emails may represent suspicious activity or data exfiltration. The drilldown opens the Email Search dashboard and searches on the selected source IP.
Rarely Seen Senders | Displays Sender email addresses that infrequently send email. An address that represents a service account or non-user sending email may indicate suspicious activity or a phishing attempt. The drilldown opens the Email Search dashboard and searches on the selected Sender.
Rarely Seen Receivers | Displays Receiver email addresses that infrequently receive email. An address that represents a service account or non-user receiving email may indicate suspicious activity or a phishing attempt. The drilldown opens the Email Search dashboard and searches on the selected Recipient.
Data sources
The reports in the Email dashboard use fields in the Email data model. Relevant data sources include all the devices or
users generating email protocol traffic on the network captured from vulnerability scanners and packet analysis tools such
as Splunk Stream and the Bro network security monitor.
Email Search
The Email Search dashboard assists in searching email protocol data, refined by the search filters. The dashboard is used
in ad-hoc searching of email protocol data, but is also the primary destination for drilldown searches used in the Email
Activity dashboard panels.
The Email Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or
time range and click Submit.
Filter by | Description
Email Protocol | The email communication protocol.
The Protocol Intelligence dashboards use packet capture data from apps such as Splunk Stream and the Splunk Add-on
for Bro IDS. Without applicable data, the dashboards remain empty. For an overview of Splunk Stream Integration with
ES, see Splunk Stream integration in the Enterprise Security Installation and Upgrade Manual. See Troubleshoot
dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
The Threat Activity dashboard provides information on threat activity by matching threat intelligence source content to
events in Splunk Enterprise.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key
security indicators.
Filter by | Description
Threat Group | A named group or entity representing a known threat, such as a malware domain.
Threat Category | A category of threat, such as advanced persistent threat, financial threat, or backdoor.
Search | Used for searching on a value related to fields: Destination, Sourcetype, Source, Threat Collection, Threat Collection Key, Threat Key, Threat Match Field, and Threat Match Value.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information, and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Threat Activity Over Time | Displays the count of events by all threat collections over the selected time. The drilldown opens a search with the selected threat collection and scoped to the selected time frame. To review the threat collections, see Supported types of threat intelligence in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Most Active Threat Collections | Displays the top threat collections by event matches over the selected time, with a sparkline representing peak event matches. The drilldown opens a search with the selected threat collection.
Most Active Threat Sources | Displays the top threat sources over the selected time by event count matches. The drilldown opens a search with the selected threat source.
Threat Activity Details | Displays a breakout of the most recent threat matches. Use the event selection box Threat Activity Details with the Advanced Filter option to:
• Whitelist by threat_match_value to remove matches.
• Highlight specific threat_match_value matches and place them at the top of the table.
Data sources
The reports in the Threat Activity dashboard use fields in the Threat_Intelligence data model. Relevant data sources
include threat source event matches in the threat_activity index along with the associated threat artifacts. See
Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Threat Artifacts
The Threat Artifacts dashboard provides a single location to explore and review threat content sourced from all
configured threat download sources. It provides additional context by showing all threat artifacts related to a
user-specified threat source or artifact.
The dashboard offers multiple selection filters and tabs to isolate the threat content.
Begin by changing the Threat Artifact to select from available threat artifact types.
Filter by | Description
Threat Artifact | A collection of objects grouped by the threat collection, such as network, file, and service. Other available filters will change depending on your selection.
Network | IP, Domain, HTTP. Select from Referrer, User Agent, Cookie, Header, Data, or URL and add a string to search.
File | File Name, File Extension, File Path, and File Hash
Registry | Hive, Path, Key Name, Value Name, Value Type, and Value Text
Service | Name, Descriptive Name, Description, and Type
User | User, Full Name, Group Name, and Description
Process | Process, Process Arguments, Handle Names, and Handle Type
Certificate | Serial Number, Subject, Issuer, Validity Not After, and Validity Not Before
Email | Address, Subject, and Body
Use the tabs to review threat source context:
Tab | Panels
Threat Overview | Endpoint Artifacts, Network Artifacts, Email Artifacts, Certificate Artifacts
Network | HTTP Intelligence, IP Intelligence, Domain Intelligence
Endpoint | File Intelligence, Registry Intelligence, Process Intelligence, Service Intelligence, User Intelligence
The Threat Artifacts dashboard references fields in the threat collection KVStore. Relevant data sources include threat
sources such as STIX and OpenIOC documents.
Troubleshooting
This dashboard references data from the Threat Intelligence KVStore collections. Without the applicable data, the
dashboard panels will remain empty. To determine why data is not displaying in the dashboard, follow these
troubleshooting steps.
1. Confirm that the inputs are properly configured in the Threat Intelligence Downloads and Threat Intelligence
Manager pages. Those inputs are responsible for ingesting data from the threat sources and placing it into the
KVStore collections.
2. Use the Threat Intelligence Audit dashboard panel Threat Intelligence Audit Events to review log entries created
by the modular inputs.
For more, see Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
The HTTP Category Analysis dashboard looks at categories of traffic data. Any traffic data, such as firewall, router,
switch, or network flows, can be summarized and viewed in this dashboard.
• Compare statistical data to identify traffic outliers, or traffic different from what is typically found in your
environment.
• Look for category counts that fall outside of the norm (small or large) that may indicate a possible threat.
• Find low volume traffic activity and drill down from the summarized data to investigate events.
• Use sparklines to identify suspicious patterns of activity by category.
Use the "Show only unknown categories" filter on the HTTP Category Analysis dashboard to filter and view unknown
categories of web traffic.
Before you can filter unknown traffic, define which categories are unknown.
3. Select an App context of DA-ESS-NetworkProtection or a related network add-on, such as TA-websense.
4. Click New.
5. Type a Tag name of unknown.
6. Type a Field-value pair to define as unknown traffic.
For example, category=undetected.
7. Click Save.
Dashboard filters
Filter by | Description
Time Range | Select the time range to represent.
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See Configure per-panel filtering in Splunk Enterprise Security in Administer Splunk Enterprise Security for information.
Dashboard panels
Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature.
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Category Distribution | Displays category counts as a scatter plot, with count as the x-axis and src_count as the y-axis. The chart updates when you change filters or the time range. Hover over an item to see details.
Category Details | Displays details of the HTTP categories, including a sparkline that represents the activity for that HTTP category over the last 24 hours.
Use the HTTP User Agent Analysis dashboard to investigate user agent strings in your proxy data and determine if there
is a possible threat to your environment.
• A bad user agent string, where the browser name is misspelled (like Mozzila) or the version number is completely
wrong (v666), can indicate an attacker or threat.
• Long user agent strings are often an indicator of malicious access.
• User agent strings that fall outside of the normal size (small or large) may indicate a possible threat that should be
looked at and evaluated.
The Advanced Filter can be used to include or exclude specific user agents. Use the statistical information to visually
identify outliers. In the summarized data, you can evaluate user agents for command and control (C&C) activity, and find
unexpected HTTP communication activity.
Dashboard filters
The dashboard includes a number of filters that can help refine the user agent list.
Filter by | Description
Standard Deviation Index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer user agent strings, or choose a lower number of deviations to see a greater number of user agent strings.
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See Configure per-panel filtering in Splunk Enterprise Security in Administer Splunk Enterprise Security for information.
Dashboard panels
Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature.
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
User Agent Distribution | Displays user agent strings as a scatter plot, with length as the x-axis and count as the y-axis. The chart updates when you change the filters or the time range. Hover over an item to see details about the raw data.
User Agent Details | Displays details of the user agents in your environment, including the string value of the user agent and a sparkline that represents the activity for that user agent string over the last 24 hours.
The New Domain Analysis dashboard shows any new domains that appear in your environment. These domains can be
newly registered, or simply newly seen by ES. Panels display New Domain Activity events, New Domain Activity by Age,
New Domain Activity by Top Level Domain (TLD), and Registration Details for these domains.
Dashboard filters
The dashboard includes a number of filters to refine the list of domains displayed.
Filter by | Description
Domain | Enter the domain (Access, Endpoint, Network).
New Domain Type | Select Newly Registered or Newly Seen to filter the types of domains to be viewed.
Maximum Age (days) | The time range for the newly seen or newly registered domains. The default is 30 days.
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See Configure per-panel filtering in Splunk Enterprise Security in Administer Splunk Enterprise Security for information.
Dashboard panels
Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature.
The following table describes the panels for this dashboard.
Panel | Description
New Domain Activity | Table view of information about new domain activity.
New Domain Activity by Age | Scatter plot that displays Age as the x-axis and Count as the y-axis. Hover over a square for the exact age and number of new domains.
New Domain Activity by TLD (Top Level Domain) | A bar chart with Count as the x-axis and TLD as the y-axis. Hover over a bar for the current number of events for a top level domain.
Registration Details | A table view of information about new domain registrations. Click a domain in the table to open a search on that domain and view the raw events.
To see data in the New Domain Analysis dashboard, you must configure a connection to an external domain lookup data
source. You can use the example domain lookup data source provided in ES or you can use one of your choice. The
dashboard will only report whether or not a domain is newly seen until this modular input is configured and enabled.
The example uses the external domain source domaintools.com, which provides a paid API for WHOIS data.
Use the API information to set up a modular input in Splunk Enterprise Security.
1. From the ES menu bar, select Configure > Data Enrichment > WHOIS Management.
2. Click Enable next to whois_domaintools.
3. Click the name of the modular input to add the API hostname and username used to access the domaintools API.
4. Save the API credentials on the Credential Management view. See Manage input credentials in Splunk Enterprise
Security.
If you choose to use a different domain source, complete the following steps.
1. From the ES menu bar, select Configure > Data Enrichment > WHOIS Management.
2. Click New.
3. Enter the name of the modular input to add the API hostname and username used to access the API.
4. Save the API credentials on the Credential Management view. See Manage input credentials in Splunk Enterprise
Security.
5. Click Enable next to the name of the modular input you just created.
Until you enable the modular input, domains processed by the input will not be queued. This prevents the checkpoint
directory from filling up with files.
After enabling the modular input, enable the outputcheckpoint_whois macro to create checkpoint data.
1. Select Configure > General > General Settings.
2. Select Enable for the Domain Analysis setting to enable WHOIS tracking.
The modular input stores information in the whois_tracker.csv lookup file. After a file exists in the
$SPLUNK_HOME/var/lib/splunk/modinputs/whois directory, the whois index will begin to populate with data. After they are
processed, checkpoint files will be deleted.
• If you see 404 errors in the logs, this is normal behavior when querying domains that don't exist.
• If you see 400 errors in the logs returned from the domaintools API, this is normal behavior when querying
domains with invalid top level domains.
• If you don't see new events in the whois index, this might be normal behavior if the api_url uses HTTP:// when it
should use HTTPS://. You can use either HTTP:// or HTTPS:// in the URL. However, if you don't specify HTTP:// or
HTTPS://, then HTTP:// is prepended to the api_url by default.
The URL Length Analysis dashboard looks at any proxy or HTTP data that includes URL string information. Any traffic
data containing URL string or path information, such as firewall, router, switch, or network flows, can be summarized and
viewed in this dashboard.
Use the key indicators to compare each new URL and to identify outlier URL strings, ones that are different from what is
typically found in your environment. URLs that fall outside of the normal size (small or large) may indicate a possible
threat. Unusually long URL paths from unfamiliar sources and/or to unfamiliar destinations are often indicators of
malicious access and should be examined.
Dashboard filters
Use the filters to refine the URL length events represented on the dashboard.
Filter by | Description
Standard Deviation Index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer user agent strings, or choose a lower number of deviations to see a greater number of user agent strings.
Advanced Filter | Click to see the list of category events that can be filtered for this dashboard. See Configure per-panel filtering in Splunk Enterprise Security in Administer Splunk Enterprise Security for information.
Dashboard panels
Click chart elements or table rows to display raw events. See Drill down to raw events for more information on this feature.
The following table describes the panels for this dashboard.
Panel | Description
Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security in this manual.
URL Length Anomalies Over Time | The chart displays a count of URL length anomalies across time. It displays URL lengths greater than the number of standard deviations selected in the filter (2 by default) in a line graph with time as the x-axis and count as the y-axis.
URL Length Details | Table that displays the URL strings and details such as the full URI string. If there is more than one event from a source IP address, the count column shows how many events are seen. Z indicates the standard deviations for the URL length.
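The Standard Deviation Index, the Z column and the count column that both the HTTP User Agent Analysis and URL Length Analysis dashboards describe, implemented over constructed proxy events as an added example (not Splunk's own implementation). Grouping rows by source and string, and reading the filter percentage as the share of events within the threshold, are this example's assumptions; the same functions applied to (source, user agent) events give the User Agent Details rows.

```python
"""Standard-deviation outlier scoring for URL (or user agent) string lengths.

Builds the rows behind a Length Details table and the percentage shown next
to the Standard Deviation Index filter, over constructed proxy events.
Added example; not Splunk's own implementation.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy events (src, url); not real traffic.
SAMPLE_EVENTS = [
    ("10.1.1.20", "http://intranet.example.com/home/index.html"),
    ("10.1.1.20", "http://intranet.example.com/home/index.html"),
    ("10.1.1.21", "http://intranet.example.com/mail/inbox"),
    ("10.1.1.22", "http://www.example.org/news/today.html"),
    ("10.1.1.23", "http://cdn.example.net/assets/app.js"),
    ("10.1.1.24", "http://www.example.org/search?q=printer"),
    ("10.1.1.25", "http://intranet.example.com/hr/policies.pdf"),
    ("10.1.1.26", "http://www.example.org/about"),
    ("10.1.1.27", "http://cdn.example.net/assets/style.css"),
    # One unusually long path to an unfamiliar destination, the kind of URL
    # the dashboard text says should be examined (constructed, 360 filler chars).
    ("10.1.1.99", "http://198.51.100.7/u/" + "A" * 360),
]


def length_stats(values):
    """Population mean and standard deviation of the measured lengths."""
    return mean(values), pstdev(values)


def z_score(value, mu, sigma):
    """Standard deviations from the mean; 0 when every value is identical."""
    return 0.0 if sigma == 0 else (value - mu) / sigma


def length_details(events, std_index=2.0, measure=len):
    """Rows of a Length Details table: source, string, count, Z and anomaly flag.

    Rows are grouped by (source, string) so the count column shows how many
    identical events a source produced (grouping is this example's assumption).
    The same call over (source, user_agent) events yields User Agent Details.
    """
    mu, sigma = length_stats([measure(s) for _src, s in events])
    counts = defaultdict(int)
    for src, s in events:
        counts[(src, s)] += 1
    rows = []
    for (src, s), count in counts.items():
        z = z_score(measure(s), mu, sigma)
        rows.append({"src": src, "value": s, "length": measure(s), "count": count,
                     "z": round(z, 2), "anomaly": z > std_index})
    rows.sort(key=lambda r: r["z"], reverse=True)
    return rows


def percent_filtered(events, std_index, measure=len):
    """Share of events hidden when only rows above std_index deviations are shown.

    Mirrors the percentage displayed beside the Standard Deviation Index
    filter; reading it as "events within the threshold" is an assumption here.
    """
    mu, sigma = length_stats([measure(s) for _src, s in events])
    hidden = sum(1 for _src, s in events if z_score(measure(s), mu, sigma) <= std_index)
    return 100.0 * hidden / len(events)


if __name__ == "__main__":
    print(f"{percent_filtered(SAMPLE_EVENTS, 2.0):.0f}% of events hidden at 2 std devs")
    for row in length_details(SAMPLE_EVENTS, std_index=2.0):
        flag = "ANOMALY" if row["anomaly"] else ""
        print(f"{row['src']:<10} len={row['length']:<4} count={row['count']} "
              f"Z={row['z']:+.2f} {flag} {row['value'][:40]}")
```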
Included Add-ons
• Send threats and anomalies from Splunk UBA to Splunk Enterprise Security to adjust risk scores and create
notable events.
• Send correlation search results from Splunk Enterprise Security to Splunk UBA to be processed for anomalies.
• Retrieve user and device association data from Splunk UBA to view it in Splunk Enterprise Security. Identify user
accounts and devices associated with devices during specific sessions, and devices associated with users during
specific sessions.
In Enterprise Security, you can see data from Splunk UBA in several places.
See Integrate Splunk Enterprise Security and Splunk UBA with the Splunk add-on for Splunk UBA in the Send and
Receive Data from the Splunk Platform manual.
Threats sent from Splunk UBA to Splunk Enterprise Security appear as notable events on the Incident Review and
Security Posture dashboards. You can see the count of notable events created from threats on the Security Posture
dashboard as a Key Security Indicator (KSI).
On Incident Review, you can expand the event details to see the description, threat category, correlation search
referencing Splunk UBA, and more details. Use the workflow actions on the event to View Contributing Anomalies and
open the Threat Details page in Splunk UBA. See Threat Details in Use Splunk User Behavior Analytics.
You can use the UBA Anomalies dashboard to view anomalies from Splunk UBA in Enterprise Security and understand
anomalous activity in your environment. Select Security Intelligence > User Intelligence > UBA Anomalies to view the
dashboard.
• See how the count of various metrics have changed over the past 48 hours in your environment with the key
indicators. Review the count of UBA notables, UBA anomaly actors, UBA anomaly signatures, UBA anomalies
per threat, and the total count of UBA anomalies.
• Investigate spikes in anomalous activity and compare the number of actors with the number of anomalies over
time on the Anomalies Over Time panel.
• Identify the most common types of anomalous activity on the Most Active Signatures panel.
• Determine which users, devices, apps, and other actors are responsible for the most anomalous activity on the
Most Active Actors panel.
• See the latest anomalous activity on the Recent UBA Anomalies panel.
View an anomaly in Splunk UBA by clicking on a value on the dashboard to drill down to the search. Use the event
actions on a specific anomaly event to View Contributing Anomalies and open Splunk UBA to view the Anomaly
Details view. See Anomaly Details in Use Splunk User Behavior Analytics.
View threat and anomaly swim lanes on the Asset and Identity Investigator dashboards
You can use swim lanes on the Asset and Identity Investigator dashboards to correlate counts of UBA threats and
anomalies with other notable events in ES.
To see anomaly and threat information associated with each asset or identity that you search, add the UEBA Threats and
UBA Anomalies swim lanes to the Asset Investigator and Identity Investigator dashboards. See Edit the swim lanes.
View an anomaly in Splunk UBA by clicking the swim lane to open a search with additional details. Use the event actions
to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details or Threat Details. See Review
current threats for more.
Enterprise Security uses the risk score of anomalies and threats from Splunk UBA to modify risk for the assets and
identities associated with the threats and anomalies. The risk score modifier is 10 times the risk score of the anomaly or
threat in Splunk UBA.
For example:
1. Splunk UBA sends Enterprise Security an anomaly that applies to the host 10.11.12.123. The anomaly has a risk
score of 8.
2. Enterprise Security modifies the risk for the host 10.11.12.123 in response to the anomaly. A risk modifier of 10 *
UBA risk score results in a risk modifier of 80.
You can see the source of increased risk when analyzing risk scores on the Risk Analysis dashboard.
After you set up Enterprise Security and Splunk UBA, you can start sending correlation search results to Splunk UBA. You
can send correlation search results automatically, or you can send correlation search results in an ad-hoc manner by
sending notable events from the Incident Review dashboard.
Edit an existing correlation search or create a new correlation search to add a response action of Send to UBA to
automatically send correlation search results to Splunk UBA.
1. From the Enterprise Security menu bar, select Configure > Content > Content Management.
2. Click the name of a correlation search or click Create New to create a new correlation search.
3. Click Add New Response Action and select Send to UBA.
4. Type a Severity to set the score in Splunk UBA for an anomaly that might be created from the correlation search
result.
For example, type 7 to represent a high severity.
5. Save the correlation search.
Send correlation search results ad-hoc from Incident Review
Send notable events created by correlation search results to Splunk UBA in an ad-hoc manner from the Incident Review
dashboard.
1. On the Incident Review dashboard, locate the notable event that you want to send to Splunk UBA.
2. From the Actions column, select Run Adaptive Response Actions.
3. Click Add New Response Action and select Send to UBA.
4. (Optional) Type a Severity to set the score in Splunk UBA for the anomaly that might be created from the notable
event. The severity that you type takes precedence over the default severity of the notable event.
5. Click Run to run the response action and send the notable event details to Splunk UBA.
Only some correlation search results create anomalies in Splunk UBA. Splunk UBA parses the correlation search results
as external alarms, and correlation searches with a source, destination, or user in the results are most likely to produce
anomalies in Splunk UBA. Not all correlation search results sent from Enterprise Security appear as anomalies in Splunk
UBA. Splunk UBA only creates anomalies for the correlation search results with relevant data, and ignores other
correlation search results.