Using Enterprise Security for security investigation and monitoring
The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For assistance with ES 8.x, Splunk Professional Services can help.
Identify and investigate security incidents
Use the Security Posture dashboard to monitor enterprise security status
- View a high-level overview of the notable events in your environment over the last 24 hours.
- Identify the security domains with the most incidents and the most recent activity.
- For more information on this dashboard, see Splunk Docs.
Use the Incident Review dashboard to investigate notable events
- View the details of all notable events identified in your environment.
- Triage, assign, and review the details of notable events from this dashboard.
- Create and save filters for more efficient future investigations.
- Assess incidents, visualize gaps, and understand the impact of different tactics and techniques with the MITRE ATT&CK framework.
For more information, see the following resources:
Accelerate your investigations with security intelligence
- Use the Risk Analysis dashboard to assess the risk scores of systems and users across your network and identify particularly risky devices and users posing a threat to your environment. This dashboard reduces false positive detection rates, accelerates the detection of sophisticated threats, and enhances SOC productivity. It generates alerts only when risk and behavior thresholds are exceeded.
- Use the Protocol intelligence dashboard to provide network insights that are relevant to your security investigations. Identify suspicious traffic, DNS activity, email activity, and review the connections and protocols in use in your network traffic.
- Use the Threat intelligence dashboard to provide context to your security incidents and identify known malicious actors in your environment. Use the threat intelligence sources included in Splunk Enterprise Security and custom sources that you configure.
- User activity dashboards allow you to investigate and monitor the activity of users and assets in your environment.
- Web intelligence dashboards help you analyze web traffic in your network and identify notable HTTP categories, user agents, new domains, and long URLs.
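The Risk Analysis item above states that alerts are generated only when risk and behavior thresholds are exceeded, and the Incident Review item mentions mapping activity to MITRE ATT&CK tactics and techniques. The search below is an added illustration of how such a risk-threshold search is shaped; it is not taken from this page, from Splunk's documentation, or from the correlation searches shipped with ES. It reads the ES Risk data model (`Risk.All_Risk` and its `All_Risk.*` fields, which exist in ES), sums the risk scores attributed to each risk object over the last 24 hours, counts the distinct ATT&CK tactics and the distinct contributing detections, and keeps only objects that cross the thresholds. The threshold values (a summed score above 100 and at least three tactics), the time window, and the output field aliases (`risk_score`, `tactic_count`, `source_count`, `techniques`, `contributing_searches`) are assumptions chosen for this example and should be tuned to your environment.

```spl
| tstats summariesonly=false allow_old_summaries=true
    sum(All_Risk.calculated_risk_score) as risk_score
    count as risk_event_count
    dc(source) as source_count
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic_count
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactics
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as techniques
    values(source) as contributing_searches
    from datamodel=Risk.All_Risk
    where earliest=-24h latest=now
    by All_Risk.risk_object All_Risk.risk_object_type
| rename All_Risk.* as *
| where risk_score > 100 AND tactic_count >= 3
| sort - risk_score
```

Run it from the Search page first and inspect the `tactics`, `techniques`, and `contributing_searches` columns: the combination of a high summed score with several distinct tactics is what separates a genuinely suspicious user or host from one that merely tripped a single noisy detection many times, which is the false-positive reduction the Risk Analysis dashboard description refers to. Only once the thresholds produce a manageable volume should a search of this shape be saved as a correlation search that creates notable events, so that Incident Review receives risk-based notables rather than every individual risk event.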
Monitor security domain activity
- Access domain dashboards display authentication and access-related data, such as login attempts, access control events, and default account activity.
- View endpoint domain dashboards for endpoint data relating to malware infections, patch history, system configurations, and time synchronization information.
- View network domain dashboards for network traffic data provided by devices such as firewalls, routers, network intrusion detection systems, network vulnerability scanners, proxy servers, and hosts.
- Identity domain dashboards display data from your asset and identity lists, as well as the types of sessions in use.
Additional resources
- Tech Talks: Remediate threats faster and simplify investigations with Splunk Enterprise Security 7.2
- Blog: Detect faster, rapidly scope an incident, and streamline security workflows with Splunk Enterprise Security 7.1
- Blog: Top 5 incident response metrics with real-world examples and impact
- Docs: Overview of incident review in Splunk Enterprise Security
- Docs: Security posture dashboard
- Docs: Introduction to the dashboards available in Splunk Enterprise Security