Splunk Lantern

Comparing security domain dashboards in Enterprise Security

 

Your organization has just experienced a security breach. You have Splunk Enterprise Security and know that you can use the security domain dashboards to:

  • Drill down into root causes of notable events
  • Examine log and stream data in depth
  • Examine events related to an asset or identity 
  • Evaluate the status of security-related events

You need a quick overview of the purpose of each security domain dashboard to know where to start your forensic investigation.

Solution 

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

Access the Security Domain dashboards from the Security Domains menu or the field Action menu in Incident Review search results. Then select from the following based on your needs.

  • Access. Use this for information about authentication attempts and access control related events (login, access allowed, access failure). You can use the tools on this dashboard to research:
    • Brute force attacks
    • Privileged account misuse
    • Access by rare or new accounts
    • Access by expired or disabled accounts
    • Access by unusual applications (for example, SSH or VNC)
  • Endpoint. Use this for information about malware infections, system configuration, system state, patch status and history, registry changes, running processes and services, and time synchronization. The endpoint domain watches over user systems such as:
    • Workstations, PCs, notebooks
    • Handheld devices
    • Point-of-sale systems
  • Network. Use this for information about network traffic such as port scanning, suspicious DNS activity, unusual ports being opened, vulnerabilities, and suspicious activity spotted by intrusion detection systems. The network domain watches over network devices and hosts such as:
    • Firewalls
    • Routers
    • Network-based intrusion detection systems
    • Hosts
  • Identity. Use this to examine data about the assets and identities defined in Splunk Enterprise Security so you can troubleshoot the network sessions by device or user. You can view them by:
    • Priority level
    • Business unit
    • Category

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on using Splunk Enterprise Security. The hands-on labs in the course cover:

  • Security monitoring and incident investigation
  • Risk-based alerting
  • Assets and identities
  • Security domain dashboards
  • User intelligence
  • Web intelligence
  • Threat intelligence
  • Protocol intelligence

See the Splunk Education course catalog to read the details about this and other Splunk Enterprise Security courses, and to register.