Skip to main content
Lantern Home
 
 
Splunk Lantern

Comparing security domain dashboards in Enterprise Security

  1. Last updated
  2. Save as PDF

 

Your organization has just experienced a security breach. You have Splunk Enterprise Security and know that you can use the security domain dashboards to:

  • Drill down into root causes of notable events
  • Examine events related to an asset or identity 
  • Evaluate the status of security-related events

You need a quick overview of the purpose of each security domain dashboard to know where to start your forensic investigation.

Solution 

Access the Security Domain dashboards from the Security Domains menu or the field Action menu in Incident Review search results. Then select from the following based on your needs.

  • Access. Use this for information about authentication attempts and access control related events (login, access allowed, access failure). You can use the tools on this dashboard to research:
    • Brute force attacks
    • Privileged account misuse
    • Access by rare or new accounts
    • Access by expired or disabled accounts
    • Access by unusual applications (for example, SSH or VNC)
  • EndpointUse this for information about malware infections, system configuration, system state, patch status and history, and time synchronization. The endpoint domain watches over user systems such as:
    • Workstations, PCs, notebooks
    • Handheld devices
    • Point-of-sale systems
  • Network. Use this for information about network traffic such as port scanning, suspicious DNS activity, unusual ports being opened, vulnerabilities, and suspicious activity spotted by the intrusion detection systems. The network domain watches over user systems such as:
    • Firewalls
    • Routers
    • Network-based intrusion detection systems
    • Hosts
  • Identity. Use this to examine data about the assets and identities defined in Splunk Enterprise Security so you can troubleshoot the network sessions by device or user. You can view them by:
    • Priority level
    • Business unit
    • Category

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on using Splunk Enterprise Security. The hands-on labs in the course will teach you how to:

  • Security monitoring and incident investigation
  • Risk-based alerting
  • Assets and identities
  • Security domain dashboards
  • User intelligence
  • Web intelligence
  • Threat intelligence
  • Protocol intelligence

Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.