Customizing Enterprise Security dashboards to improve security monitoring
While Splunk Enterprise Security provides powerful out-of-the-box functionality, it is also open and extensible, offering integrations that will deepen security context to improve your investigations. As you begin working in Splunk Enterprise Security, you'll start taking advantage of those, as well as other customizability options. By modifying defaults to suit your environment and issues, analysts can work more efficiently. This article describes five features you or your administrator should examine to ensure they are configured in the best way possible for your security monitoring needs.
Solution
| Feature | Description | Customization |
|---|---|---|
| Key indicators (KIs) on the security dashboard provide a view of notable event status over the last 24 hours. By default, KIs do not have a threshold set. |
In the upper-left corner of the KI display, click Edit. Then do any of the following:
|
|
| Urgency levels | As shown in the Incident Review dashboard, the urgency level for a notable event ranges from unknown to critical. This value is calculated based on the severity of the event and the priority of the associated asset or identity. | To edit the urgency level, go to Configure > Content > Content Management. Open the Urgency Levels lookup and make changes as needed. |
| Statuses | Statuses apply to both notable events and investigations. There are six default statuses, four of which can be edited. |
To edit statuses, go to Configure > Incident Management > Status Configuration. Click a status to edit it. You can:
On the main Status Configuration page, you can also click New to add a custom status. |
| Incident review |
The Incident Review dashboard displays notable events and their current status. Analysts can use the dashboard to gain insight into the severity of events occurring in their system or network. They can also triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads. |
To edit this dashboard, go to Configure > Incident Management > Incident Review Settings. Then change any of the following:
|
| Notable events |
A notable event represents one or more anomalous incidents detected by a correlation search across data sources. It includes custom metadata fields to assist in the investigation of the alert conditions and to track event remediation. |
You might want to create ad hoc notable events when there is an event in Splunk that has not been detected by a correlation search, but you think it
You might want to suppress notable events from appearing in the Incident Review dashboard when you think the related assets have been misconfigured, or there is otherwise something that makes the notable event misleading.
|
Next steps
If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on administering Splunk Enterprise Security. The hands-on labs in the course will teach you how to:
- Examine how Splunk Enterprise Security functions, including data models, correlation searches, notable events, and dashboards
- Create custom correlation searches
- Customize the Investigation Workbench
- Learn how to install or upgrade Splunk Enterprise Security
- Learn the steps to setting up inputs using technology add-ons
- Fine tune Splunk Enterprise Security Global Settings
- Customize risk and configure threat intelligence
Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.