Splunk Lantern

Customizing Enterprise Security dashboards to improve security monitoring


While Splunk Enterprise Security provides powerful out-of-the-box functionality, it is also open and extensible, offering integrations that will deepen security context to improve your investigations. As you begin working in Splunk Enterprise Security, you'll start taking advantage of those, as well as other customizability options. By modifying defaults to suit your environment and issues, analysts can work more efficiently. This article describes five features you or your administrator should examine to ensure they are configured in the best way possible for your security monitoring needs.  

Solution 

For each feature, a description is followed by the steps to customize it.

Key indicators

Key indicators (KIs) on the security dashboard provide a view of notable event status over the last 24 hours. By default, KIs do not have a threshold set.

In the upper-left corner of the KI display, click Edit. Then do any of the following:

  • Add or remove KIs
  • Drag and drop KIs to rearrange them
  • Enter threshold values

Urgency levels

As shown in the Incident Review dashboard, the urgency level for a notable event ranges from unknown to critical. This value is calculated from the severity of the event and the priority of the associated asset or identity.

To edit the urgency level, go to Configure > Content > Content Management. Open the Urgency Levels lookup and make changes as needed.
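Because an edited Urgency Levels lookup drives the urgency shown on every notable, it is worth checking the file before uploading it. The following script is an added example, not Splunk's own code: it assumes the lookup is a CSV with priority, severity and urgency columns, and the sample rows below are constructed rather than the shipped default.

```python
import csv
import io

# Ordered scale shared by priority, severity and urgency, lowest to highest.
LEVELS = ["unknown", "informational", "low", "medium", "high", "critical"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample of an edited lookup; not the default that ships with ES.
SAMPLE_LOOKUP = """priority,severity,urgency
low,low,low
low,medium,low
low,high,medium
low,critical,high
medium,low,low
medium,medium,medium
medium,high,high
medium,critical,critical
high,low,medium
high,medium,high
high,high,critical
high,critical,critical
"""

def load_lookup(text):
    """Parse lookup CSV text into {(priority, severity): urgency}, lower-cased."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["priority"].strip().lower(), row["severity"].strip().lower())
        table[key] = row["urgency"].strip().lower()
    return table

def check_lookup(table, priorities, severities):
    """Return a list of problems; an empty list means the lookup passes."""
    problems = []
    # 1. Every priority/severity pair must map to a known urgency level.
    for p in priorities:
        for s in severities:
            u = table.get((p, s))
            if u is None:
                problems.append(f"missing row: priority={p} severity={s}")
            elif u not in RANK:
                problems.append(f"bad urgency {u!r}: priority={p} severity={s}")
    # 2. Raising priority or severity must never lower the resulting urgency.
    ranked = {k: v for k, v in table.items() if v in RANK and k[0] in RANK and k[1] in RANK}
    for (p, s), u in ranked.items():
        for (p2, s2), u2 in ranked.items():
            if RANK[p2] >= RANK[p] and RANK[s2] >= RANK[s] and RANK[u2] < RANK[u]:
                problems.append(f"urgency drops: ({p},{s})={u} but ({p2},{s2})={u2}")
    return problems
```

Run `check_lookup(load_lookup(text), LEVELS[2:5], LEVELS[2:])` against your exported lookup; any string in the returned list is a row to fix before uploading.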
Statuses

Statuses apply to both notable events and investigations. There are six default statuses, four of which can be edited.

To edit statuses, go to Configure > Incident Management > Status Configuration. Click a status to edit it. You can:

  • Change the name or description
  • Designate a new Default or End status
  • Select which user roles can transition certain statuses

On the main Status Configuration page, you can also click New to add a custom status.

Incident review

The Incident Review dashboard displays notable events and their current status. Analysts can use the dashboard to gain insight into the severity of events occurring in their system or network. They can also triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads.

To edit this dashboard, go to Configure > Incident Management > Incident Review Settings. Then change any of the following:

  • Allow Overriding of Urgency. Allow analysts to change notable urgency.
  • Comments. Change from the default off to required and set a minimum length.
  • Default Time Range. Change from the default of the last 24 hours.
  • Table Attributes. Add, remove, or reorder columns in Incident Review.
  • Event Attributes. Add or remove fields that display in notable event details in Incident Review.

Notable events

A notable event represents one or more anomalous incidents detected by a correlation search across data sources. It includes custom metadata fields to assist in the investigation of the alert conditions and to track event remediation.

You might want to create ad hoc notable events when there is an event in Splunk Enterprise Security that has not been detected by a correlation search, but you think it should be investigated. To do so:

  1. From a Splunk search, expand an event.
  2. Select Event Actions.
  3. Select Create notable event.
  4. Enter the desired data for the notable event.
  5. Click Save.

You might want to suppress notable events from appearing in the Incident Review dashboard when the related assets have been misconfigured, or something else makes the notable event misleading. To do so:

  1. From the action menu for a notable event, click Suppress Notable Events.
  2. Enter a Suppression Name.
  3. Complete the optional fields if applicable.
  4. Click Save.

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on administering Splunk Enterprise Security. The hands-on labs in the course will teach you how to:

  • Examine how Splunk Enterprise Security functions, including data models, correlation searches, notable events, and dashboards
  • Create custom correlation searches
  • Customize the Investigation Workbench
  • Learn how to install or upgrade Splunk Enterprise Security
  • Learn the steps to setting up inputs using technology add-ons
  • Fine tune Splunk Enterprise Security Global Settings
  • Customize risk and configure threat intelligence

See the Splunk Education course catalog for details about this and other Splunk Enterprise Security courses, and to register.