Prescriptive Adoption Motion - Visualizations and reports
Splunk Enterprise Security includes a number of built-in dashboards that provide real-time visibility into security events and help security analysts identify and respond to security threats. Here are some of the key built-in dashboards:
- Incident Review. View a summary of all security incidents and allows analysts to drill down into individual incidents to investigate and respond to security threats.
- Asset Investigator. See a comprehensive view of all assets in your IT infrastructure, including hosts, applications, and users, and investigate asset-related security incidents.
- Threat Activity. Get a real-time view of threat activity across your IT infrastructure, allowing you to identify potential threats and respond to them quickly.
- Endpoint. View endpoint activity across your IT infrastructure, including activity related to malware infections and other security threats.
- Network. See network activity across your IT infrastructure, including activity related to network intrusion attempts and data exfiltration.
- Identity. Access user and identity-related activity across your IT infrastructure.
- Risk Analysis. Understand the risk associated with different assets in your IT infrastructure, allowing you to prioritize your security efforts based on the level of risk.
- Compliance. Assess your compliance posture, allowing you to monitor compliance with regulatory standards and best practices.
- Investigative. Access a flexible workspace for analysts to explore and investigate security events and incidents.
Splunk Enterprise Security provides a number of benefits in terms of visualizations and reports that can help organizations detect and respond to security threats more effectively.
Some of the key benefits are:
- Real-time visibility. See security events in real-time through interactive dashboards and visualizations. This enables you to quickly detect anomalies, investigate incidents, and respond to threats as they happen.
- Actionable insights. The visualizations and reports in Splunk Enterprise Security provide actionable insights into security events, allowing security analysts to identify patterns and trends that may indicate a potential security breach.
- Customizable reports. Splunk Enterprise Security comes with a range of built-in reports that cover a variety of security use cases, but you can also customize these reports to meet your specific needs. This can help you get a more accurate and comprehensive view of your security posture.
- Compliance reporting. Splunk Enterprise Security provides built-in compliance reporting capabilities, allowing you to easily generate reports that demonstrate compliance with regulatory requirements such as PCI DSS, HIPAA, and GDPR.
- Integration with third-party tools. Splunk Enterprise Security integrates with a wide range of third-party tools, including threat intelligence feeds, vulnerability scanners, and incident response platforms. These integrations allow you to correlate security events across multiple data sources, and respond to threats more quickly and effectively.
Aim and strategy
You can use visualizations and reports to quickly assess your security posture and SOC operations. This gives your teams and executives real-time insights into environmental security and how incidents are being triaged and processed. Having easy access to this high-level roll-up of information allows for quick action and reporting, and keeps the key stakeholders informed at all times.
Common use cases
Overall number of security events trend
- Mean time to triage
- Mean time to resolution
- Top infected hosts
- Overall threat activity
- Investigations created
User roles
| Role | Responsibilities |
|---|---|
|
Lead Security Analyst |
Defines security use cases and analyst workflows, correlation searches, and content development strategy |
| SOC Analyst | Conducts investigations and incident triage |
| Splunk Admin |
Applies configuration changes and data onboarding |
| Information Security Management | Supplies operational insight and strategy |
Preparation
1. Prerequisites
- Data source onboarding. The data that is ingested directly feeds the ability to report and visualize the status of your security posture.
- CIM compliance. Improving the quality of the data and ensuring it aligns with how the dashboards and reports use it will ensures that you have the most accurate insights.
2. Recommended training
- Splunk EDU: Using Splunk Enterprise Security
- Splunk EDU: Administering Splunk Enterprise Security
3. Resources
- Professional Services
- On-Demand Services (ODS)
- Assigned Expert (AE)
- Self-Service
- Getting Started Guide: Setting up dashboards and reporting in ES
- Blog: Speeding detection, investigation, and response with Splunk for Security
Implementation guide
The built-in dashboards in Splunk Enterprise Security are automatically installed and configured when you install the Splunk Enterprise Security app. However, there are a few steps you can take to ensure that the dashboards are set up correctly and that you are getting the most out of them. Here are some general steps you can follow:
- Ensure that your data sources are configured correctly.The dashboards in Splunk Enterprise Security rely on data from your IT infrastructure, so it's important to make sure that your data sources are properly configured. This may include configuring data inputs from your network devices, servers, applications, and security tools.
- Configure the CIM. The Common Information Model (CIM) consists of data models that provide a standard way of organizing and categorizing data in Splunk Enterprise Security. It's important to make sure that your data sources are properly mapped to the CIM so that the dashboards can accurately reflect your security posture.
- Configure event types and tags. Event types and tags allow you to categorize your security events and make them easier to search and analyze in dashboards that display the data you need.
- Configure the correlation search. The correlation search is a key component of Splunk Enterprise Security that identifies potential security threats by correlating data from multiple sources. You can configure the correlation search to ensure that it captures the events and data that are relevant to your organization.
- Configure the notable event workflow. Notable events are security incidents that require investigation or response. You can configure the notable event workflow to ensure that your security team is alerted to notable events in a timely manner and that incidents are properly triaged and investigated.
Depending on your specific environment and requirements, you may need to take additional steps to ensure that the dashboards are set up correctly and that you get the most out of them.
For additional information, please refer to the documentation for the introduction to dashboards in ES and administering ES.
Success measurement
When implementing this guidance, you should see improvements in the following:
- Mean time to triage
- Mean time to resolution
- Insight into overall security posture