Dashboards & Visualizations

I do the reporting for Company X. How can I do that?

test_qweqwe
Builder

Hallo my little friends.
This question is kinda specific.
Where can I find Splunk report for random company? I understand, such in the open access is practically impossible to find. But maybe I'm wrong and there are reports (anonymized or not). Maybe some your insides 😄
I will be very grateful.

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

AHA! This really is a great question!

There's a couple of things you'll need for this. Here's what I'd suggest -

Determining what data to show:
You'll first want to do some googling to get some basic ideas about things that might be useful. Another good place to get ideas from would be to talk to a few folks who would be using the resultant dashboards or reports
- they'll have some ideas on what THEY want to see. Counts of whatever it is you decide are your critical events - maybe a timechart of intrusions blocked, viruses, possible exfiltration via DNS, touches to sites on threatlists, - whatever it is you are measuring or monitoring would be good candidates to display.

At this time these don't have to be perfect, they only need to be a reasonable place to start. These can be adjusted or changed later, and a feedback loop with a few choice users will help with this a lot.

Build the dashboard panels*
Since you have multiple companies, plan on having a drop-down input that will contain your companies so you can select which one you want to show at any time. Since you'll be doing that, your searches don't need to filter on company - just make them generic and we'll use the dashboard input to filter.

So, create a few searches - again perfection isn't necessary, just get something reasonable put into a dashboard. This involves one of the more fun parts. Start exploring the data you think you want to show. Change visualizations around but don't get too caught up in making them "perfect". Also resist making them too "pretty". I mean, pretty is good, but if they aren't useful no one will look at them. So donut charts aren't as readable as some other chart types, right? Look for simple clarity in presenting data. Timecharts are good, trending is great, single-value KPIs (with or without trendlines) are also great. Searching the internet for screenshots of Splunk Enterprise Security could be useful here to give you ideas.

Build some navigation/filtering using a drop-down input. This is probably the hardest thing to get right "technically" because it has to be right at the start. (Things like the actual dashboard panels just need to be placeholders to get you started that you can tweak later.)

Another good resource for this part will be the Dashboards and Visualizations section of the Documentation.

Get feedback and make it better
Here's the fun part! Get a few of your SOC people and "clients" helping you refine what is displaying. Once you have a working model, that will get them really thinking about what they need to display that will provide the information they need. The back and forth here will possibly lead to all sorts of things, but this is where you'll go from "A few lame dashboard panels" to "a useful and awesome view of the information they need". Because let's face it, this isn't for you, it's for the people reading the dashboard.

After that, you can export these for them or do other things with it, but getting the data on there is the first step.

Hope this helps!

View solution in original post

Richfez
SplunkTrust
SplunkTrust

AHA! This really is a great question!

There's a couple of things you'll need for this. Here's what I'd suggest -

Determining what data to show:
You'll first want to do some googling to get some basic ideas about things that might be useful. Another good place to get ideas from would be to talk to a few folks who would be using the resultant dashboards or reports
- they'll have some ideas on what THEY want to see. Counts of whatever it is you decide are your critical events - maybe a timechart of intrusions blocked, viruses, possible exfiltration via DNS, touches to sites on threatlists, - whatever it is you are measuring or monitoring would be good candidates to display.

At this time these don't have to be perfect, they only need to be a reasonable place to start. These can be adjusted or changed later, and a feedback loop with a few choice users will help with this a lot.

Build the dashboard panels*
Since you have multiple companies, plan on having a drop-down input that will contain your companies so you can select which one you want to show at any time. Since you'll be doing that, your searches don't need to filter on company - just make them generic and we'll use the dashboard input to filter.

So, create a few searches - again perfection isn't necessary, just get something reasonable put into a dashboard. This involves one of the more fun parts. Start exploring the data you think you want to show. Change visualizations around but don't get too caught up in making them "perfect". Also resist making them too "pretty". I mean, pretty is good, but if they aren't useful no one will look at them. So donut charts aren't as readable as some other chart types, right? Look for simple clarity in presenting data. Timecharts are good, trending is great, single-value KPIs (with or without trendlines) are also great. Searching the internet for screenshots of Splunk Enterprise Security could be useful here to give you ideas.

Build some navigation/filtering using a drop-down input. This is probably the hardest thing to get right "technically" because it has to be right at the start. (Things like the actual dashboard panels just need to be placeholders to get you started that you can tweak later.)

Another good resource for this part will be the Dashboards and Visualizations section of the Documentation.

Get feedback and make it better
Here's the fun part! Get a few of your SOC people and "clients" helping you refine what is displaying. Once you have a working model, that will get them really thinking about what they need to display that will provide the information they need. The back and forth here will possibly lead to all sorts of things, but this is where you'll go from "A few lame dashboard panels" to "a useful and awesome view of the information they need". Because let's face it, this isn't for you, it's for the people reading the dashboard.

After that, you can export these for them or do other things with it, but getting the data on there is the first step.

Hope this helps!

test_qweqwe
Builder

Oh thanks! I'll take it into consideration! )

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Thanks for clarifying your question @test_qweqwe, and awesome answers @rich7177!

0 Karma

test_qweqwe
Builder

@lfedak @rich7177
for example, I'm working in SOC team at Security Company X and I need to make report for Company X
about how we cool SOC team and how we monitoring by Splunk their critical/basic events
ideally, it should be dashboards, statistics, results

the main problem that I don't know how should look such report in the structure and I wanna see It in another company as examples xd Perhaps it should be divided into some sections, many clever words, which only a technical person will understand. I wanna look how another more professional people submit information

it's like when u making profile in Linked, you have 5 years experience, but you don't know how to describe beautifully what you are doing and what you can do. And you start looking for profiles of people with the same specialty as you have to look how they described themselves 😄

Richfez
SplunkTrust
SplunkTrust

Allow me to perhaps simplify @lfedak's questions.

What do you mean by "Splunk report" for "random company".

a) a report of if Splunk is used by some unnamed company X?
b) the dashboards/reports/searches some unnamed company X has at this time.
c) reports that may be from Splunk about company X?
d) I do the reporting for Company X. How can I do that?

Let me start with this:
Splunk is a little like Google the search engine, but ONLY for the data it can see. It's NOT Google in that each Splunk install has access to only that data that it has been set up to see (i.e. it can't see the entire internet). There's no "master" Splunk install that can report on random other places. But, it's worth saying that if you have the DATA from company X (legally, you'd likely have to be an employee or contractor that's supposed to see all that data), then ... well, then you'd be able to search on company X. But X isn't really random at that point, is it?

Specific answers
a) Ask your rep. They will be VERY VERY unlikely to be able to tell you.
b) Nope. Not going to happen.
c) Also not going to happen.
d) AHA! This is a MUCH more fun and useful question! It might be worth a different question, though!

lfedak_splunk
Splunk Employee
Splunk Employee

Hi @test_qwewe, are you looking for a customer brief sort of document? Can you link to the website of the company you're referencing and I can see if we have any assets on the website? If you explain what sort of content you're looking for we might also have other related content that can help you.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...