Splunk Enterprise Security

How to create a dashboard similar to Enterprise Security's Security Posture?

cmeyers
Explorer

In Enterprise Security, there is a Security Posture dashboard. This dashboard shows the count of notable events that have occurred in the logs. As a result, I have two questions:

1) How do you create the templates for what makes a notable event? I.e. an unknown user logs in, a notable event is created.
2) How do you show the count of events without having all the queries for each notable event run every time you view that dashboard?

I have a feeling the answer to question 1 will help me conceptualize the answer to question 2.
So if anyone can at least point me in the right direction, any help is much appreciated! Thank you!

0 Karma

jstoner_splunk
Splunk Employee

If you wanted to hack together something like this, you might generate an alert on a search result match, and that alert output might be something you could read back into Splunk into its own index. You could then create a dashboard with counts and schedule those searches to run at some interval.

smoir_splunk
Splunk Employee

Hello @cmeyers -- it sounds like you don't have ES, but you want to make a Security Posture dashboard lookalike in Splunk Enterprise, is that correct?
1) Security Posture knows what a notable event is because it's a particular kind of event created by a correlation search. All notable events are added to the notable index, so they are a bit cordoned off from regular events. See http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents for more on notable events.
2) You would run searches (ES uses Key Indicator searches to do this) that go get the counts of the notable events, rather than running the searches to generate the notable events themselves. http://docs.splunk.com/Documentation/ES/4.2.0/User/KeyIndicators

Someone else may have a better suggestion of how to mimic this behavior with alerts and searches in Splunk Enterprise.
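The two answers above describe the same pattern: a scheduled search that writes matches into a dedicated index (the ES notable index), and a separate, cheap search that only counts what is already in that index (the ES Key Indicator searches). The savedsearches.conf below is an added example of that pattern in plain Splunk Enterprise; it is not code from either answer or from ES itself. Everything in it is assumed for illustration: the app and stanza names, an `auth` index with sourcetype `linux_secure` carrying CIM-style `user`, `src` and `action` fields, a `known_users.csv` lookup with a `user` column, and a summary index `notable_lite` that has already been created on the indexers.

```ini
# Added example, not from the thread above: savedsearches.conf for a
# hypothetical app that mimics the ES notable/key-indicator split in
# plain Splunk Enterprise. All index, lookup, sourcetype and stanza
# names are assumptions; create the "notable_lite" index before use.

# 1) "Correlation search": runs every 5 minutes over the last 5 minutes,
#    finds the condition and writes each match as a key=value event into
#    its own index. "table" drops _raw, so collect writes the listed fields
#    instead of the original raw line; _time is kept by collect's addtime.
[Correlation - Unknown User Login]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
search = index=auth sourcetype=linux_secure action=success \
  | lookup known_users.csv user OUTPUT user AS known_user \
  | where isnull(known_user) \
  | eval rule_name="Unknown User Login", urgency="high" \
  | table _time user src rule_name urgency \
  | collect index=notable_lite

# 2) "Key indicator" search: counts the events in the notable index rather
#    than re-running the detection logic. A Simple XML panel can reference
#    it with <search ref="Posture - Notables by Rule"/>, so opening the
#    dashboard never re-executes the correlation search itself.
[Posture - Notables by Rule]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = index=notable_lite \
  | stats count AS notables by rule_name urgency \
  | sort -notables
```

Two practical notes. `collect` writes with sourcetype `stash` unless told otherwise, and `stash` events are not counted against the license; if you override the sourcetype, the summary events will be. And because the scheduled window and the cron interval are both 5 minutes, a search that starts late can miss or double-count events on the boundary, so for anything you rely on, widen the window slightly and `dedup` on a stable key (for example `_time user src`) in the key-indicator search.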
