Splunk Enterprise Security

How to create dashboard similar to Enterprise Security's Security Posture?

cmeyers
Explorer

In Enterprise Security, there is a Security Posture dashboard. This dashboard shows the count of notable events that have occurred in the logs. As a result, I have two questions:

1) How do you create the templates for what makes a notable event? I.e. unknown user logs in, notable event created.
2) How do you show the count of events without having all the queries for each notable event run every time you view that dashboard?

I have a feeling the answer to question 1 will help me conceptualize the answer to question 2.
So if anyone can at least point me in the right direction, any help is much appreciated! Thank you!


jstoner_splunk
Splunk Employee

If you wanted to hack together something like this, you might generate an alert on a search result match, and that alert output might be something you could read back into Splunk into its own index. You could then create a dashboard with counts and schedule those searches to run at some interval.

smoir_splunk
Splunk Employee

Hello @cmeyers -- it sounds like you don't have ES, but you want to make a Security Posture dashboard lookalike in Splunk Enterprise, is that correct?
1) Security Posture knows what a notable event is because it's a particular kind of event created by a correlation search. All notable events are added to the notable index, so they are a bit cordoned off from regular events. See http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents for more on notable events.
2) You would run searches (ES uses Key Indicator searches to do this) that go get the counts of the notable events, rather than running the searches to generate the notable events themselves. http://docs.splunk.com/Documentation/ES/4.2.0/User/KeyIndicators

Someone else may have a better suggestion of how to mimic this behavior with alerts and searches in Splunk Enterprise.
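The approach both answers describe (a scheduled detection search writes its matches into a dedicated index, and the dashboard only counts what is stored there) can be wired up in Splunk Enterprise with two .conf stanzas. This is an added example, not code from the thread or from Splunk's ES app; the index name `notable_custom`, the `known_users` lookup, the `auth` index and the `linux_secure` sourcetype are assumptions.

```conf
# indexes.conf (constructed example): a dedicated index for home-made notable
# events, mirroring how ES keeps notables cordoned off from raw events.
[notable_custom]
homePath   = $SPLUNK_DB/notable_custom/db
coldPath   = $SPLUNK_DB/notable_custom/colddb
thawedPath = $SPLUNK_DB/notable_custom/thaweddb

# savedsearches.conf (constructed example): a scheduled "correlation search" that
# flags successful logins by accounts absent from an assumed known_users lookup
# and stores one summary event per match, tagged with the rule that fired.
[Unknown User Login]
search = index=auth sourcetype=linux_secure action=success \
         | lookup known_users user OUTPUT user AS known_user \
         | where isnull(known_user) \
         | eval rule_name="Unknown User Login", urgency="medium" \
         | table _time, user, src, rule_name, urgency \
         | collect index=notable_custom
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# The dashboard panel then counts only the stored notables, which is cheap,
# instead of re-running every detection search each time it is opened:
#   index=notable_custom earliest=-24h | stats count BY rule_name, urgency
```

Each additional detection becomes another `[stanza]` writing into the same index with its own `rule_name`, so the panel query above never changes.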
