Splunk Enterprise Security

How to create dashboard similar to Enterprise Security's Security Posture?

cmeyers
Explorer

In Enterprise Security, there is a Security Posture dashboard. This dashboard shows the count of notable events that have occurred in the logs. As a result, I have two questions:

1) How do you create the templates for what makes a notable event? I.e. unknown user logs in, notable event created.
2) How do you show the count of events without having all the queries for each notable event run every time you view that dashboard?

I have a feeling the answer to question 1 will help me conceptualize the answer to question 2.
So if anyone can at least point me in the right direction, any help is much appreciated! Thank you!


jstoner_splunk
Splunk Employee

If you wanted to hack together something like this, you might generate an alert on a search result match, and that alert output might be something you could read back into Splunk into its own index. You could then create a dashboard with counts and schedule those searches to run at some interval.

smoir_splunk
Splunk Employee

Hello @cmeyers -- it sounds like you don't have ES, but you want to make a Security Posture dashboard lookalike in Splunk Enterprise, is that correct?
1) Security Posture knows what a notable event is because it's a particular kind of event created by a correlation search. All notable events are added to the notable index, so they are a bit cordoned off from regular events. See http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents for more on notable events.
2) You would run searches (ES uses Key Indicator searches to do this) that go get the counts of the notable events, rather than running the searches to generate the notable events themselves. http://docs.splunk.com/Documentation/ES/4.2.0/User/KeyIndicators

Someone else may have a better suggestion of how to mimic this behavior with alerts and searches in Splunk Enterprise.
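Putting both answers together (jstoner's "alert into its own index" and smoir's "count the notables rather than regenerate them"), here is a constructed savedsearches.conf example of how that looks without ES. It is added here and is not from the thread or from Splunk; the index names `auth` and `notable_custom`, the sourcetype, and the `known_users.csv` lookup (one column, `user`) are assumptions.

```ini
# savedsearches.conf, constructed example (not from the thread or from Splunk ES).

# 1) The "template" for one notable: a scheduled correlation-style search.
#    Matches successful logins by users absent from the known_users.csv lookup
#    (assumed: single column "user") and summary-indexes each hit into a
#    dedicated index, the way ES keeps notables apart from raw events.
[Notable - Unknown user login]
search = index=auth sourcetype=linux_secure action=success \
    NOT [| inputlookup known_users.csv | fields user] \
    | bin _time span=5m \
    | stats count AS events, values(src) AS src BY _time, user
# Contiguous 15-minute windows: the window equals the schedule interval,
# so a login is written to the notable index once, not on every overlap.
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
enableSched = 1
# Write results to the summary index (assumed name "notable_custom") and stamp
# every row with the rule and urgency, so the posture panel can group by rule
# without knowing which search produced it.
action.summary_index = 1
action.summary_index._name = notable_custom
action.summary_index.rule_name = Unknown user login
action.summary_index.urgency = medium

# 2) The counting search (what ES calls a Key Indicator): it reads only the
#    small notable index, never the raw auth logs, so it is cheap to run often.
#    Add one stanza like [Notable - ...] per rule; this stanza never changes.
[Posture - Notable counts 24h]
search = index=notable_custom earliest=-24h@h latest=now \
    | stats count AS notables, dc(user) AS users, sum(events) AS raw_events \
        BY rule_name, urgency \
    | sort - notables
cron_schedule = */5 * * * *
enableSched = 1
```

In the Simple XML dashboard, point the panel at the scheduled search with `<search ref="Posture - Notable counts 24h"/>` instead of an inline query; each page view then renders the last scheduled result rather than re-running anything.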
