Splunk Enterprise Security

How to create a dashboard similar to Enterprise Security's Security Posture?

cmeyers
Explorer

In Enterprise Security, there is a Security Posture dashboard. This dashboard shows the count of notable events that have occurred in the logs. As a result, I have two questions:

1) How do you create the templates for what makes a notable event? I.e. unknown user logs in, notable event created.
2) How do you show the count of events without having all the queries for each notable event run every time you view that dashboard?

I have a feeling the answer to question 1 will help me conceptualize the answer to question 2.
So if anyone can at least point me in the right direction, any help is much appreciated! Thank you!


jstoner_splunk
Splunk Employee

If you wanted to hack together something like this, you might generate an alert on a search result match and that alert output might be something you could read back into Splunk into its own index. You could then create a dashboard with counts and schedule those searches to run at some interval.

smoir_splunk
Splunk Employee

Hello @cmeyers -- it sounds like you don't have ES, but you want to make a Security Posture dashboard lookalike in Splunk Enterprise, is that correct?
1) Security Posture knows what a notable event is because it's a particular kind of event created by a correlation search. All notable events are added to the notable index, so they are a bit cordoned off from regular events. See http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents for more on notable events.
2) You would run searches (ES uses Key Indicator searches to do this) that go get the counts of the notable events, rather than running the searches to generate the notable events themselves. http://docs.splunk.com/Documentation/ES/4.2.0/User/KeyIndicators

Someone else may have a better suggestion of how to mimic this behavior with alerts and searches in Splunk Enterprise.
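Below is an added, worked example of the approach both answers describe: a scheduled search that writes its matches into a dedicated index (the "read it back into its own index" idea), and a second scheduled search that only counts what is already in that index, the way ES Key Indicator searches count the notable index. This is example configuration written for this thread, not Splunk's own ES code. The index name `notable_lite`, the `known_users.csv` lookup, the `auth` index and the `user`/`src`/`dest` field names are all assumptions chosen for illustration; your data and field extractions will differ.

```ini
# --- indexes.conf (assumed: a dedicated index so "notables" stay cordoned
#     off from raw events, like ES's notable index) ---
[notable_lite]
homePath   = $SPLUNK_DB/notable_lite/db
coldPath   = $SPLUNK_DB/notable_lite/colddb
thawedPath = $SPLUNK_DB/notable_lite/thaweddb

# --- savedsearches.conf ---

# Question 1: a "correlation search" lookalike. It runs every 15 minutes over a
# 15-minute window, finds logins by accounts that are not in an allow-list
# lookup (assumed: known_users.csv has a column named "user"), tags each match
# with a rule name and severity, and appends the result to the notable_lite
# index with the collect command. Only the summary fields are kept, so the
# indexed event is a compact key=value record rather than a copy of _raw.
[Unknown User Login - Notable]
search = index=auth sourcetype=linux_secure "Accepted" \
    NOT [| inputlookup known_users.csv | fields user] \
    | eval rule_name="Unknown user login", severity="high" \
    | table _time user src dest rule_name severity \
    | collect index=notable_lite
cron_schedule = */15 * * * *
enableSched = 1
dispatch.earliest_time = -20m@m
dispatch.latest_time = -5m@m
disabled = 0

# Question 2: a "key indicator" lookalike. It never re-runs the detection
# logic; it only counts records already sitting in notable_lite. Because it is
# scheduled, the dashboard can show its last result instead of searching live.
[Notable Counts by Rule - 24h]
search = index=notable_lite earliest=-24h@h latest=now \
    | stats count by rule_name severity \
    | sort -count
cron_schedule = */5 * * * *
enableSched = 1
disabled = 0
```

To keep the dashboard from running the detection searches on every page load, point each panel at the counting search by name in Simple XML with `<search ref="Notable Counts by Rule - 24h"/>`; the panel then renders the most recent scheduled result. The gap between `dispatch.latest_time` and the cron cadence is deliberate so late-arriving events are still inside the window; widen it if your forwarders lag.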
