In Enterprise Security, there is a Security Posture dashboard. This dashboard shows the count of notable events that have occurred in the logs. As a result, I have two questions:
1) How do you create the templates for what makes a notable event? Ie. Unknown user logs in, notable event created.
2) How do you show the count of events without having all the queries for each notable event run every time you view that dashboard?
I have a feeling the answer to question 1 will help me conceptualize the answer to question 2.
So if anyone can at least point me in the right direction, any help is much appreciated! Thank you!
Hello @cmeyers -- it sounds like you don't have ES, but you want to make a Security Posture dashboard lookalike in Splunk Enterprise, is that correct?
1) Security Posture knows what a notable event is because it's a particular kind of event created by a correlation search. All notable events are added to the notable index, so they are a bit cordoned off from regular events. See http://docs.splunk.com/Documentation/ES/4.2.0/User/NotableEvents for more on notable events.
2) You would run searches (ES uses Key Indicator searches to do this) that go get the counts of the notable events, rather than running the searches to generate the notable events themselves. http://docs.splunk.com/Documentation/ES/4.2.0/User/KeyIndicators
Someone else may have a better suggestion of how to mimic this behavior with alerts and searches in Splunk Enterprise.
If you wanted to hack together something like this, you might generate an alert on a search result match and that alert output might be something you could read back into splunk into its own index. You could then create a dashboard with counts and schedule those searches to run at some interval.