[showcase_simple_search-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Simple Search Showcase
type = image
skipText = Skip tour
imageName1 = example_item-Slide1.png
imageCaption1 = This is the search assistant for normal Splunk searches. In this app, you will also find search assistants that help shortcut difficult search concepts, but this one uses normal Splunk search.
imageName2 = example_item-Slide2.png
imageCaption2 = We've tried to provide as much context as possible, so you can understand the impact of an example, how it works, how to adapt it to the particulars of your environment, and how to handle the alerts that will be sent afterward.
imageName3 = example_item-Slide3.png
imageCaption3 = In the boxes at the top, you can find high-level details, including the ever-important Data Source links. The Data Source links take you not just to a list of technologies that provide those data sources, but for several popular technologies to detailed installation documentation that will help you get up and running!
imageName4 = example_item-Slide4.png
imageCaption4 = Beneath the boxes there's other contextual data, including how to implement and respond, as well as other examples and related Splunk capabilities!
imageName5 = example_item-Slide5.png
imageCaption5 = By default, the page shows the types of results you will see from a search. If you want to get more technical, expand "Show Search" to see or implement the search string. You can either view the line-by-line search documentation or turn on "Advanced SPL Mode" to always see all the detail. (Don't worry, we'll save that setting.)
imageName6 = example_item-Slide6.png
imageCaption6 = In Advanced SPL Mode, you'll be able to see the prerequisite checks that make sure you have the right data onboarded, get the "Open in Search" buttons, and be able to click "Schedule Alert" to save this search right from the app.
imageName7 = example_item-Slide7.png
imageCaption7 = One last item for the overview: in the upper right-hand corner is a list of what searches are available for each example. Often there's just a demo and a live version, but some examples might have three or four different versions.

[showcase_first_seen_demo-tour]
context = Splunk_Security_Essentials
imgPath = /showcase_first_seen_demo-tour
label = First Time Seen Showcase
type = image
skipText = Skip tour
imageName1 = Slide1.png
imageCaption1 = This is the search assistant for 'First Time Seen' searches. The search language for detecting the first time something happened is tricky, so we packaged all the logic into this dashboard. All that's left is the easy part.
imageName2 = Slide2.png
imageCaption2 = For our examples, we try to provide as much context as possible to help you understand the impact of an example and how it works, how to adapt it to the particulars of your environment, and how to handle the alerts that will be sent afterward.
imageName3 = Slide3.png
imageCaption3 = In the boxes at the top, we show high-level details, including the ever-important Data Source links. The Data Source links take you not just to a list of technologies that provide those data sources, but for several popular technologies to detailed installation documentation that will help you get up and running!
imageName4 = Slide4.png
imageCaption4 = Beneath those boxes we show other contextual data we have, including how to implement this example, how to respond to it, and for a few examples even other related Splunk capabilities!
imageName5 = Slide5.png
imageCaption5 = By default, we show you the types of results you will see from a search. If you're technical and want to see or implement the search string, expand "Show Search." You can either view the line-by-line search documentation, or turn on Advanced SPL Mode and always see all the detail. (Don't worry, we'll save that setting.)
imageName6 = Slide6.png
imageCaption6 = To show what we mean when we say that this search automates the hard part of detecting first-time-seen anomalies, we've highlighted the part of the search that we provide for a particular example, and the part that the dashboard provides. Much easier, right?
imageName7 = Slide7.png
imageCaption7 = If you're in Advanced SPL Mode, you will also be able to see the prerequisite checks that make sure you have the right data onboarded, you'll get the "Open in Search" buttons, and you'll even be able to click "Schedule Alert" to save this search right from the app.
imageName8 = Slide8.png
imageCaption8 = One last item for the overview: in the upper right-hand corner you can see a list of what searches are available for this example. Often we just have a demo and a live version, but for some we might have three or four different versions.

[showcase_standard_deviation-tour]
context = Splunk_Security_Essentials
imgPath = /showcase_standard_deviation-tour
label = Time Series Spike Showcase
type = image
skipText = Skip tour
imageName1 = Slide1.png
imageCaption1 = This is the search assistant for 'Time Series Spike' searches. The search language for detecting when a user or system starts doing things far more than usual is tricky, so we packaged all the logic into this dashboard. All that's left is the easy part.
imageName2 = Slide2.png
imageCaption2 = For our examples, we try to provide as much context as possible to help you understand the impact of an example and how it works, how to adapt it to the particulars of your environment, and how to handle the alerts that will be sent afterward.
imageName3 = Slide3.png
imageCaption3 = In the boxes at the top, we show high-level details, including the ever-important Data Source links. The Data Source links take you not just to a list of technologies that provide those data sources, but for several popular technologies to detailed installation documentation that will help you get up and running!
imageName4 = Slide4.png
imageCaption4 = Beneath those boxes we show other contextual data we have, including how to implement this example, how to respond to it, and for a few examples even other related Splunk capabilities!
imageName5 = Slide5.png
imageCaption5 = By default, we show you the types of results you will see from a search. If you're technical and want to see or implement the search string, expand "Show Search." You can either view the line-by-line search documentation, or turn on Advanced SPL Mode and always see all the detail. (Don't worry, we'll save that setting.)
imageName6 = Slide6.png
imageCaption6 = To show what we mean when we say that this search automates the hard part of detecting time series spikes, we've highlighted the part of the search that we provide for a particular example, and the part that the dashboard provides. Much easier, right?
imageName7 = Slide7.png
imageCaption7 = If you're in Advanced SPL Mode, you will also be able to see the prerequisite checks that make sure you have the right data onboarded, you'll get the "Open in Search" buttons, and you'll even be able to click "Schedule Alert" to save this search right from the app.
imageName8 = Slide8.png
imageCaption8 = One last item for the overview: in the upper right-hand corner you can see a list of what searches are available for this example. Often we just have a demo and a live version, but for some we might have three or four different versions.
[dataavailabilitybaseline-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Enable Data Availability Baseline Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = enabledsources_Slide1.png
imageCaption1 = Find the Configuration menu in the navigation.
imageName2 = scheduled_searches-Slide1.png
imageCaption2 = Under Enabled Sources you can turn content from different apps on or off. This applies globally across the app.

[datainventory-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Data Inventory Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/data_inventory
imageName1 = data_inventory-Slide1.png
imageCaption1 = The Data Inventory dashboard lets you configure what products you have in your environment. Products carry a variety of metadata (sourcetypes, event volume, CIM compliance) and are connected to data source categories, allowing the app to show you what content can be turned on with your present data.
imageName2 = data_inventory-Slide2.png
imageCaption2 = Here's an example of several data source categories (DSCs) under the EDR data source. DSCs are detailed categories that have been proven out through thousands of professional services engagements.
imageName3 = data_inventory-Slide3.png
imageCaption3 = When you first open this page, it will prompt you to use the automated scans. If you install SSE on your production search head, most of the work on this page is automated!
imageName4 = data_inventory-Slide4.png
imageCaption4 = There are four automated introspection steps that pull a variety of data.
imageName5 = data_inventory-Slide5.png
imageCaption5 = For any sources or sourcetypes that are uncommon, you can tell the app what product they belong to.
imageName6 = data_inventory-Slide6.png
imageCaption6 = If you have a product that wasn't detected, or you aren't installing this app on your production search head, you can always manually add products by clicking Add Product. If you don't have data for a DSC, you can say No Data Present.

[enabledsources-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Enabled Products Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = enabledsources_Slide1.png
imageCaption1 = Find the Configuration menu in the navigation.
imageName2 = enabledsources_Slide2.png
imageCaption2 = Under Enabled Sources you can turn content from different apps on or off. This applies globally across the app.

[esintegration-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Check for ES Integration Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = enabledsources_Slide1.png
imageCaption1 = Find the Configuration menu in the navigation.
imageName2 = esintegration-Slide1.png
imageCaption2 = Click Update ES and the app will push MITRE ATT&CK and Kill Chain configurations into the ES Incident Review dashboard.

[mltkpresent-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Check for Machine Learning Toolkit Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = splunk_ml_toolkit-Slide1.png
imageCaption1 = This app requires Splunk's Machine Learning Toolkit, which you can find on Splunkbase.
imageName2 = splunk_ml_toolkit-Slide2.png
imageCaption2 = Also on Splunkbase, and required by the Machine Learning Toolkit itself, is Python for Scientific Computing. Ensure that you install the version of that app specific to your environment (32-bit Linux, 64-bit Linux, Windows, or Mac).
[searchmapping-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Correlation Search Introspection and Mapping Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/bookmarked_content
imageName1 = manage_bookmarks-Slide1.png
imageCaption1 = Splunk Security Essentials uses bookmarking to track what content is active in your environment, or just to help you remember what content you want to deploy.
imageName2 = search_mapping-Slide1.png
imageCaption2 = To make recording your active content easier when you've installed this app on your production search head, it contains a Correlation Search Introspection feature that walks you through marking active content.
imageName3 = search_mapping-Slide2.png
imageCaption3 = This introspection pulls a list of all of your enabled local scheduled searches that have an action associated with them. It will also automatically mark as active any ES, ESCU, or SSE content that is enabled directly.
imageName4 = search_mapping-Slide3.png
imageCaption4 = For most content, the introspection gives you the option to indicate that a search is not a security detection, to search through all of the out-of-the-box content contained in the app, or to create new custom content in the app. Any of these will help you accurately map data source, MITRE ATT&CK, and other metadata for your content.
imageName5 = search_mapping-Slide4.png
imageCaption5 = Splunk Security Essentials includes a search engine to help you search the app and map any detection search to the out-of-the-box content.
imageName6 = search_mapping-Slide5.png
imageCaption6 = For content that doesn't exist in Splunk out of the box, you can create custom content. Custom content shows everywhere throughout the app, just like normal Splunk content.
imageName7 = search_mapping-Slide6.png
imageCaption7 = You can even define all of the same metadata (such as MITRE ATT&CK, Kill Chain, data source categories, etc.). You can also add all the normal descriptive fields (how to respond, known false positives, etc.).
imageName8 = search_mapping-Slide7.png
imageCaption8 = If you don't have Splunk Security Essentials on your production environment, you can always individually mark content as installed or bookmarked.

[analyze_es_risk-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analyze ES Risk Attributions Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/analyze_es_risk
imageName1 = es_risk-Slide0.png
imageCaption1 = The Analyze ES Risk Attributions dashboard helps you understand the data provided by Splunk Enterprise Security's Risk Analysis Framework. Most users will arrive here via a drilldown from a user or system, which populates that user/system in the search box and focuses the analysis accordingly. That said, you can enter any search string to use the dashboard to analyze a network or even your entire organization.
imageName2 = es_risk-Slide1.png
imageCaption2 = Customers who get the most value out of ES Risk often use MITRE ATT&CK, which is why we provide a series of system-wide ATT&CK metrics on the left, and then the number of hits per tactic for your selected user/system.
imageName3 = es_risk-Slide2.png
imageCaption3 = Beneath that, you will find a customized MITRE ATT&CK Matrix for this user/system, showing you which techniques have fired for the data you've selected in the search.
imageName4 = es_risk-Slide3.png
imageCaption4 = Aggregating risk attributions is the core strength of this dashboard. You'll next see a series of charts that aggregate risk by various metrics.
imageName5 = es_risk-Slide4.png
imageCaption5 = Finally, you'll see a straightforward sum of risk by object, which lets you see which objects are experiencing the greatest amount of risk.

[bookmark_export-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Manage Bookmarks - Export Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/bookmarked_content
imageName1 = manage_bookmarks-Slide1.png
imageCaption1 = The Manage Bookmarks dashboard lets you track content in your environment, including content that you've just bookmarked and content that you've marked as successfully implemented.
imageName2 = manage_bookmarks-Slide2.png
imageCaption2 = To export a list of this content, click the Export button in the upper right-hand corner.
imageName3 = manage_bookmarks-Slide3.png
imageCaption3 = There are multiple export options. Most are very straightforward.
imageName4 = manage_bookmarks-Slide4.png
imageCaption4 = The most detailed export is Print-to-PDF, which by default includes as much detail as we can. You can opt to disable this detail if you don't need it. (The app will remember what you selected.)
imageName5 = manage_bookmarks-Slide5.png
imageCaption5 = Print-to-PDF works by generating a printable page and letting you save it as a PDF via your browser. This works best in Chrome.

[content_overview-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analytics Advisor Content Overview Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/content_overview
imageName1 = content_overview-Slide1.png
imageCaption1 = The Content Overview dashboard is the centerpiece of the Analytics Advisor suite. It takes into account what data you have in your environment and what searches are active, and helps you see what content you can use next.
imageName2 = content_overview-Slide2.png
imageCaption2 = Each number in these dashboards represents a piece of content. To guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.
imageName3 = content_overview-Slide3.png
imageCaption3 = Any content labeled Active means that you have that content (detections, correlations, etc.) enabled in your environment.
imageName4 = content_overview-Slide4.png
imageCaption4 = Any content labeled Available means that the content can be enabled with data already in Splunk.
imageName5 = content_overview-Slide5.png
imageCaption5 = Any content labeled Needs data means that the data to support the content is missing in Splunk.
imageName6 = content_overview-Slide6.png
imageCaption6 = The Available Content panel shows, at a high level, how your environment stacks up against the content available. You can switch between the tabs to change the visualization, and change the Split by field to show different dimensions. Everything in this panel is clickable and will let you drill down further.
imageName7 = content_overview-Slide7.png
imageCaption7 = The Selected Content panel contains further filters that let you drill into individual pieces of content.
imageName8 = content_overview-Slide8.png
imageCaption8 = The View Content panel takes you directly to the full details of the selection inside the Security Essentials general content page.
imageName9 = data_inventory-Slide1.png
imageCaption9 = These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.
[contents-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Security Contents Page Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/contents
imageName1 = Contents-Slide1.png
imageCaption1 = We've provided an introduction for this page and a detailed description of the Search Journey Stages listed below. To get the full details, just click "Show all lines".
imageName2 = Contents-Slide2.png
imageCaption2 = Use the filters below to find the capabilities most relevant to you. For example, if you're just starting out with Splunk for security and want to know where to begin, you might opt to view all featured Stage 1 searches.
imageName3 = Contents-Slide3.png
imageCaption3 = Focus on a specific business concern: you can opt to select Stage 6 (all the Splunk content)...
imageName4 = Contents-Slide4.png
imageCaption4 = Drill down: focus on a single issue, like Insider Threat.
imageName5 = Contents-Slide5.png
imageCaption5 = Filter on specific data sources you already have in Splunk. For example, see some immediate detections you can deploy by filtering on a specific data source, such as "Email Logs."
imageName6 = Contents-Slide6.png
imageCaption6 = To find and focus on exactly the examples you want, adjust the filters by clicking the menu icon. Don't worry: all the settings you configure will be retained every time you open the page in this browser.
imageName7 = Contents-Slide7.png
imageCaption7 = Splunk Security Essentials is not about the filters... it's about the different examples that help with your specific use cases. Scroll down to see what examples match the filters you've configured and how to start getting value with Splunk.
imageName8 = Contents-Slide8.png
imageCaption8 = Each example gives you a brief description, tells you the log sources, and also tells you any MITRE ATT&CK or Kill Chain phases.
imageName9 = Contents-Slide9.png
imageCaption9 = Click into an example to get more detail. For the examples that only need Splunk Enterprise, you'll also be able to view the full search string, along with detailed documentation. That's it for this tour! Start exploring the examples and see how to get the most from your data with Splunk.

[data_source-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Data Source Onboarding Guides Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/data_source
imageName1 = data_source-Slide1.png
imageCaption1 = This app contains 9 Data Source Onboarding Guides. You can find the full list at the top of the page.
imageName2 = data_source-Slide1.png
imageCaption2 = You can also look at the categories below, and find a variety of products that Splunk commonly sees for each type of data.
imageName3 = data_source-Slide2.png
imageCaption3 = The data onboarding guides are written by Splunk field engineers, working in conjunction with Splunk Professional Services to make them as easy to use as possible while supporting your long-term growth.
imageName4 = data_source-Slide3.png
imageCaption4 = You will see a variety of Splunk recommendations, usually with downloadable apps or conf files.
imageName5 = data_source-Slide4.png
imageCaption5 = These guides step beyond just Splunk, though, telling you how to configure the products to generate the data required to fire our detections.

[data_source_check-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Data Source Check Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/data_source_check
imageName1 = data_source_check-Slide1.png
imageCaption1 = The Data Source Check dashboard tells you what searches would be ready to run in your environment. Click Start Searches to get started.
imageName2 = data_source_check-Slide2.png
imageCaption2 = The dashboard will launch 60+ prerequisite tests. Each is really quick: the whole set should take less than 10 minutes and won't overwhelm your Splunk.
imageName3 = data_source_check-Slide3.png
imageCaption3 = As the searches run, you will get back green checks or red exclamation points. A green check indicates that the prerequisite test found the exact data, sourcetypes, and fields that the detection is expecting.
imageName4 = data_source_check-Slide4.png
imageCaption4 = If you've run the dashboard checks in the past, you can always re-run them on your current data, or you can click Retrieve Result to pull back your last result.

[example_item-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Example Content - Basic Brute Force Detection Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/showcase_simple_search?ml_toolkit.dataset=Basic%20Brute%20Force%20-%20Demo
imageName1 = example_item-Slide2.png
imageCaption1 = When looking at Security Content, we've tried to provide as much context as possible, so you can understand the impact of an example, how it works, how to adapt it to the particulars of your environment, and how to handle the alerts that will be sent afterward.
imageName2 = example_item-Slide3.png
imageCaption2 = In the boxes at the top, you can find high-level details, including the ever-important Data Source links. The Data Source links take you not just to a list of technologies that provide those data sources, but for several popular technologies to detailed installation documentation that will help you get up and running!
imageName3 = example_item-Slide4.png
imageCaption3 = Beneath the boxes there's other contextual data, including how to implement and respond, as well as other examples and related Splunk capabilities.
imageName4 = example_item-Slide5.png
imageCaption4 = By default, the page shows the types of results you will see from a search. If you want to get more technical, use the "Line-by-Line SPL Documentation" to see or help implement the search string.
imageName5 = example_item-Slide6.png
imageCaption5 = In SPL mode, you'll be able to see the prerequisite checks that make sure you have the right data onboarded, get the "Open in Search" buttons, and be able to click "Schedule Saved Search" to save this search right from the app.
imageName6 = example_item-Slide7.png
imageCaption6 = One last item for the overview: in the upper right-hand corner is a list of what searches are available for each example. Often there's just a demo and a live version, but some examples might have three or four different versions.

[journey-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Security Data Journey Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/journey
imageName1 = Journey-Slide1.png
imageCaption1 = The Security Data Journey walks you through the path that we typically see newer customers take as they mature. It details each stage with milestones and common challenges.
imageName2 = Journey-Slide2.png
imageCaption2 = The Journey also includes the data sources that we commonly see at each stage of the journey for users pursuing Security Monitoring.
imageName3 = Journey-Slide3.png
imageCaption3 = Drag the slider bar on the right side to view the details for other stages of the Journey.
imageName4 = Contents-Slide3.png
imageCaption4 = All of the content in Splunk Security Essentials is oriented toward this journey, so if you're just getting started you can limit yourself to just Stage 1.
[kill_chain_overview-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analytics Advisor Cyber Kill Chain Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/kill_chain_overview
imageName1 = kill_chain_overview-Slide1.png
imageCaption1 = Like the Analytics Advisor Content Overview dashboard, the Kill Chain Overview dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.
imageName2 = content_overview-Slide2.png
imageCaption2 = Each number in these dashboards represents a piece of content. To guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.
imageName3 = content_overview-Slide3.png
imageCaption3 = Any content labeled Active means that you have that content (detections, correlations, etc.) enabled in your environment.
imageName4 = content_overview-Slide4.png
imageCaption4 = Any content labeled Available means that the content can be enabled with data already in Splunk.
imageName5 = content_overview-Slide5.png
imageCaption5 = Any content labeled Needs data means that the data to support the content is missing in Splunk.
imageName6 = kill_chain_overview-Slide2.png
imageCaption6 = The Kill Chain tab shows the coverage in your environment against the Kill Chain steps. You can adjust which numbers are displayed in the visualization to show Active or Available content.
imageName7 = kill_chain_overview-Slide3.png
imageCaption7 = The Chart View tab shows, at a high level, how your environment stacks up against the content available and the Cyber Kill Chain specifically. You can switch between the tabs to change the visualization, and change the Split by field to show different dimensions. Everything in this panel is clickable and will let you drill down further.
imageName8 = content_overview-Slide7.png
imageCaption8 = The Selected Content panel contains further filters that let you drill into individual pieces of content.
imageName9 = content_overview-Slide8.png
imageCaption9 = The View Content panel takes you directly to the full details of the selection inside the Security Essentials general content page.
imageName10 = data_inventory-Slide1.png
imageCaption10 = These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.

[mitre_focused_content_recommendation-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = MITRE ATT&CK-based Content Recommendations Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/mitre_focused_content_recommendation
imageName1 = mitre_content_recommendation-Slide1.png
imageCaption1 = Select a category of issue that you are concerned about. If desired, you can also adjust the default filters for data availability and popularity.
imageName2 = mitre_content_recommendation-Slide2.png
imageCaption2 = You will be greeted by a list of content that is tied to ATT&CK techniques that MITRE reports as being popular with many threat groups.
imageName3 = data_inventory-Slide1.png
imageCaption3 = This dashboard is built on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.

[mitre_overview-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analytics Advisor MITRE ATT&CK Framework Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/mitre_overview
imageName1 = mitre_overview-Slide1.png
imageCaption1 = Like the Analytics Advisor Content Overview dashboard, the MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.
imageName2 = mitre_overview-Slide2.png
imageCaption2 = The MITRE ATT&CK Matrix tab shows the coverage in your environment against all techniques. By default the app colors the matrix based on all content (Total), but you can adjust the filters to show just what content is currently enabled in your environment (Active), what content is available to start using with your data (Available), or what content you could use if you ingested more data into Splunk (Needs Data).
imageName3 = mitre_overview-Slide3.png
imageCaption3 = You can also get insight into the threat groups that target you by selecting a group. The app will add a red icon to each technique associated with that threat group. If you don't track a specific group, you can also filter for only the techniques popular with many groups.
imageName4 = mitre_overview-Slide4.png
imageCaption4 = Finally, you can also highlight a specific data source directly in the matrix. This lets you show the incremental value you'd get by adding an additional data source to your environment.
imageName5 = mitre_overview-Slide5.png
imageCaption5 = The Chart View tab shows, at a high level, how your environment stacks up against the content available and the MITRE ATT&CK Framework specifically. You can switch between the tabs to change the visualization, and change the Split by field to show different dimensions. Everything in this panel is clickable and will let you drill down further.
imageName6 = mitre_overview-Slide6.png
imageCaption6 = The Selected Content panel contains further filters that let you drill into individual pieces of content.
imageName7 = content_overview-Slide8.png
imageCaption7 = The View Content panel takes you directly to the full details of the selection inside the Security Essentials general content page.
imageName8 = data_inventory-Slide1.png
imageCaption8 = These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.

[rba_content_recommendation-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = RBA Content Recommendations Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/rba_content_recommendation
imageName1 = rba_content_recommendation-Slide1.png
imageCaption1 = The Risk-Based Alerting Content Recommendation dashboard is intended to give you a quick view of content related to a single category that you can run with the data in your Splunk today. To start, select a category at the bottom; you'll see how many pieces of content you already have deployed, and how many are available with your existing data.
imageName2 = rba_content_recommendation-Slide2.png
imageCaption2 = With one (or more) categories selected, the dashboard then shows you all of the content that you can leverage. You can click through to any of these to enable them, bookmark them, or more.
imageName3 = data_inventory-Slide1.png
imageCaption3 = This dashboard is built on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.
[security_posture_dashboards-tour] context = Splunk_Security_Essentials imgPath = /unified-tours label = Security Posture Dashboards Tour type = image skipText = Skip tour doneText = Start Exploring doneURL = /app/Splunk_Security_Essentials/data_source_check imageName1 = data_source_check-Slide4.png imageCaption1 = The Security Posture dashboards only run on the data you have in your system, so make sure you run the Data Source Check searches first (or if you've run them before, click Retrieve Last Result. imageName2 = data_source_check-Slide5.png imageCaption2 = Once the checks are in place, you can click Create Posture Dashboards. imageName3 = data_source_check-Slide6.png imageCaption3 = There are three dashboards you can choose. Within each, some panels are enabled by default, some disabled, and some unavailable as you don't have the required data. imageName4 = data_source_check-Slide7.png imageCaption4 = If you want to see the intended result, you can click Use Demo Datasets and all the dashboards will use CSV demo data. imageName5 = data_source_check-Slide8.png imageCaption5 = After clicking Create Dashboards, you will get a link to each dashboard. They'll also be added to navigation. imageName6 = data_source_check-Slide9.png imageCaption6 = These are SimpleXML dashboards using Splunk best practices (with post-processing and using accelerated data models if possible). That makes them easy to customize, or copy-paste into your dashboards. [sse_cim_compliance-tour] context = Splunk_Security_Essentials imgPath = /unified-tours label = CIM Compliance Check Tour type = image skipText = Skip tour doneText = Start Exploring doneURL = /app/Splunk_Security_Essentials/sse_cim_compliance imageName1 = sse_cim_compliance-Slide1.png imageCaption1 = The Common Information Model (CIM) Compliance Check dashboard is intended to check to see if your data aligns to Splunk's CIM. 
This is a common set of fields that can be shared across products, allowing you to know that a field like src_ip will bring back results regardless of what the original data looks like. imageName2 = sse_cim_compliance-Slide2.png imageCaption2 = You will see a list of the products that you've configured in Splunk Security Essentials broken out by data source category (e.g., Successful Authentication), and the CIM compliance status of each key field for that DSC. imageName3 = sse_cim_compliance-Slide3.png imageCaption3 = If you expand the row, you'll also be able to see the actual values returned when searching that data. imageName4 = data_inventory-Slide1.png imageCaption4 = This dashboard builds on the Data Inventory introspection, so if you haven't configured that yet, make sure to visit that page. [sse_data_availability-tour] context = Splunk_Security_Essentials imgPath = /unified-tours label = Data Availability Tour type = image skipText = Skip tour doneText = Start Exploring doneURL = /app/Splunk_Security_Essentials/sse_data_availability imageName1 = data_availability-Slide1.png imageCaption1 = The Data Availability dashboard shows you the products in your environment, and the most recent latency seen from each of them. imageName2 = data_availability-Slide2.png imageCaption2 = If you click on a product, it will tell you what detections depend on it along with the expected latency. imageName3 = data_availability-Slide3.png imageCaption3 = The dashboard will also throw a variety of errors in case you have any configuration issues.
