[showcase_simple_search-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Simple Search Showcase
type = image
imageName1 = example_item-Slide1.png
skipText = Skip tour
imageName2 = example_item-Slide2.png
imageName3 = example_item-Slide3.png
imageName4 = example_item-Slide4.png
imageName5 = example_item-Slide5.png
imageName6 = example_item-Slide6.png
imageName7 = example_item-Slide7.png
imageCaption1 = This is the search assistant for normal Splunk searches. In this app, you will also find search assistants that help shortcut difficult search concepts, but for this one we're just using normal Splunk search.
imageCaption2 = We've tried to provide as much context as possible, so you can understand the impact of an example, how it works, adapt it to the particulars of your environment, and handle the alerts that will be sent afterward.
imageCaption3 = In the boxes at the top, you can find high-level details, including the ever-important 'Data Source' links. You can follow the 'Data Source' links for several popular technologies, not just a list of technologies that provide those data sources. Also, there's detailed installation documentation that will help you get up and running!
imageCaption4 = Beneath the boxes there's other contextual data, including how to implement and respond, as well as other examples and related Splunk capabilities!
imageCaption5 = The default shows the types of results you will see from a search. If you want to get more techie, use the "Show Search" to see or help implement the search string. You can either view the line-by-line search documentation or turn on "Advanced SPL Mode" to always see all the detail. (Don't worry, we'll save that setting.)
imageCaption6 = In Advanced SPL mode, you'll be able to see the pre-requisite checks that make sure you have the right data onboarded, get the "Open in Search" buttons, and be able to click "Schedule Alert" to save this search right from the app.
imageCaption7 = One last item for the overview, in the upper right-hand corner is a list of what searches are available for each example. Often, there's just a demo and a live version, but some examples might have three or four different versions.

[showcase_first_seen_demo-tour]
context = Splunk_Security_Essentials
imgPath = /showcase_first_seen_demo-tour
label = First Time Seen Showcase
type = image
skipText = Skip tour
imageName1 = Slide1.png
imageName2 = Slide2.png
imageName3 = Slide3.png
imageName4 = Slide4.png
imageName5 = Slide5.png
imageName6 = Slide6.png
imageName7 = Slide7.png
imageName8 = Slide8.png
imageCaption1 = This is the search assistant for 'First Time Seen' searches. The search language for detecting the first time something happened is tricky, so we packaged all the logic into this dashboard. All that's left is the easy part.
imageCaption2 = For our examples, we try to provide as much context as possible to help you understand the impact of an example and how it works, how to adapt it to the particulars of your environment, and how to handle the alerts that will be sent afterward.
imageCaption3 = In the boxes at the top, we will show high-level details, including the ever-important Data Source links. You can follow the Data Source links to not just a list of technologies that provide those data sources, but for several popular technologies we even have detailed installation documentation that will help you get up and running!
imageCaption4 = Beneath those boxes we will show other contextual data we have, including how to implement this example, how to respond to it, and for a few examples even other related Splunk capabilities!
imageCaption5 = By default, we show you the types of results you will see from a search. If you're a techie and you want to see the search string, or implement the search string, then expand "Show Search." You can either view the line-by-line search documentation, or you can turn on Advanced SPL Mode and always see all the detail. (Don't worry, we'll save that setting.)
imageCaption6 = To show what we mean when we say that this search automates the 'hard part' of detecting first time seen anomalies, we've highlighted the part of a search that we provided for a particular example, and the part that the dashboard provides. Much easier, right?
imageCaption7 = If you're in Advanced SPL mode, you will also be able to see the pre-requisite checks that make sure you have the right data onboarded, you'll get the "Open in Search" buttons, and you'll even be able to click "Schedule Alert" to save this search right from the app.
imageCaption8 = One last item for the overview, in the upper right-hand corner you can see we have a list of what searches are available for this example. Often, we just have a demo and a live version, but for some we might have three or four different versions.

[showcase_standard_deviation-tour]
context = Splunk_Security_Essentials
imgPath = /showcase_standard_deviation-tour
label = First Time Seen Showcase
type = image
skipText = Skip tour
imageName1 = Slide1.png
imageName2 = Slide2.png
imageName3 = Slide3.png
imageName4 = Slide4.png
imageName5 = Slide5.png
imageName6 = Slide6.png
imageName7 = Slide7.png
imageName8 = Slide8.png
imageCaption1 = This is the search assistant for 'Time Series Spike' searches. The search language for detecting when a user or system starts doing things far more than usual is tricky, so we packaged all the logic into this dashboard. All that's left is the easy part.
imageCaption2 = For our examples, we try to provide as much context as possible to help you understand the impact of an example and how it works, how to adapt it to the particulars of your environment, and how to handle the alerts that will be sent afterward.
imageCaption3 = In the boxes at the top, we will show high-level details, including the ever-important Data Source links. You can follow the Data Source links to not just a list of technologies that provide those data sources, but for several popular technologies we even have detailed installation documentation that will help you get up and running!
imageCaption4 = Beneath those boxes we will show other contextual data we have, including how to implement this example, how to respond to it, and for a few examples even other related Splunk capabilities!
imageCaption5 = By default, we show you the types of results you will see from a search. If you're a techie and you want to see the search string, or implement the search string, then expand "Show Search." You can either view the line-by-line search documentation, or you can turn on Advanced SPL Mode and always see all the detail. (Don't worry, we'll save that setting.)
imageCaption6 = To show what we mean when we say that this search automates the hard part of detecting time series spikes, we've highlighted the part of a search that we provided for a particular example, and the part that the dashboard provides. Much easier, right?
imageCaption7 = If you're in Advanced SPL mode, you will also be able to see the pre-requisite checks that make sure you have the right data onboarded, you'll get the "Open in Search" buttons, and you'll even be able to click "Schedule Alert" to save this search right from the app.
imageCaption8 = One last item for the overview, in the upper right-hand corner you can see we have a list of what searches are available for this example. Often, we just have a demo and a live version, but for some we might have three or four different versions.

[dataavailabilitybaseline-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Enable Data Availability Baseline Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = enabledsources_Slide1.png
imageCaption1 = Find the Configuration menu in the navigation.
imageName2 = scheduled_searches-Slide1.png
imageCaption2 = Under Enabled Sources you can turn on or off different apps. This will apply globally across the app.

[datainventory-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Data Inventory Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/data_inventory
imageName1 = data_inventory-Slide1.png
imageCaption1 = The Data Inventory dashboard allows you to configure what products you have in your environment. Products have a variety of metadata (sourcetypes, event volume, CIM compliance) and are connected with data source categories, allowing the app to show you what content can be turned on with your present data.
imageName2 = data_inventory-Slide2.png
imageCaption2 = Here's an example of several data source categories, under the EDR data source. DSCs are detailed categories that have been proven out through thousands of professional services engagements.
imageName3 = data_inventory-Slide3.png
imageCaption3 = When you first open this page, it will prompt you to use the automated scans. If you install SSE on your production search head, most of the work from this page is automated!
imageName4 = data_inventory-Slide4.png
imageCaption4 = There are four automated introspection steps that pull a variety of data.
imageName5 = data_inventory-Slide5.png
imageCaption5 = For any sources or sourcetypes that are uncommon, you can tell the app what product it is.
imageName6 = data_inventory-Slide6.png
imageCaption6 = If you have a product that wasn't detected, or you aren't installing this app on your production search head, you can always manually add products by clicking Add Product. If you don't have data for a DSC, you can say No Data Present.

[enabledsources-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Enabled Products Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = enabledsources_Slide1.png
imageCaption1 = Find the Configuration menu in the navigation.
imageName2 = enabledsources_Slide2.png
imageCaption2 = Under Enabled Sources you can turn on or off different apps. This will apply globally across the app.

[esintegration-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Check for ES Integration Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = enabledsources_Slide1.png
imageCaption1 = Find the Configuration menu in the navigation.
imageName2 = esintegration-Slide1.png
imageCaption2 = Click Update ES and the app will push MITRE and Kill Chain configurations into the ES Incident Review dashboard.

[mltkpresent-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Check for Machine Learning Toolkit Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/
imageName1 = splunk_ml_toolkit-Slide1.png
imageCaption1 = This app requires the use of Splunk's Machine Learning Toolkit, which you can find on Splunkbase.
imageName2 = splunk_ml_toolkit-Slide2.png
imageCaption2 = Also required, by the Splunk Machine Learning Toolkit itself, is Python for Scientific Computing, also available on Splunkbase. Ensure that you have the version of the app that is specific to your environment (32-bit Linux, 64-bit Linux, Windows, or Mac).

[searchmapping-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Correlation Search Introspection and Mapping Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/bookmarked_content
imageName1 = manage_bookmarks-Slide1.png
imageCaption1 = Splunk Security Essentials uses bookmarking to track what content is active in your environment, or to just help you remember what content you want to deploy.
imageName2 = search_mapping-Slide1.png
imageCaption2 = To make the process of recording your active content easier if you've installed this app on your production search head, it contains a Correlation Search Introspection feature which walks you through marking active content.
imageName3 = search_mapping-Slide2.png
imageCaption3 = This introspection will pull a list of all of your enabled local scheduled searches that have an action associated with them. It will also automatically enable any directly enabled ES, ESCU, or SSE content.
imageName4 = search_mapping-Slide3.png
imageCaption4 = For most content, the introspection will provide you with the option to indicate that a search is not a security detection, search through all of the out-of-the-box content contained in the app, or create new custom content in the app. Any of these will help you accurately map data source, MITRE, and other metadata for your content.
imageName5 = search_mapping-Slide4.png
imageCaption5 = Splunk Security Essentials includes a search engine to help you search the app and map any detection search to all of the out-of-the-box content.
imageName6 = search_mapping-Slide5.png
imageCaption6 = For content that doesn't exist in Splunk out-of-the-box, you can create custom content. Custom content shows everywhere throughout the app, just like normal Splunk content.
imageName7 = search_mapping-Slide6.png
imageCaption7 = You can even define all of the same metadata content (such as MITRE ATT&CK, Kill Chain, data source categories, etc.). You can also add all the normal descriptive fields (how to respond, known false positives, etc.).
imageName8 = search_mapping-Slide7.png
imageCaption8 = If you don't have Splunk Security Essentials on your production environment, you can always individually mark content as installed, or bookmarked.

[analyze_es_risk-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analyze ES Risk Attributions Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/analyze_es_risk
imageName1 = es_risk-Slide0.png
imageCaption1 = The Analyze ES Risk Attributions dashboard helps you understand the data provided by Splunk Enterprise Security's Risk Analysis Framework. Most users will arrive here via a drilldown from a user or system, populating that user/system in the search box and focusing the analysis accordingly. That said, you can enter any search string to use the dashboard to analyze a network or even your entire organization.
imageName2 = es_risk-Slide1.png
imageCaption2 = Customers who get the most value out of ES Risk often use MITRE ATT&CK, which is why we provide a series of system-wide ATT&CK metrics on the left, and then the number of hits per tactic for your provided user/system.
imageName3 = es_risk-Slide2.png
imageCaption3 = Beneath that, you will find a customized MITRE ATT&CK Matrix for this user/system, showing you which techniques have fired for the data you've selected in the search.
imageName4 = es_risk-Slide3.png
imageCaption4 = Aggregating risk attributions is the core strength of this dashboard. You'll next see a series of charts that aggregate risk by various metrics.
imageName5 = es_risk-Slide4.png
imageCaption5 = Finally, you'll see a straightforward sum of risk by object, which will let you see which objects are experiencing the greatest amount of risk.

[bookmark_export-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Manage Bookmarks - Export Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/bookmarked_content
imageName1 = manage_bookmarks-Slide1.png
imageCaption1 = The Manage Bookmarks dashboard lets you track content in your environment, including content that you've just bookmarked, or content that you've marked as successfully implemented.
imageName2 = manage_bookmarks-Slide2.png
imageCaption2 = To export a list of this content, click the Export button in the upper right-hand corner.
imageName3 = manage_bookmarks-Slide3.png
imageCaption3 = There are multiple export options. Most are very straightforward.
imageName4 = manage_bookmarks-Slide4.png
imageCaption4 = The most detailed export is the Print-to-PDF, where by default we include as much detail as we can. You can opt to disable this detail if you don't need it. (The app will remember what you selected.)
imageName5 = manage_bookmarks-Slide5.png
imageCaption5 = Print-to-PDF works by generating a printable page and letting you save it as a PDF via your browser. This works best in Chrome.

[content_overview-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analytics Advisor Content Overview Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/content_overview
imageName1 = content_overview-Slide1.png
imageCaption1 = The Content Overview dashboard is the centerpiece of the Analytics Advisor suite. This dashboard takes into account what data you have in your environment and what searches are active, and helps you see what content you can use next.
imageName2 = content_overview-Slide2.png
imageCaption2 = Each number in these dashboards represents a piece of content. In order to guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.
imageName3 = content_overview-Slide3.png
imageCaption3 = Any content labeled Active means that you have content (detections, correlations etc.) enabled in your environment.
imageName4 = content_overview-Slide4.png
imageCaption4 = Any content labeled Available means that you have content that can be enabled with data already in Splunk.
imageName5 = content_overview-Slide5.png
imageCaption5 = Any content labeled Needs data means that the data to support the content is missing in Splunk.
imageName6 = content_overview-Slide6.png
imageCaption6 = The Available Content panel shows at a high level how your environment stacks up against the content available. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.
imageName7 = content_overview-Slide7.png
imageCaption7 = The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
imageName8 = content_overview-Slide8.png
imageCaption8 = The View Content panel allows you to go directly to the full details of the selection inside the Security Essentials general content page.
imageName9 = data_inventory-Slide1.png
imageCaption9 = These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.

[contents-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Security Contents Page Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/contents
imageName1 = Contents-Slide1.png
imageCaption1 = We've provided an introduction for this page and a detailed description of the Search Journey Stages listed below. To get the full details just click "Show all lines".
imageName2 = Contents-Slide2.png
imageCaption2 = Use the filters below to find capabilities most relevant to you. For example, if you're just starting out with Splunk for security and want to know what to begin with, you might opt to view all featured Stage 1 searches.
imageName3 = Contents-Slide3.png
imageCaption3 = Focus on a specific business concern: You can opt to select Stage 6 (all the Splunk Content)...
imageName4 = Contents-Slide4.png
imageCaption4 = Drill down: Focus on a single issue, like Insider Threat.
imageName5 = Contents-Slide5.png
imageCaption5 = Filter on specific data sources you already have in Splunk. For example, see some immediate detections you can deploy by filtering on a specific data source, such as "Email Logs."
imageName6 = Contents-Slide6.png
imageCaption6 = In order to find and focus on exactly the examples you want, adjust the filters by hitting the menu icon. Don't worry: all the settings you configure will be retained every time you open the page in this browser.
imageName7 = Contents-Slide7.png
imageCaption7 = Splunk Security Essentials is not about the filters... it's about the different examples to help with your specific use cases. Scroll down below to see what examples match the filters you've configured and how to start getting value with Splunk.
imageName8 = Contents-Slide8.png
imageCaption8 = Each of the examples will give you a brief description, tell you the log sources, and also tell you any MITRE or Kill Chain phases.
imageName9 = Contents-Slide9.png
imageCaption9 = Click into an example to get more detail. With the examples that only need Splunk Enterprise, you'll also be able to view the full search string, along with detailed documentation. That's it for this tour! Start exploring the examples and see how to get the most from your data with Splunk.

[data_source-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Data Source Onboarding Guides Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/data_source
imageName1 = data_source-Slide1.png
imageCaption1 = This app contains 9 Data Source Onboarding Guides. You can find the full list at the top of the page.
imageName2 = data_source-Slide1.png
imageCaption2 = You can also choose to look at the categories below, and find a variety of products that Splunk commonly sees for each type of data.
imageName3 = data_source-Slide2.png
imageCaption3 = The data onboarding guides are written by Splunk field engineers, working in conjunction with Splunk Professional Services, to make them as easy to use as possible while supporting your long-term growth.
imageName4 = data_source-Slide3.png
imageCaption4 = You will see a variety of Splunk recommendations, usually with downloadable apps or conf files.
imageName5 = data_source-Slide4.png
imageCaption5 = These guides step beyond just Splunk though, telling you how to configure the products to generate the data required to fire our detections.

[data_source_check-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Data Source Check Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/data_source_check
imageName1 = data_source_check-Slide1.png
imageCaption1 = The Data Source Check dashboard tells you what searches would be ready to run in your environment. Click Start Searches to get started.
imageName2 = data_source_check-Slide2.png
imageCaption2 = The dashboard will launch 60+ pre-req tests. Each is really quick -- the whole set should take less than 10 minutes and won't overwhelm your Splunk.
imageName3 = data_source_check-Slide3.png
imageCaption3 = As the searches run, you will get back green checks or red exclamation points. A green check indicates that the pre-req test found the exact data, sourcetypes, and fields that the detection is expecting.
imageName4 = data_source_check-Slide4.png
imageCaption4 = If you've run the dashboard checks in the past, you can always re-run them on your current data, or you can click Retrieve Result to pull back your last result.

[example_item-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Example Content - Basic Brute Force Detection Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/showcase_simple_search?ml_toolkit.dataset=Basic%20Brute%20Force%20-%20Demo
imageName1 = example_item-Slide2.png
imageCaption1 = When looking at Security Content, we've tried to provide as much context as possible, so you can understand the impact of an example, how it works, adapt it to the particulars of your environment, and handle the alerts that will be sent afterward.
imageName2 = example_item-Slide3.png
imageCaption2 = In the boxes at the top, you can find high-level details, including the ever-important 'Data Source' links. You can follow the 'Data Source' links for several popular technologies, not just a list of technologies that provide those data sources. Also, there's detailed installation documentation that will help you get up and running!
imageName3 = example_item-Slide4.png
imageCaption3 = Beneath the boxes there's other contextual data, including how to implement and respond, as well as other examples and related Splunk capabilities.
imageName4 = example_item-Slide5.png
imageCaption4 = The default shows the types of results you will see from a search. If you want to get more technical, use the "Line-by-Line SPL Documentation" to see or help implement the search string.
imageName5 = example_item-Slide6.png
imageCaption5 = In SPL mode, you'll be able to see the pre-requisite checks that make sure you have the right data onboarded, get the "Open in Search" buttons, and be able to click "Schedule Saved Search" to save this search right from the app.
imageName6 = example_item-Slide7.png
imageCaption6 = One last item for the overview, in the upper right-hand corner is a list of what searches are available for each example. Often, there's just a demo and a live version, but some examples might have three or four different versions.

[journey-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Security Data Journey Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/journey
imageName1 = Journey-Slide1.png
imageCaption1 = The Security Data Journey walks you through the path that we typically see newer customers walk as they mature. It details each stage with milestones and common challenges.
imageName2 = Journey-Slide2.png
imageCaption2 = The Journey also includes the data sources that we commonly see at each stage of the journey for users pursuing Security Monitoring.
imageName3 = Journey-Slide3.png
imageCaption3 = Drag the slider bar on the right side to view the details for other stages of the Journey.
imageName4 = Contents-Slide3.png
imageCaption4 = All of the content in Splunk Security Essentials is oriented towards this journey, so that if you're just getting started you can limit yourself to just Stage 1.

[kill_chain_overview-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = Analytics Advisor Cyber Kill Chain Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/kill_chain_overview
imageName1 = kill_chain_overview-Slide1.png
imageCaption1 = Like the Analytics Advisor Content Overview dashboard, the Kill Chain Overview dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.
imageName2 = content_overview-Slide2.png
imageCaption2 = Each number in these dashboards represents a piece of content. In order to guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.
imageName3 = content_overview-Slide3.png
imageCaption3 = Any content labelled Active means that you have content (detections, correlations etc.) enabled in your environment.
imageName4 = content_overview-Slide4.png
imageCaption4 = Any content labelled Available means that you have content that can be enabled with data already in Splunk.
imageName5 = content_overview-Slide5.png
imageCaption5 = Any content labelled Needs data means that the data to support the content is missing in Splunk.
imageName6 = kill_chain_overview-Slide2.png
imageCaption6 = The Kill Chain tab shows the coverage in your environment against the Kill Chain steps. You can adjust what numbers are displayed in the visualisation to show Active/Available content.
imageName7 = kill_chain_overview-Slide3.png
imageCaption7 = The Chart View tab shows at a high level how your environment stacks up against the content available and the Cyber Kill Chain specifically. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.
imageName8 = content_overview-Slide7.png
imageCaption8 = The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
imageName9 = content_overview-Slide8.png
imageCaption9 = The View Content panel allows you to go directly to the full details of the selection inside the Security Essentials general content page.
imageName10 = data_inventory-Slide1.png
imageCaption10 = These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.

[mitre_focused_content_recommendation-tour]
context = Splunk_Security_Essentials
imgPath = /unified-tours
label = MITRE ATT&CK-based Content Recommendations Tour
type = image
skipText = Skip tour
doneText = Start Exploring
doneURL = /app/Splunk_Security_Essentials/mitre_focused_content_recommendation
imageName1 = mitre_content_recommendation-Slide1.png
imageCaption1 = Select a category of issue that you are concerned about. If desired, you can also adjust the default filters for data availability and popularity.
imageName2 = mitre_content_recommendation-Slide2.png
imageCaption2 = You will be greeted by a list of content that is tied to ATT&CK techniques MITRE reports as being popular with many threat groups.
imageName3 = data_inventory-Slide1.png
imageCaption3 = This dashboard is built on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.

[mitre_overview-tour]

context = Splunk_Security_Essentials

imgPath = /unified-tours

label = Analytics Advisor MITRE ATT&CK Framework Tour

type = image

skipText = Skip tour

doneText = Start Exploring

doneURL = /app/Splunk_Security_Essentials/mitre_overview

imageName1 = mitre_overview-Slide1.png

imageCaption1 = Like the Analytics Advisor Content Overview dashboard, the MITRE ATT&CK Framework dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps in this dashboard.

imageName2 = mitre_overview-Slide2.png

imageCaption2 = The MITRE ATT&CK Matrix tab shows the coverage in your environment against all techniques. By default the app will color the matrix based on all content (Total), but you can adjust the filters to show just what content is currently enabled in your environment (Active), what content is available to start using with your data (Available), or what content you could use if you ingested more data into Splunk (Needs Data).

imageName3 = mitre_overview-Slide3.png

imageCaption3 = You can also get insight into the threat groups that target you by selecting a group. The app will add a red icon for each technique associated with that threat group. If you don't track a specific group, you can also filter for only the techniques popular with many groups.

imageName4 = mitre_overview-Slide4.png

imageCaption4 = Finally, you can also highlight a specific data source directly in the matrix. This allows you to show the incremental value you'd get by adding an additional data source to your environment.

imageName5 = mitre_overview-Slide5.png

imageCaption5 = The Chart View tab shows, at a high level, how your environment stacks up against the available content and the MITRE ATT&CK Framework specifically. You can switch between the tabs to change the visualisation and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.

imageName6 = mitre_overview-Slide6.png

imageCaption6 = The Selected Content panel contains further filters that allow you to drill into individual pieces of content.

imageName7 = content_overview-Slide8.png

imageCaption7 = The View Content panel takes you directly to the full details of the selection inside the Security Essentials general content page.

imageName8 = data_inventory-Slide1.png

imageCaption8 = These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.


[rba_content_recommendation-tour]

context = Splunk_Security_Essentials

imgPath = /unified-tours

label = RBA Content Recommendations Tour

type = image

skipText = Skip tour

doneText = Start Exploring

doneURL = /app/Splunk_Security_Essentials/rba_content_recommendation

imageName1 = rba_content_recommendation-Slide1.png

imageCaption1 = The Risk-based Alerting Content Recommendation dashboard is intended to give you a quick view of content related to a single category that you can run with the data in your Splunk today. To start, select a category at the bottom -- you'll see how many pieces of content you already have deployed, and how many are available with your existing data.

imageName2 = rba_content_recommendation-Slide2.png

imageCaption2 = With one (or more) categories selected, the dashboard will then show you all of the content that you can leverage. You can click through to any of these to enable them, bookmark them, or more.

imageName3 = data_inventory-Slide1.png

imageCaption3 = This dashboard is built on the Data Inventory and Correlation Search Introspection, so if you haven't configured those yet, make sure to visit those pages.


[security_posture_dashboards-tour]

context = Splunk_Security_Essentials

imgPath = /unified-tours

label = Security Posture Dashboards Tour

type = image

skipText = Skip tour

doneText = Start Exploring

doneURL = /app/Splunk_Security_Essentials/data_source_check

imageName1 = data_source_check-Slide4.png

imageCaption1 = The Security Posture dashboards only run on the data you have in your system, so make sure you run the Data Source Check searches first (or, if you've run them before, click Retrieve Last Result).

imageName2 = data_source_check-Slide5.png

imageCaption2 = Once the checks are in place, you can click Create Posture Dashboards.

imageName3 = data_source_check-Slide6.png

imageCaption3 = There are three dashboards you can choose. Within each, some panels are enabled by default, some are disabled, and some are unavailable because you don't have the required data.

imageName4 = data_source_check-Slide7.png

imageCaption4 = If you want to see the intended result, you can click Use Demo Datasets and all the dashboards will use CSV demo data.

imageName5 = data_source_check-Slide8.png

imageCaption5 = After clicking Create Dashboards, you will get a link to each dashboard. They'll also be added to the navigation.

imageName6 = data_source_check-Slide9.png

imageCaption6 = These are SimpleXML dashboards that follow Splunk best practices (post-processing of a shared base search, and accelerated data models where possible). That makes them easy to customize, or to copy-paste into your own dashboards.


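As an added illustration of the base-search post-processing and accelerated-data-model pattern the caption above refers to (this is example code written for this page, not one of the dashboards that Splunk Security Essentials generates), the following Simple XML dashboard runs a single tstats search against the CIM Authentication data model and feeds two panels from that one result set. It assumes the Authentication data model is accelerated in your environment; the dashboard label, panel titles and the 24-hour window are arbitrary choices.

```xml
<dashboard version="1.1">
  <label>Authentication posture (added example)</label>

  <!-- Base search: one tstats query over the accelerated Authentication data model.
       summariesonly=true keeps it on the acceleration summaries. Because tstats is a
       transforming command, the panels below post-process a small aggregated result
       instead of re-reading raw events, and only one search job is dispatched. -->
  <search id="auth_base">
    <query>
      | tstats summariesonly=true count
          FROM datamodel=Authentication
          BY _time span=1h Authentication.action Authentication.src
      | rename Authentication.action AS action Authentication.src AS src
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Logins per hour by outcome</title>
      <chart>
        <!-- Post-process search: reuses auth_base rather than starting a new job. -->
        <search base="auth_base">
          <query>| timechart span=1h sum(count) AS events BY action</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Top sources of failed logins</title>
      <table>
        <search base="auth_base">
          <query>
            | search action=failure
            | stats sum(count) AS failures BY src
            | sort - failures
            | head 10
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this into Dashboards > Create New Dashboard and switch to Source, or ship it as a view under an app's default/data/ui/views. If both panels stay empty, confirm under Settings > Data models that acceleration is enabled for Authentication, or drop summariesonly=true to fall back to raw events at the cost of speed.
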
[sse_cim_compliance-tour]

context = Splunk_Security_Essentials

imgPath = /unified-tours

label = CIM Compliance Check Tour

type = image

skipText = Skip tour

doneText = Start Exploring

doneURL = /app/Splunk_Security_Essentials/sse_cim_compliance

imageName1 = sse_cim_compliance-Slide1.png

imageCaption1 = The Common Information Model (CIM) Compliance Check dashboard checks whether your data aligns to Splunk's CIM. The CIM is a common set of fields shared across products, so a field like src_ip will bring back results regardless of what the original data looks like.

imageName2 = sse_cim_compliance-Slide2.png

imageCaption2 = You will see a list of the products that you've configured in Splunk Security Essentials, broken out by data source category (DSC, e.g., Successful Authentication), and the CIM compliance status of each key field for that DSC.

imageName3 = sse_cim_compliance-Slide3.png

imageCaption3 = If you expand a row, you'll also be able to see the actual values returned when searching that data.

imageName4 = data_inventory-Slide1.png

imageCaption4 = This dashboard builds on the Data Inventory introspection, so if you haven't configured that yet, make sure to visit that page.


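The kind of check the captions above describe can be reproduced by hand. The following Simple XML dashboard is an added example written for this page, not the app's own CIM Compliance Check logic; it measures, per sourcetype, the share of events in which each key field of the CIM Authentication data model (action, app, src, dest, user) is populated. It assumes your authentication events carry the CIM tag `authentication` (which the vendor add-ons apply) and looks only at the last hour; narrow `index=*` to your authentication indexes before running it at scale.

```xml
<dashboard version="1.1">
  <label>CIM key-field population: Authentication (added example)</label>
  <row>
    <panel>
      <title>Share of events with each Authentication key field populated (last hour)</title>
      <table>
        <!-- The query is wrapped in CDATA because the <<FIELD>> template used by
             foreach would otherwise have to be escaped as &lt;&lt;FIELD>> in XML.
             has_<field> is 1 when the field exists and is non-empty, else 0;
             the second foreach turns the per-sourcetype sums into percentages. -->
        <search>
          <query><![CDATA[
            index=* tag=authentication
            | fields sourcetype action app src dest user
            | foreach action app src dest user
                [ eval has_<<FIELD>> = if(isnotnull('<<FIELD>>') AND '<<FIELD>>' != "", 1, 0) ]
            | stats count AS events
                    sum(has_action) AS action_ok sum(has_app) AS app_ok
                    sum(has_src) AS src_ok sum(has_dest) AS dest_ok
                    sum(has_user) AS user_ok
                BY sourcetype
            | foreach action app src dest user
                [ eval <<FIELD>>_pct = round(100 * '<<FIELD>>_ok' / events, 1) ]
            | fields sourcetype events action_pct app_pct src_pct dest_pct user_pct
            | sort - events
          ]]></query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

A column near 0 for a sourcetype usually means the add-on for that product is missing or is not mapping that field at search time; a value well below 100 often points at an event subtype (logoffs, for instance) that legitimately lacks the field. Read the percentages alongside a sample of the raw events, which is what the dashboard's expandable rows are for.
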
[sse_data_availability-tour]

context = Splunk_Security_Essentials

imgPath = /unified-tours

label = Data Availability Tour

type = image

skipText = Skip tour

doneText = Start Exploring

doneURL = /app/Splunk_Security_Essentials/sse_data_availability

imageName1 = data_availability-Slide1.png

imageCaption1 = The Data Availability dashboard shows you the products in your environment, and the most recent latency seen from each of them.

imageName2 = data_availability-Slide2.png

imageCaption2 = If you click on a product, it will tell you which detections depend on it, along with the expected latency.

imageName3 = data_availability-Slide3.png

imageCaption3 = The dashboard also surfaces a variety of errors if you have configuration issues.

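To make "most recent latency" concrete, here is an added example (not the app's Data Availability dashboard) that lists every index/sourcetype pair with the timestamp of its newest event, the time that event was indexed, and the gap between the two. It uses tstats over _time and _indextime so it runs cheaply across all indexes. It treats sourcetype as a stand-in for the app's notion of a product, and the 5-minute latency and 1-hour staleness thresholds are arbitrary values to tune for your own feeds.

```xml
<dashboard version="1.1">
  <label>Ingest latency by sourcetype (added example)</label>
  <row>
    <panel>
      <title>Newest event, when it was indexed, and the lag between them (last 24h)</title>
      <!-- max(_indextime) - max(_time) approximates the latency of the newest data for
           each feed. For a true per-event figure, search the raw events and compute
           _indextime - _time directly, which costs far more than this tstats query. -->
      <table>
        <search>
          <query><![CDATA[
            | tstats max(_time) AS last_event max(_indextime) AS last_indexed count AS events
                WHERE index=*
                BY index sourcetype
            | eval lag_seconds = last_indexed - last_event
            | eval staleness_seconds = now() - last_event
            | eval status = case(staleness_seconds > 3600, "stale",
                                 lag_seconds > 300, "high latency",
                                 true(), "ok")
            | fieldformat last_event = strftime(last_event, "%Y-%m-%d %H:%M:%S")
            | fieldformat last_indexed = strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
            | sort - staleness_seconds
            | table index sourcetype events last_event last_indexed lag_seconds staleness_seconds status
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <format type="color" field="status">
          <colorPalette type="map">{"ok":#53A051,"high latency":#F8BE34,"stale":#DC4E41}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```

A feed marked "stale" here is the situation the app flags as a detection risk: any correlation search that depends on that sourcetype has been running against no new data, so its silence cannot be read as "nothing happened".
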