Entity analysis dashboard

The Entity analysis dashboard is a centralized security operations interface in Splunk Enterprise Security that consolidates asset and user analysis, attribution, and anomaly discovery into a single, unified workflow. Security analysts can move fluidly between analyzing individual assets and users and reviewing attribution patterns.

The dashboard draws on aggregated data from different sources, including log files, network devices, cloud services, workstations, servers, and databases, to build a continuously updated view of every asset and user on your network. From this shared data foundation, the dashboard surfaces both targeted details and broad attribution signals. The dashboard is shared across Exposure Analytics and UEBA, and what it displays depends on how an entity was discovered.

Note: The information displayed for an entity depends on its discovery source. Entities discovered by Exposure Analytics display the full set of fields, along with the Attributions and Attack surface tabs. Entities found only in Asset and Identity lookups (and not in entity discovery) display only a limited set of fields; the Attributions and Attack surface tabs are not available for these entities.
The dashboard provides the following core capabilities:
  • Analyze individual assets and users using multi-tab views of attributions, findings, and attack surface.
  • Visualize asset relationships and attack surface exposure through an interactive graph explorer.
  • Examine subnet context for unseen or partially characterized IP addresses.
  • Attribute IP addresses and findings to specific assets and users at a point in time.
  • Surface anomalous behavioral patterns, including dormant asset reactivation, short-lived assets, and credential anomalies.
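To make point-in-time attribution and two of the anomaly patterns above (short-lived assets, dormant reactivation) concrete, here is an added Python sketch that is not Splunk's code; the observation records, hostnames, IP addresses and thresholds are constructed for illustration, and a real deployment would derive them from asset and identity data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample (not Splunk data): each record says `host` was
# observed holding `ip` from `first` to `last`. The same IP moves
# between hosts over time, which is why attribution needs a timestamp.
@dataclass(frozen=True)
class Observation:
    host: str
    ip: str
    first: datetime
    last: datetime

T0 = datetime(2024, 5, 1)
OBSERVATIONS = [
    Observation("ws-alice", "10.0.0.5", T0, T0 + timedelta(days=2)),
    Observation("ws-bob", "10.0.0.5", T0 + timedelta(days=3), T0 + timedelta(days=9)),
    Observation("ws-bob", "10.0.0.5", T0 + timedelta(days=40), T0 + timedelta(days=41)),
    Observation("tmp-build-7", "10.0.0.9", T0 + timedelta(hours=1), T0 + timedelta(hours=2)),
]

def attribute_ip(ip: str, at: datetime, obs=OBSERVATIONS) -> Optional[str]:
    """Host that held `ip` at time `at`; None if the IP was unseen then
    (the point at which a dashboard would fall back to subnet context)."""
    for o in obs:
        if o.ip == ip and o.first <= at <= o.last:
            return o.host
    return None

def short_lived_assets(obs=OBSERVATIONS, max_life=timedelta(hours=6)) -> set:
    """Hosts whose whole observed lifetime is shorter than `max_life`."""
    life = {}
    for o in obs:
        lo, hi = life.get(o.host, (o.first, o.last))
        life[o.host] = (min(lo, o.first), max(hi, o.last))
    return {h for h, (lo, hi) in life.items() if hi - lo < max_life}

def dormant_reactivations(obs=OBSERVATIONS, min_gap=timedelta(days=30)) -> dict:
    """Hosts that reappeared after at least `min_gap` of silence, mapped
    to the longest such gap (a classic signal for a revived stale asset)."""
    by_host = {}
    for o in obs:
        by_host.setdefault(o.host, []).append(o)
    out = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r.first)
        for prev, cur in zip(recs, recs[1:]):
            gap = cur.first - prev.last
            if gap >= min_gap:
                out[host] = max(gap, out.get(host, timedelta()))
    return out
```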