Analytics Advisor Content Overview

The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside of Splunk based on the content you already have and the data that’s present in your environment. You will find a number of visualizations geared toward simplifying the process of selecting content, and a drilldown to the Security Contents Page to start bookmarking and deploying it. There are also paired dashboards for MITRE ATT&CK and the Kill Chain, with purpose-built visualizations for those industry-standard models!

  1. The Content Overview dashboard is the centerpiece of the Analytics Advisor suite. This dashboard takes into account what data you have in your environment, what searches are active, and helps you see what content you can use next.
  2. Each number in these dashboards represents a piece of content. In order to guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.
  3. Any content labeled Active means that you have that content (detections, correlation searches, etc.) enabled in your environment.
  4. Any content labeled Available means that you have content that can be enabled with data already in Splunk.
  5. Any content labeled Needs data means that the data to support the content is missing in Splunk.
  6. The Available Content panel shows, at a high level, how your environment stacks up against the content available. You can switch between the tabs to change the visualization and change the Split by field to show different dimensions. Everything in this panel is clickable and will allow you to drill down further.
  7. The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
  8. The View Content panel allows you to go directly to the full details of your selection inside the Security Essentials general content page.
  9. These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.