Analytics Advisor Cyber Kill Chain

The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside Splunk, based on the content you already have and the data that is present in your environment. The Kill Chain Overview dashboard also includes a custom visualization that shows which content is tied to each stage of the Kill Chain.

  1. Like the Analytics Advisor Content Overview dashboard, the Kill Chain Overview dashboard takes into account the data and active content in your environment to help you choose new and better content. See that dashboard for a full tour of the three steps used here.
  2. Each number in these dashboards represents a piece of content. In order to guide you through the dashboard, follow the headlines 1, 2 and 3 to find the content. You can also go directly to the full details for each piece of content by clicking the green button under heading 3.
  3. Any content labelled Active means that you have that content (detections, correlation searches, etc.) enabled in your environment.
  4. Any content labelled Available means that you have content that can be enabled with data already in Splunk.
  5. Any content labelled Needs data means that the data to support the content is missing in Splunk.
  6. The Kill Chain tab shows the coverage in your environment against the Kill Chain steps. You can adjust which numbers are displayed in the visualization to show Active or Available content.
  7. The Chart View tab shows, at a high level, how your environment stacks up against the available content and against the Cyber Kill Chain specifically. You can switch between the tabs to change the visualization, and change the Split by field to show different dimensions. Everything in this panel is clickable and lets you drill down further.
  8. The Selected Content panel contains further filters that allow you to drill into individual pieces of content.
  9. The View Content panel allows you to go directly to the full details of your selection inside the Security Essentials general content page.
  10. These dashboards build on the Data Inventory and Correlation Search Introspection, so if you haven’t configured those yet, make sure to visit those pages.
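The Active / Available / Needs data labels and the per-stage coverage numbers described above come down to a small piece of logic: is the detection enabled, and if not, is every data source it needs present in the inventory? The following is an added example that reproduces that classification and the Kill Chain roll-up over constructed sample data; it is not Security Essentials' own code, and the content names, data-source categories and field names used here are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Lockheed Martin Cyber Kill Chain stages, in order.
KILL_CHAIN_PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
STATUSES = ("Active", "Available", "Needs data")


@dataclass(frozen=True)
class Content:
    """One piece of content (a detection). Field names are assumptions for this example."""
    name: str
    kill_chain_phases: tuple   # stages the detection maps to
    required_data: tuple       # data-source categories it needs (from a data inventory)
    enabled: bool              # True if a correlation search for it is enabled


# Constructed sample content; these are illustrative, not real SSE detections.
SAMPLE_CONTENT = [
    Content("Excessive DNS failures", ("Command and Control",), ("DNS",), False),
    Content("Suspicious PowerShell download", ("Delivery", "Exploitation"), ("Endpoint Process",), True),
    Content("Web proxy hit on known bad domain", ("Delivery",), ("Web Proxy", "Threat Intel"), False),
    Content("New service installed", ("Installation",), ("Windows Event Logs",), False),
    Content("Prohibited process launched", ("Exploitation",), ("Endpoint Process",), False),
]

# Constructed data inventory: categories that are actually being ingested.
AVAILABLE_DATA = {"Endpoint Process", "Web Proxy"}


def classify(content: Content, available_data: set) -> str:
    """Mirror the page's three labels. An enabled search is Active regardless of
    data, which is what you would expect the introspection step to report."""
    if content.enabled:
        return "Active"
    if set(content.required_data) <= available_data:
        return "Available"
    return "Needs data"


def kill_chain_coverage(contents, available_data: set) -> dict:
    """Count content per Kill Chain stage and status, as the Kill Chain tab shows."""
    coverage = {}
    for c in contents:
        status = classify(c, available_data)
        for phase in c.kill_chain_phases:
            bucket = coverage.setdefault(phase, {s: 0 for s in STATUSES})
            bucket[status] += 1
    return coverage


def uncovered_phases(coverage: dict) -> list:
    """Stages with no Active content, in Kill Chain order: the coverage gaps."""
    return [p for p in KILL_CHAIN_PHASES if coverage.get(p, {}).get("Active", 0) == 0]


def available_to_enable(contents, available_data: set) -> list:
    """Content you could turn on today without onboarding new data."""
    return [c.name for c in contents if classify(c, available_data) == "Available"]


if __name__ == "__main__":
    cov = kill_chain_coverage(SAMPLE_CONTENT, AVAILABLE_DATA)
    for phase in KILL_CHAIN_PHASES:
        print(f"{phase:22s} {cov.get(phase, {s: 0 for s in STATUSES})}")
    print("No active coverage:", uncovered_phases(cov))
    print("Enable next:", available_to_enable(SAMPLE_CONTENT, AVAILABLE_DATA))
```

With this sample inventory, "Prohibited process launched" is the only Available item, and five of the seven stages have no Active content; that is the kind of gap the Chart View and Selected Content panels are meant to surface.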