Forensics is the process of looking deeply into what happened during a security incident. Splunk ES helps security analysts investigate by giving access to the full, raw data behind every alert.
Let’s explore how:
When you see a Notable Event in the Incident Review dashboard, you’re looking at a summary — not the whole picture.
With one click, Splunk allows you to:
Open the original raw log data that triggered the alert.
See full details like:
Usernames
IP addresses
Timestamps
Commands or actions taken
Security incidents are rarely explained by summaries alone. To fully understand a threat, you need to see exactly what the attacker did — and that means reviewing raw logs.
Analysts can use Splunk’s search features to rebuild the sequence of actions taken by a threat actor.
Example:
Attacker logs in
Runs commands
Transfers files
Logs out
Each of these steps is logged somewhere. Analysts use Splunk to:
Search logs by user or system
Filter by time
Pivot to related logs that share a user, host, session ID or source address
This process helps you recreate the attack timeline, even if it happened hours or days ago, as long as the relevant data is still within your index retention.
Splunk ES provides visual timelines that show:
Multiple events from different sources
In the order they happened
In one chronological view
This helps analysts:
Correlate events across systems
See cause and effect more clearly
Spot patterns that are not obvious in raw logs
A firewall log shows an allowed connection from an external IP to a workstation.
Five minutes later, Windows logs show a user logging on to that workstation.
The timeline view lets you line up these two events and assess whether they are two steps of the same intrusion rather than unrelated noise.
Now let’s look at a more visual and strategic feature: Glass Tables.
These are graphical dashboards in Splunk ES that let you build visual representations of:
Key Performance Indicators (KPIs)
Notable Events
Risk Scores
Network or system components
They are interactive and real-time.
You can drag and drop components to build your own view.
You can connect data to icons, charts, and custom visuals.
Executives and senior security managers use them to:
Understand the overall security posture
Monitor high-level trends
Report to board members
Security teams can use them to:
Monitor critical assets or departments
Track response efforts visually
Get alerts when thresholds are crossed
A Glass Table might show:
A map of your IT network
Red icons on systems with active threats
A pie chart of events by category
Risk score gauges per business unit
This lets teams respond faster and smarter.
Navigation Control refers to how Splunk ES admins can customize the user interface based on roles and workflows.
Admins can define:
Which apps or dashboards each user sees
Which navigation links are available
What buttons or searches can be used
This helps:
Avoid overwhelming new users
Tailor the environment to the user's job (e.g., analyst vs. manager)
Reinforce access controls, with one caveat: the navigation menu only decides which entries a user sees. A dashboard left out of the menu is still reachable by its URL unless the view's read permission and the role's capabilities also exclude that role, so navigation control must be paired with the underlying Splunk permissions rather than used in place of them.
Admins can create a structured investigation flow. For example:
A user logs in and first sees the Security Posture Dashboard.
From there, they can click into Incident Review.
Then they can drill into raw logs or assign the event.
This ensures:
Analysts follow a consistent process
No critical steps are skipped
New users can work effectively without needing extensive training
| Component | Purpose |
|---|---|
| Forensics | Deep investigation through raw logs, timeline views, and search |
| Glass Tables | Real-time visual dashboards for security KPIs and executive views |
| Navigation Control | Custom UI experiences and workflow control based on user roles |
Together, these features make Splunk ES not just a detection tool, but a powerful investigation and decision-making platform.
One of the most powerful features in Splunk ES is the ability to reconstruct incidents across multiple log sources using simple, time-aligned searches.
index=* (sourcetype=WinEventLog* OR sourcetype=pan:traffic)
| sort 0 _time
| table _time, sourcetype, user, src, dest, action
Searches across multiple log sources (Windows event logs and Palo Alto firewall traffic logs). The parentheses make the intent explicit, and the wildcard matches the sourcetypes the Windows add-on actually emits, such as WinEventLog:Security, which an exact match on WinEventLog would miss.
Sorts ascending by time. Search results otherwise come back newest first, and sort without the 0 argument stops at 10,000 rows.
Selects only the essential fields that help investigators reconstruct activity:
_time: When the event occurred
sourcetype: Which log source the row came from, so the two streams stay distinguishable once merged
user: Who initiated it
src / dest: Source and destination endpoints
action: The nature of the activity (success, failure, allowed, blocked, etc.)
These are the CIM field names populated by the add-on for each source; if a column is empty for one sourcetype, check that the add-on's field extractions and aliases are in place. In production, replace index=* with the specific indexes and a bounded time range; scanning every index is slow and pulls in unrelated data.
This is commonly used during timeline reconstruction to understand the sequence of events, for example:
A user logs into a workstation (Windows log)
Connects to an internal resource (firewall log)
Accesses a restricted system (another log source)
Such correlation helps determine whether the activity is expected or suspicious.
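The reconstruction described here, together with the firewall-then-logon scenario in the timeline section above, as an added Python example (not Splunk code, and not from the original page): it re-implements outside Splunk what the SPL search above does inside it, normalising two sourcetypes into the CIM-style fields, sorting by _time, and then pairing an allowed connection from an external address with a Windows logon on the same host within a short window. The log lines, asset lookup, internal network ranges, IPs, hostnames and user names are all constructed for the example.

```python
"""Cross-source timeline reconstruction in plain Python (added example; not
Splunk code). Normalise firewall and Windows events into CIM-style fields,
order them by _time, then correlate external connections with logons.
All log lines, hosts, users and addresses below are constructed samples."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed asset lookup (IP -> hostname), standing in for the ES asset
# list that lets firewall dest IPs and Windows Computer names be joined.
ASSETS = {"10.0.0.25": "ws25", "10.0.0.40": "fileserver01"}
# Constructed internal ranges; ES would take these from its asset/network config.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified pan:traffic lines: time,type,action,src=,dst=,dport=
PAN_TRAFFIC = [
    "2024-05-01T09:00:10Z,TRAFFIC,allow,src=203.0.113.7,dst=10.0.0.25,dport=3389",
    "2024-05-01T09:20:00Z,TRAFFIC,deny,src=198.51.100.9,dst=10.0.0.25,dport=22",
    "2024-05-01T09:03:45Z,TRAFFIC,allow,src=10.0.0.25,dst=10.0.0.40,dport=445",
]
# Constructed, simplified WinEventLog:Security lines: time then key=value pairs
WIN_SECURITY = [
    "2024-05-01T09:04:02Z EventCode=4624 Account_Name=jsmith Logon_Type=10 Computer=WS25 Source_Network_Address=203.0.113.7",
    "2024-05-01T08:30:00Z EventCode=4624 Account_Name=svc_backup Logon_Type=5 Computer=WS25 Source_Network_Address=-",
    "2024-05-01T09:06:30Z EventCode=4688 Account_Name=jsmith Computer=WS25 New_Process_Name=C:\\Windows\\System32\\cmd.exe",
]
WIN_KV = re.compile(r"(\w+)=(\S+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or a hostname: treat as not an external IP
        return True
    return any(addr in net for net in INTERNAL_NETS)


def parse_pan(line):
    """Normalise a firewall line to CIM Network_Traffic style fields."""
    ts, _, action, src, dst, dport = line.split(",")
    src, dst = src.split("=", 1)[1], dst.split("=", 1)[1]
    return {"_time": _ts(ts), "sourcetype": "pan:traffic", "user": "-",
            "src": src, "dest": ASSETS.get(dst, dst),
            "action": "allowed" if action == "allow" else "blocked", "detail": dport}


def parse_win(line):
    """Normalise a Windows security line to CIM Authentication/Endpoint style fields."""
    ts, rest = line.split(" ", 1)
    kv = dict(WIN_KV.findall(rest))
    if kv["EventCode"] == "4624":
        action, detail = "success", "logon_type=" + kv["Logon_Type"]
    elif kv["EventCode"] == "4688":
        action, detail = "process_start", kv["New_Process_Name"]
    else:
        action, detail = "other", "EventCode=" + kv["EventCode"]
    return {"_time": _ts(ts), "sourcetype": "WinEventLog:Security",
            "user": kv.get("Account_Name", "-"), "src": kv.get("Source_Network_Address", "-"),
            "dest": kv["Computer"].lower(), "action": action, "detail": detail}


def build_timeline(pan_lines=PAN_TRAFFIC, win_lines=WIN_SECURITY):
    """Merge both sources and sort ascending by _time (SPL: '| sort 0 _time')."""
    events = [parse_pan(l) for l in pan_lines] + [parse_win(l) for l in win_lines]
    return sorted(events, key=lambda e: e["_time"])


def correlate_external_logons(timeline, window=timedelta(minutes=5)):
    """Pair each allowed connection from a non-internal source with a successful
    Windows logon on the same destination host that follows it within `window`."""
    hits = []
    for fw in timeline:
        if fw["sourcetype"] != "pan:traffic" or fw["action"] != "allowed" or is_internal(fw["src"]):
            continue
        for ev in timeline:
            if ev["sourcetype"] != "WinEventLog:Security" or ev["action"] != "success":
                continue
            lag = ev["_time"] - fw["_time"]
            if ev["dest"] == fw["dest"] and timedelta(0) <= lag <= window:
                hits.append({"external_src": fw["src"], "host": fw["dest"],
                             "user": ev["user"], "lag_seconds": int(lag.total_seconds())})
    return hits


def render_table(timeline):
    """Text equivalent of '| table _time, sourcetype, user, src, dest, action'."""
    rows = ["_time                sourcetype            user        src            dest          action"]
    for e in timeline:
        rows.append(f"{e['_time']:%Y-%m-%d %H:%M:%S}  {e['sourcetype']:<20}  {e['user']:<10}  "
                    f"{e['src']:<13}  {e['dest']:<12}  {e['action']}")
    return "\n".join(rows)


if __name__ == "__main__":
    tl = build_timeline()
    print(render_table(tl))
    for hit in correlate_external_logons(tl):
        print("external connection followed by logon:", hit)
```

The asset lookup is what makes the join possible: the firewall only knows the destination IP while the Windows event only knows the computer name, which is exactly why ES enriches both sides from its asset list before correlation. The same pairing in SPL would use the enriched dest field plus a time-ordered streamstats or transaction over the merged events.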
Splunk ES supports Navigation Control, which enables administrators to tailor the user interface based on a user's role within the security team. This ensures users only see the dashboards and tools relevant to their job function. The role names in the table below are illustrative custom roles; ES itself ships with the built-in roles ess_user, ess_analyst and ess_admin, which custom roles such as these would inherit from.
| Role Name | Default Landing Page | Accessible Features |
|---|---|---|
| es_analyst | Incident Review | Drilldown, Event Timeline, Investigation tools |
| es_manager | Security Posture Dashboard | Glass Tables, KPI Dashboards, Correlation Search Configuration |
es_analyst:
Focused on real-time incident triage and log analysis.
Has access to Notable Events, raw logs, and visualization tools for forensic investigation.
es_manager:
Oversees overall security posture and strategy.
Accesses high-level metrics and visual summaries such as risk scores and executive dashboards.
This mapping helps enforce workflow discipline, reduce UI clutter, and support least-privilege principles.
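The role-to-navigation mapping above and the navigation control section earlier both depend on one thing that is easy to get wrong: the navigation menu hides entries, but only view permissions stop a role from opening a dashboard by URL. The following added Python example (not Splunk code, and not from the original page) audits that gap. It parses a constructed data/ui/nav/default.xml and a constructed metadata/local.meta in Splunk's real formats and reports, per role, views that are absent from the menu yet still readable. ess_user, ess_analyst and ess_admin are ES's built-in role names and ess_security_posture and incident_review are real ES views; the role ess_exec, the other view names and the installed-views list are constructed for the example.

```python
"""Audit navigation control against view permissions (added example; not
Splunk code). The nav XML decides what appears in the menu; local.meta
decides who may read a view. A view that is readable but unlinked is still
reachable by URL, which is the gap this script reports."""
import configparser
import re
import xml.etree.ElementTree as ET

# Constructed data/ui/nav/default.xml: the analyst-facing menu.
NAV_XML = """<nav search_view="search" color="#65A637">
  <view name="ess_security_posture" default="true"/>
  <view name="incident_review"/>
  <collection label="Investigate">
    <view name="ess_timeline_demo"/>
  </collection>
</nav>"""

# Constructed metadata/local.meta. The bare [views] stanza is the fallback;
# a [views/<name>] stanza overrides it for that one view.
LOCAL_META = """[views]
access = read : [ * ], write : [ admin ]

[views/incident_review]
access = read : [ ess_analyst, ess_admin ], write : [ ess_admin ]

[views/exec_risk_glass_table]
access = read : [ ess_exec, ess_admin ], write : [ ess_admin ]
"""

# Constructed list of view files present under data/ui/views. raw_log_export
# is the deliberate mistake: never linked, but readable by everyone.
INSTALLED_VIEWS = ["ess_security_posture", "incident_review", "ess_timeline_demo",
                   "exec_risk_glass_table", "raw_log_export"]

ACCESS_RE = re.compile(r"read\s*:\s*\[([^\]]*)\]")


def nav_views(nav_xml):
    """Every view linked anywhere in the menu, including nested collections.
    Entries such as <view source="all"/> or <a href=...> carry no name and are skipped."""
    root = ET.fromstring(nav_xml)
    return {v.get("name") for v in root.iter("view") if v.get("name")}


def _readers(access_value):
    """Roles listed in the read : [ ... ] part of an access= line."""
    m = ACCESS_RE.search(access_value)
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()


def readable_views(meta_text, installed, role):
    """Views `role` may read: the per-view stanza if present, else the [views] default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(meta_text)
    default = _readers(cp.get("views", "access", fallback=""))
    readable = set()
    for name in installed:
        section = f"views/{name}"
        readers = _readers(cp.get(section, "access")) if cp.has_section(section) else default
        if "*" in readers or role in readers:
            readable.add(name)
    return readable


def audit(nav_xml, meta_text, installed, role):
    """Compare what the menu shows with what the role can actually open."""
    linked = nav_views(nav_xml)
    readable = readable_views(meta_text, installed, role)
    return {
        # the finding: navigation control with no access control behind it
        "hidden_but_readable": sorted(readable - linked),
        # informational: Splunk drops these menu entries for this role anyway
        "linked_but_unreadable": sorted(linked - readable),
    }


if __name__ == "__main__":
    for role in ("ess_user", "ess_analyst", "ess_exec"):
        print(role, audit(NAV_XML, LOCAL_META, INSTALLED_VIEWS, role))
```

Run against a real deployment by reading the app's default.xml, the merged default.meta plus local.meta, and the list of files under data/ui/views; anything that lands in hidden_but_readable needs a [views/<name>] stanza with an explicit read list, not just removal from the menu.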
| Topic | Enhancement Description |
|---|---|
| Timeline SPL Example | Shows how to stitch together events from different sources using _time |
| Navigation Role Mapping | Defines how user roles map to ES features and entry points |
What is the purpose of glass tables in Splunk Enterprise Security?
Glass tables provide customizable visual dashboards that display real-time operational or security status for systems, services, and infrastructure components.
Glass tables allow organizations to create visual monitoring panels representing infrastructure components such as servers, networks, or applications. Each component can display metrics like health status, event counts, or security alerts. These dashboards are commonly displayed in SOC monitoring environments to provide at-a-glance operational awareness. Unlike traditional dashboards, glass tables emphasize visual system mapping and status indicators rather than detailed analytics.
Demand Score: 66
Exam Relevance Score: 64
How are glass tables populated with data in Splunk Enterprise Security?
Glass tables retrieve data from searches, KPIs, or data sources configured within the Splunk ITSI or ES environment.
Administrators configure visual elements within a glass table and link them to underlying search queries or KPI metrics. These queries continuously update component states and metrics. The results are displayed as color indicators, icons, or metric panels on the dashboard. Proper configuration ensures that system health and security indicators update in near real time.
Demand Score: 60
Exam Relevance Score: 61
What role do forensic dashboards play in the investigation process?
Forensic dashboards allow analysts to analyze historical security events, identify patterns, and investigate suspicious activity across multiple data sources.
These dashboards provide curated visualizations and searches designed for investigative workflows. Analysts can explore historical event timelines, review user behavior patterns, and correlate activity across systems. Forensic dashboards typically rely on CIM data models to ensure consistent analysis across data sources. They serve as deeper investigation tools after a notable event has been identified.
Demand Score: 59
Exam Relevance Score: 66
Why is navigation control important when configuring dashboards in Splunk ES?
Navigation control, backed by view permissions and role capabilities, ensures that only authorized users can access specific dashboards, views, or investigation tools within the ES interface; on its own it only changes what appears in the menu.
Splunk ES environments often contain sensitive security information. Administrators configure role-based access controls to restrict which dashboards and navigation items are visible to users. Proper navigation control helps enforce least-privilege access and prevents unauthorized visibility into security monitoring or investigative data. Incorrect navigation permissions may expose sensitive operational dashboards to unintended users.
Demand Score: 55
Exam Relevance Score: 62