WEEK_2 · DAY_13 · 1 HOUR
Dashboards & Visualizations
Build SOC dashboards with Studio, tokens, drilldowns, scheduled PDFs
Learning Objectives
- Build a SOC dashboard from scratch in Dashboard Studio
- Wire time pickers and dropdowns with tokens
- Configure drilldowns for click-through investigation
- Schedule reports as PDF for executives
Module 1 — Dashboard Studio vs Classic
Classic (Simple XML) — code-first, mature, 99% of legacy dashboards.
Studio — drag-and-drop, modern, what you'll build new dashboards in today.
Module 2 — Tokens & Inputs
Tokens are variables that inputs set and searches read, e.g. $time.earliest$ or $sourcetype$.
Time picker, dropdown, multi-select, text input — every input type sets a token.
Reference them in a panel's SPL, e.g. index=$src$ earliest=$time.earliest$; the token is substituted before the search runs.
Module 3 — Drilldowns
Click on a chart bar → open another search/dashboard with context passed via tokens.
Essential for pivoting from KPI to root cause.
Module 4 — Scheduled Delivery
Reports can be scheduled via cron, emailed as PDF, or pushed to Slack/Teams via SOAR.
Lab 13 — Build a SOC Dashboard
- Open Splunk → Posture (or Search → New Dashboard).
- Build 4 panels: notable count by urgency, trend over 7d, top 10 sources, top 10 ATT&CK techniques.
- Add a time picker that updates all panels.
- Configure drilldown from any bar → Incident Review filtered.
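The token and drilldown wiring from Modules 2 and 3 in the code-first Classic (Simple XML) form, as an added example rather than course material: the time picker and dropdown set the `time` and `src` tokens, both panels consume them, and the bar chart's drilldown passes the clicked urgency to Incident Review. The index names in the dropdown and the `urgency` URL parameter on the Incident Review link are assumptions to adjust for your environment.

```xml
<form version="1.1">
  <label>SOC Posture (lab example)</label>
  <!-- Inputs: every input sets a token that the panel searches reference -->
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="src" searchWhenChanged="true">
      <label>Source index</label>
      <!-- assumed index names; adjust to your environment -->
      <choice value="notable">notable</choice>
      <choice value="main">main</choice>
      <default>notable</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Notable count by urgency</title>
      <chart>
        <search>
          <!-- $src$ and $time.*$ are substituted before the search runs -->
          <query>index=$src$ | stats count by urgency</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <!-- Drilldown: $click.value$ is the clicked bar's x-axis category (urgency);
             the urgency= parameter on the Incident Review URL is an assumption -->
        <drilldown>
          <link target="_blank">/app/SplunkEnterpriseSecuritySuite/incident_review?urgency=$click.value$&amp;earliest=$time.earliest$&amp;latest=$time.latest$</link>
        </drilldown>
      </chart>
    </panel>
    <panel>
      <title>Notable trend, 7 days</title>
      <chart>
        <search>
          <query>index=$src$ | timechart span=1d count by urgency</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

The same wiring in Dashboard Studio is a time range input and a dropdown input whose tokens the data source queries reference, plus a custom URL drilldown on the column chart.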
Key Takeaways
- ✓ Tokens make dashboards interactive
- ✓ Drilldowns turn dashboards into investigation tools
- ✓ Schedule = SOC reaches the boardroom automatically