Digital Forensics and Incident Response (DFIR) professionals know that speed and efficiency are critical during investigations. TheĀ Splunk DFIR Dashboard CollectionĀ is a treasure trove of ready-to-use Splunk dashboards designed to streamline forensic analysis and provide immediate insights into collected log data.
šĀ Whatās Inside?
This GitHub repository contains a curated set ofĀ tested, production-ready Splunk dashboard XML filesĀ built specifically for DFIR investigations. These dashboards were developed and refined over years of real-world incident response cases, ensuring they meet the needs of analysts dealing with:
Windows Event Logs (EVTX)
Plaso timelines
CSV/JSON logs from EDRs & triage tools
Other forensic artifacts
ā Ā Key Features
āĀ Case-Based Dropdown SelectorĀ ā Quickly switch between different investigation indexes.
āĀ Plug-and-Play FunctionalityĀ ā Just ingest logs into a designated index, and the dashboards auto-parse them.
āĀ Automated AnalysisĀ ā Pre-built searches and visualizations highlight key forensic artifacts.
āĀ Flexible Data SupportĀ ā Works with EVTX, CSV, JSON, NDJSON, and more.
āĀ Optimized for Splunk EnterpriseĀ ā No Splunk Cloud dependencies.
šĀ How to Use These Dashboards
1ļøā£ Install Splunk Enterprise
If you donāt already have Splunk running, download and install it from:
šĀ https://www.splunk.com
2ļøā£ Ingest Your Forensic Data
Use SplunkāsĀ “Add Data”Ā interface or CLI to load logs into a case-specific index (e.g.,Ā
case_july2025_ransomware).
3ļøā£ Import the Dashboards
Option A:Ā Copy/paste the XML into SplunkāsĀ “Import Dashboard”Ā feature.
Option B:Ā Manually place theĀ
.xmlĀ files into:$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/default/data/ui/views/
4ļøā£ Start Analyzing!
Open the dashboard, select your case index, and explore:
Event Log Triage
Process Timelines
Logon Activity
Detection Hits by Rule
Plaso Timeline Analysis
š Ā Dashboard Types Available
| Dashboard | Purpose |
|---|---|
| š„ļø DFIR Linux Security Event Overview | Linux Security Event Analysis |
| š¾ DFIR Plaso Dashboard | Parse and visualize Plaso timelines |
| š”ļø DFIR Windows Security Event Overview | Windows Security Event Analysis |
šĀ Additional Resources
Splunk DocumentationĀ ā For setup and customization.
- https://github.com/Truvis/SplunkDashboards/tree/master
š¤Ā Contributions & Feedback Welcome!
This project isĀ community-driven. If you:
Have enhancement ideas
Spot bugs or false positives
Want to contribute your own dashboards
šĀ Open an Issue or Submit a Pull Request!
Why This Repository Matters
DFIR analysts often spend hours building custom dashboards for each case. This collectionĀ eliminates that overhead, allowing responders to focus onĀ analysis rather than setup. Whether you’re investigating ransomware, insider threats, or malware outbreaks, these dashboards provideĀ immediate visibilityĀ into critical forensic data.
šĀ Check out the repo here:Ā GitHub – Splunk DFIR Dashboard Collection