topic Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page in Security https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693272#M17993 <P>1. Don't just enable all Correlation Rules. You'll kill your ES installation</P><P>2. Try this to find the rule which creates your notables</P><PRE>| rest /services/saved/searches<BR />| search action.notable.param.rule_title="Access - * - Rule"<BR />| table title action.notable.param.rule_title action.notable.param.security_domain disabled eao:acl.app eai:acl.owner eai:acl.sharing |</PRE><P>&nbsp;</P> Sat, 13 Jul 2024 19:17:19 GMT PickleRick 2024-07-13T19:17:19Z Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693257#M17988 <P>While using Splunk ES, we noticed that correlation searches were set<BR />To an incorrect security field on the Incident Review page. This leads to inaccurate classifications of events<BR />Security and affects the decision-making process<BR /><BR />The first step is to set security Domain = Access</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tuts_0-1720872572968.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31733iF449748F69C79802/image-size/medium?v=v2&amp;px=400" role="button" title="tuts_0-1720872572968.png" alt="tuts_0-1720872572968.png" /></span></P><P><BR />The problem is that instead of being classified as security Domain = Access, it is classified as Theret, and so all cases are classified as Theret<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tuts_1-1720872610012.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31734i74644E9960DB5606/image-size/medium?v=v2&amp;px=400" role="button" title="tuts_1-1720872610012.png" alt="tuts_1-1720872610012.png" /></span></P><P><BR /><BR />This causes us a problem with the values ​​not appearing on the Security Posture page<BR /><BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tuts_2-1720872678035.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31735iEFAD613EEA97BE24/image-size/medium?v=v2&amp;px=400" role="button" title="tuts_2-1720872678035.png" alt="tuts_2-1720872678035.png" /></span></P><P>&nbsp;</P><P><BR /><BR /><BR /></P> Sat, 13 Jul 2024 12:15:00 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693257#M17988 tuts 2024-07-13T12:15:00Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693259#M17989 <P>1. Maybe someone tampered with your installation. This is from my lab with default settings:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PickleRick_0-1720878447531.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31736i4C7552FFD1A7F7F7/image-size/medium?v=v2&amp;px=400" role="button" title="PickleRick_0-1720878447531.png" alt="PickleRick_0-1720878447531.png" /></span></P><P>2. Anyway, even if there was an error, the proper channel to report it is to create a Support case. This is a community-driven forum, not a support channel</P> Sat, 13 Jul 2024 13:48:20 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693259#M17989 PickleRick 2024-07-13T13:48:20Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693262#M17990 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tuts_0-1720881668246.jpeg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31737iAD8CCF6AAF2BA62B/image-size/medium?v=v2&amp;px=400" role="button" title="tuts_0-1720881668246.jpeg" alt="tuts_0-1720881668246.jpeg" /></span></P><P>I have the same settings, it categorizes all...<BR />Correlation with the value Threat&nbsp;&nbsp;</P><P>&nbsp;</P> Sat, 13 Jul 2024 14:43:08 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693262#M17990 tuts 2024-07-13T14:43:08Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693265#M17991 <P>I'm tempted to say you're looking at a wrong correlation search. The one we're both looking into is a standard search defined in SA-AccessProtection called "Excessive Failed Logins", right?</P><P>And it should produce a notable with a title "Excessive Failed Logins". But your notables have a title "Access - login splunk - Rule". It is most probably something created in your environment (even more so because splunk is spelled with lowercase "S" so it's definitely not something provided by Splunk.</P><P>&nbsp;</P> Sat, 13 Jul 2024 17:15:28 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693265#M17991 PickleRick 2024-07-13T17:15:28Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693268#M17992 <P class="lia-align-right">Yes, exactly, this is what I am surprised about, why does it add Access - login splunk - Rule although I did not modify the address is there a solution to this problem for me and I will be</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-07-13 21_14_12-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31738i34AFAE10C7B2B98A/image-size/medium?v=v2&amp;px=400" role="button" title="2024-07-13 21_14_12-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg" alt="2024-07-13 21_14_12-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-07-13 21_15_17-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31739i47FC82EF770E2795/image-size/medium?v=v2&amp;px=400" role="button" title="2024-07-13 21_15_17-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg" alt="2024-07-13 21_15_17-Content Management _ Splunk and 21 more pages - Profile 1 - Microsoft​ Edge.jpg" /></span></P><P><BR />I activated every rule but still the same problem all the results categorize Threat</P><P><BR /><BR /> </P><P class="lia-align-right">grateful to you</P> Sat, 13 Jul 2024 18:17:41 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693268#M17992 tuts 2024-07-13T18:17:41Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693272#M17993 <P>1. Don't just enable all Correlation Rules. You'll kill your ES installation</P><P>2. Try this to find the rule which creates your notables</P><PRE>| rest /services/saved/searches<BR />| search action.notable.param.rule_title="Access - * - Rule"<BR />| table title action.notable.param.rule_title action.notable.param.security_domain disabled eao:acl.app eai:acl.owner eai:acl.sharing |</PRE><P>&nbsp;</P> Sat, 13 Jul 2024 19:17:19 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693272#M17993 PickleRick 2024-07-13T19:17:19Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693276#M17994 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-07-13 23_07_29-Search _ Splunk 9.2.1 and 15 more pages - Profile 1 - Microsoft​ Edge.jpg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31742i2BF4B7B890CF571A/image-size/medium?v=v2&amp;px=400" role="button" title="2024-07-13 23_07_29-Search _ Splunk 9.2.1 and 15 more pages - Profile 1 - Microsoft​ Edge.jpg" alt="2024-07-13 23_07_29-Search _ Splunk 9.2.1 and 15 more pages - Profile 1 - Microsoft​ Edge.jpg" /></span></P><P> No results found</P> Sat, 13 Jul 2024 20:08:19 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693276#M17994 tuts 2024-07-13T20:08:19Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693277#M17995 <P>Try</P><PRE>/serviceNS/-/-/</PRE><P>instead of</P><PRE>/services/</PRE> Sat, 13 Jul 2024 22:44:42 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693277#M17995 PickleRick 2024-07-13T22:44:42Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693280#M17996 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-07-14 08_49_28-Search _ Splunk 9.2.1 and 17 more pages - Profile 1 - Microsoft​ Edge.jpg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31743i0716537EF000C91F/image-size/medium?v=v2&amp;px=400" role="button" title="2024-07-14 08_49_28-Search _ Splunk 9.2.1 and 17 more pages - Profile 1 - Microsoft​ Edge.jpg" alt="2024-07-14 08_49_28-Search _ Splunk 9.2.1 and 17 more pages - Profile 1 - Microsoft​ Edge.jpg" /></span></P><P> No results found</P> Sun, 14 Jul 2024 05:51:36 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693280#M17996 tuts 2024-07-14T05:51:36Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693283#M17997 <P>Sorry, my typo. It's servicesNS (plural).</P> Sun, 14 Jul 2024 09:14:21 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693283#M17997 PickleRick 2024-07-14T09:14:21Z Re: Splunk issue report: Error in security domain settings in correlation searches and Incident Review page https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693297#M17998 <P>What should I do now to solve the problem</P> Sun, 14 Jul 2024 17:10:59 GMT https://community.splunk.com/t5/Security/Splunk-issue-report-Error-in-security-domain-settings-in/m-p/693297#M17998 tuts 2024-07-14T17:10:59Z