topic Re: how do I make splunk es to check my uploaded logs in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689731#M11998 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268709">@testttt</a>&nbsp;There&nbsp;are&nbsp;no&nbsp;notable&nbsp;events&nbsp;that&nbsp;you&nbsp;can&nbsp;produce&nbsp;because&nbsp;you&nbsp;have&nbsp;uploaded&nbsp;sample&nbsp;events&nbsp;to&nbsp;Splunk.&nbsp;Could&nbsp;you&nbsp;please&nbsp;create&nbsp;an&nbsp;instance,&nbsp;send&nbsp;the&nbsp;logs&nbsp;to&nbsp;Splunk,&nbsp;and&nbsp;attempt&nbsp;to&nbsp;produce&nbsp;the&nbsp;notable&nbsp;events? such&nbsp;as&nbsp;unsuccessful&nbsp;login&nbsp;attempts&nbsp;and&nbsp;bruteforce&nbsp;attacks.</P> Wed, 05 Jun 2024 16:32:29 GMT kiran_panchavat 2024-06-05T16:32:29Z how do I make splunk es to check my uploaded logs https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689688#M11997 <P><SPAN>I have installed splunk es app and uploaded botsv1.stream_http.json (<A href="https://github.com/splunk/attack_data" target="_blank">https://github.com/splunk/attack_data</A>)</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="336788958-05898aa7-26ac-4db7-ac9f-9cc72fb6feb2.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31156i4B1E6EC4AE26799B/image-size/large?v=v2&amp;px=999" role="button" title="336788958-05898aa7-26ac-4db7-ac9f-9cc72fb6feb2.png" alt="336788958-05898aa7-26ac-4db7-ac9f-9cc72fb6feb2.png" /></span><BR /><SPAN>but incident_review and ess_security_posture is not hitting any event</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="336789872-68990f35-2468-4ef5-82e8-1da409d20585.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31155i9013FBAB35965A7A/image-size/large?v=v2&amp;px=999" role="button" title="336789872-68990f35-2468-4ef5-82e8-1da409d20585.png" alt="336789872-68990f35-2468-4ef5-82e8-1da409d20585.png" /></span></P><P><SPAN>how do I make splunk es to check my uploaded logs and generate a list of alerts like below. Please note that I am not checking the logs forwarded by agent, but the log files uploaded on the browser side</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="336793300-1a8315ea-8ac6-47e2-98d2-eaf79ce0391d.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31157i1BA851B8F6FC8ED6/image-size/large?v=v2&amp;px=999" role="button" title="336793300-1a8315ea-8ac6-47e2-98d2-eaf79ce0391d.png" alt="336793300-1a8315ea-8ac6-47e2-98d2-eaf79ce0391d.png" /></span></P><P><SPAN>thank you</SPAN></P> Wed, 05 Jun 2024 11:09:34 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689688#M11997 testttt 2024-06-05T11:09:34Z Re: how do I make splunk es to check my uploaded logs https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689731#M11998 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268709">@testttt</a>&nbsp;There&nbsp;are&nbsp;no&nbsp;notable&nbsp;events&nbsp;that&nbsp;you&nbsp;can&nbsp;produce&nbsp;because&nbsp;you&nbsp;have&nbsp;uploaded&nbsp;sample&nbsp;events&nbsp;to&nbsp;Splunk.&nbsp;Could&nbsp;you&nbsp;please&nbsp;create&nbsp;an&nbsp;instance,&nbsp;send&nbsp;the&nbsp;logs&nbsp;to&nbsp;Splunk,&nbsp;and&nbsp;attempt&nbsp;to&nbsp;produce&nbsp;the&nbsp;notable&nbsp;events? such&nbsp;as&nbsp;unsuccessful&nbsp;login&nbsp;attempts&nbsp;and&nbsp;bruteforce&nbsp;attacks.</P> Wed, 05 Jun 2024 16:32:29 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689731#M11998 kiran_panchavat 2024-06-05T16:32:29Z Re: how do I make splunk es to check my uploaded logs https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689819#M12000 <P>I created a dvwa application and used SplunkUniversalForwarder to forward the log to port 9997, containing events such as sql injection and brute force cracking,</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="微信截图_20240606163504.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31187iA90D026552567841/image-size/large?v=v2&amp;px=999" role="button" title="微信截图_20240606163504.png" alt="微信截图_20240606163504.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="微信截图_20240606163352.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31188i748E16F72C277673/image-size/large?v=v2&amp;px=999" role="button" title="微信截图_20240606163352.png" alt="微信截图_20240606163352.png" /></span></P><P>but incident_review and ess_security_posture is not hitting any event</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="微信截图_20240606163605.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31186i6F486FB1B9FCA07B/image-size/large?v=v2&amp;px=999" role="button" title="微信截图_20240606163605.png" alt="微信截图_20240606163605.png" /></span></P> Thu, 06 Jun 2024 09:00:27 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/how-do-I-make-splunk-es-to-check-my-uploaded-logs/m-p/689819#M12000 testttt 2024-06-06T09:00:27Z