
H classification is Threat, even though I chose endpoin

tuts
Path Finder


 

 Hello everyone, I do not know why the classification is Threat, even though I chose endpoin


gcusello
SplunkTrust

Hi @tuts ,

Go to the ES menu item [Settings > Configure > Contents],

choose the related Correlation Search and check in the Notable section which Security Domain is configured.

Probably the Threat Security Domain is associated with your Correlation Search and is bundled in the CS name.

In this case you have to clone the CS, using the correct Security Domain, and delete the old one.

Ciao.

Giuseppe


tuts
Path Finder

I did the same steps and still have the same problem



tuts
Path Finder


 This is the search, but whatever you choose from a domain, it categorizes it as a threat

 


gcusello
SplunkTrust

Hi @tuts ,

As I said, the Threat Security Domain is in the name of the Correlation Search.

Clone your CS and change the Security Domain.

You'll have a new CS with the correct name.

Ciao.

Giuseppe


tuts
Path Finder

 


 If you mean that, I did it and still have the same problem. 

 

 


tuts
Path Finder

I am new in this field, is it possible to explain the solution step by step?


gcusello
SplunkTrust

Hi @tuts ,

Please try this:

  • from the list of Correlation Searches, clone yours (link on the right side),
  • edit the new Correlation Search using the correct Security Domain,
  • save it,
  • disable and then delete the old Correlation Search.

Ciao.

Giuseppe
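
A scripted version of the check described in the replies above, as an added example that is not part of the original thread: it scans a savedsearches.conf for correlation searches whose name prefix disagrees with the configured Security Domain. It assumes ES keeps the domain in the `action.notable.param.security_domain` key and names searches `<Domain> - <Name> - Rule`; the stanzas and search strings are constructed sample data.

```python
import configparser

# Constructed sample data, not taken from the thread. The first stanza has
# "Threat" in its name although its Security Domain is set to endpoint.
SAMPLE_CONF = """
[Threat - Suspicious Process Launch - Rule]
action.correlationsearch.enabled = 1
action.notable = 1
action.notable.param.security_domain = endpoint
search = index=placeholder sourcetype=placeholder | stats count by dest

[Endpoint - Suspicious Process Launch - Rule]
action.correlationsearch.enabled = 1
action.notable = 1
action.notable.param.security_domain = endpoint
search = index=placeholder sourcetype=placeholder | stats count by dest

[Some Ordinary Report]
search = index=_internal | stats count
"""

# Assumption: the key ES uses for the Security Domain of the notable action.
DOMAIN_KEY = "action.notable.param.security_domain"


def find_domain_mismatches(conf_text):
    """Return (stanza, name_prefix, configured_domain) for each mismatch."""
    # Only "=" is a delimiter, so ":" or "|" inside a search stays in the value.
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)

    mismatches = []
    for name in parser.sections():
        if not parser.has_option(name, DOMAIN_KEY):
            continue  # not a notable-producing search
        if " - " not in name:
            continue  # name does not follow the assumed convention
        prefix = name.split(" - ", 1)[0].strip().lower()
        configured = parser.get(name, DOMAIN_KEY).strip().lower()
        if prefix != configured:
            mismatches.append((name, prefix, configured))
    return mismatches


if __name__ == "__main__":
    for stanza, prefix, configured in find_domain_mismatches(SAMPLE_CONF):
        print(f"{stanza}: name says '{prefix}', config says '{configured}'")
```
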


tuts
Path Finder

I did the same steps and still have the same problem

 


tuts
Path Finder


  here

 


tuts
Path Finder


I really don't know what to do; all I want is to adopt the security domains that I want.

 


tuts
Path Finder

Welcome, engineer. I did not understand where to go; can you explain more? I am new to Splunk, and for about two months I have been looking for a solution to the problem.

 
