H classification is Threat, even though I chose en...

tuts · ‎07-10-2024

2024-07-10 21_41_02-SPLUNK - VMware Workstation.jpg

Hello everyone, I do not know why the classification is Threat, even though I chose endpoin

gcusello · ‎07-10-2024

Hi @tuts ,

go in the ES menu item [Settings > Configure > Contents]

choose the related Correlation Search and see in the Notable Section what's the configured Security Domain.

probably the Threat Security Domain is associated to your Correlation Search and it's bundled in the CS name.

In this case you have to clone the CS, using the correct Security Domain and delete the old one.

Ciao.

Giuseppe

tuts · ‎07-11-2024

I did the same steps and still have the same problem

2024-07-11 12_20_23-Incident Review _ Splunk and 17 more pages - Profile 1 - Microsoft Edge.jpg

2024-07-11 12_19_35-Edit Correlation Search _ Splunk and 17 more pages - Profile 1 - Microsoft Edge.jpg

2024-07-11 12_19_11-Content Management _ Splunk and 17 more pages - Profile 1 - Microsoft Edge.jpg

2024-07-11 12_11_35-Content Management _ Splunk and 14 more pages - Profile 1 - Microsoft Edge.jpg

2024-07-11 12_11_55-Content Management _ Splunk and 14 more pages - Profile 1 - Microsoft Edge.jpg

tuts · ‎07-11-2024

2024-07-11 11_10_35-SPLUNK - VMware Workstation.jpg

This is the search, but whatever you choose from a domain, it categorizes it as a threat

gcusello · ‎07-11-2024

Hi @tuts ,

as I said, the Threat Security Domain is in the name of the Correlation Search.

Clone your CS and change the Security Domain.

You'll have a new CS with the correct name.

Ciao.

Giuseppe

tuts · ‎07-11-2024

2024-07-11 12_01_43-Content Management _ Splunk and 12 more pages - Profile 1 - Microsoft Edge.jpg

If you mean that, I did it and still have the same problem.

tuts · ‎07-11-2024

I am new in this field, is it possible to explain the solution step by step?

gcusello · ‎07-11-2024

Hi @tuts ,

please try this:

from the list of the Correlation Searches, clone your one (link on the right side),
edit the new Correlation Search using the correct Security Domain,
Save it.
disable and then delete the old Correlatin Search.

Ciao.

Giuseppe

tuts · ‎07-11-2024

I did the same steps and still have the same problem

2024-07-11 12_11_55-Content Management _ Splunk and 14 more pages - Profile 1 - Microsoft Edge.jpg

2024-07-11 12_11_35-Content Management _ Splunk and 14 more pages - Profile 1 - Microsoft Edge.jpg

tuts · ‎07-11-2024

2024-07-11 11_49_07-Edit Lookup _ Splunk and 13 more pages - Profile 1 - Microsoft Edge.jpg

2024-07-11 11_47_43-Content Management _ Splunk and 13 more pages - Profile 1 - Microsoft Edge.jpg

here

tuts · ‎07-11-2024

2024-07-11 10_16_19-SPLUNK - VMware Workstation.jpg

2024-07-11 10_17_41-SPLUNK - VMware Workstation.jpg

I really don't know what to do, all I want is to adopt the security domains that I want

tuts · ‎07-11-2024

2024-07-11 10_11_03-SPLUNK - VMware Workstation.jpg

Welcome to you engineer I did not understand where to go can you explain to me more I am new to splunk and about two months I am looking for a solution to the problem

H classification is Threat, even though I chose endpoin

administration

configuration

search

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform