Splunk Enterprise Security

Context is not updated for the 'Substantial Increase in Port Activity' ES Correlation Search

The search "Network - Port Activity By Destination Port - Gen Context" returns more than 65000 dest_port; however, the context is not updated with all ports.

What could be failing?
