Splunk Enterprise Security

Notable Events in Incident Management Review not properly generated

xnx_1012
Explorer

Hi to whomever find this

The incident management review settings has repeated events

What I did?

I purpose logged in with the wrong information to some device, but I only did it once. Howver, the result shown below is generated twice in the Incident Management Review

xnx_1012_1-1631763262095.png

My settings for this correlation search

xnx_1012_2-1631763368743.png

Also, the things I have specified, such as:

  • Severity
  • Default Status
  • Recommended Actions

were not shown whenever the event is generated

Result

xnx_1012_5-1631764081898.png

 

Settings

xnx_1012_4-1631764053324.png

xnx_1012_6-1631764150353.png

 

 

 

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...