Splunk Enterprise Security: Why are all my notable events showing "0"?

jgorman_THG
Explorer

Hello,

Under Security Posture, all my notable events are showing 0, and I am not sure whether it is working and we just haven't had a notable event, or whether it isn't working.

Can someone tell me how I can confirm that this part of ES is working?

Thanks,

JG


smoir_splunk
Splunk Employee

Hello @jgorman_THG,

I'd check a couple things:
* Are there notable events on Incident Review, but not on Security Posture?
* If there are no notable events on Incident Review or on Security Posture, make sure that you have correlation searches enabled. Check the Content Management page (Configure > Content Management).

Let me know what you find on Incident Review and Content Management!

jgorman_THG
Explorer

Hi!

Looks like the correlation searches were not enabled.

Am I safe to enable all of them? Do I need to make any changes?

Thanks,

JG


smoir_splunk
Splunk Employee

Hello JG,
Do not enable all of them; you only want to enable the ones that fit your security use cases and the data that you have in Splunk Enterprise Security. For example, if you have endpoint logs and care about malware infections, you can enable the correlation searches that pertain to malware activity detection. You have to understand the data in your system, then decide which correlation searches to enable (and thus which alerts your analysts should see).
See more here: http://docs.splunk.com/Documentation/ES/4.5.0/User/ConfigureCorrelationSearches (this advice mostly applies even if you're not running 4.5.0)

Let me know if you have any questions!
Thanks,
Sarah

jgorman_THG
Explorer

Hi,

Thanks a lot for your help.

So I've activated them, and under Activities I can see that the jobs are running, but they're all coming up with '0' results.

Under the security domains, there is data coming in.

Is it possible I just haven't had any notable events in the time since I activated them?

Thanks,

JG


smoir_splunk
Splunk Employee

Hello JG,

That is possible. One thing you could also check is the Content Profile dashboard to see which data models have data in them, and then which knowledge objects you can use with those data models.

  • If you enabled correlation searches for data models without accelerated data, you still won't see notable events.
  • If the correlation searches (identified on the Content Profile page by the "- Rule" suffix) are enabled for data models that have data, then it's likely that you simply haven't had any notable events since you enabled the correlation searches.

Let me know if that helps!
Thanks,
Sarah
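The checks described in the answers above (notables on Incident Review, correlation searches enabled, data models accelerated) can also be run from the search bar instead of the dashboards. The four searches below are an added example for this thread, not Splunk's or the original posters' code. They assume ES 4.6 or later, where a correlation search is a saved search carrying action.correlationsearch.enabled=1 (in 4.5 and earlier the rule metadata lived in correlationsearches.conf, so the second search would return nothing); they use the Malware data model and the rule "Endpoint - Host With Multiple Infections - Rule" only as stand-ins for whichever models and rules you actually enabled. Run each search separately, with the time picker set to the last 7 days.

```spl
index=notable earliest=-7d
| stats count min(_time) as first_seen max(_time) as last_seen by search_name
| convert ctime(first_seen) ctime(last_seen)

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search action.correlationsearch.enabled=1
| eval status=if(disabled=1, "disabled", "enabled")
| table title status cron_schedule dispatch.earliest_time dispatch.latest_time

| tstats summariesonly=false count from datamodel=Malware.Malware_Attacks where earliest=-24h by _time span=1h

| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks where earliest=-24h by _time span=1h

| savedsearch "Endpoint - Host With Multiple Infections - Rule"
```

Reading the results: the first search lists every rule that has written a notable to the notable index in the last week; an empty result with rules showing as enabled in the second search means none of them matched, not that the framework is broken. The two tstats searches are the key acceleration check from the last answer: if summariesonly=false returns counts but summariesonly=true returns nothing, the data model has data but no summary yet (acceleration is off or still building), and correlation searches that run with summariesonly=true will produce 0 results against it. The final search runs a rule's own SPL with the savedsearch command over the wider time range of the time picker without firing its notable action, so you can see whether it would have produced rows at all before concluding that the period since enabling it has simply been quiet.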
