Splunk Enterprise Security

Tune out blocks for Threat Activity Detected in ES.


I'm a bit of a rookie and trying to tune the "Threat Activity Detected" correlation search in ES. I would like to take the output of the default search and compare the src, dest, and _time with a search on the firewall. I would also output the action= field from the firewall and alert if action=allowed. I plan to create the same for repeat attempts, but I'm still trying to get past the comparison.
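One way to build the comparison the question describes, as an added example that is not from the original thread and not Splunk's shipped "Threat Activity Detected" search: both sides are bucketed into the same 5-minute window on src and dest, combined with append, and only buckets that appear on both sides with a firewall action of allowed survive. It assumes the Network_Traffic and Threat_Intelligence data models are accelerated and that the firewall events are CIM-mapped so that src, dest and action are populated; the 5-minute span and the field names on the Threat_Activity side (src, dest, threat_match_value) are assumptions to check against your environment.

```spl
| tstats summariesonly=true count AS fw_count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed"
    by _time span=5m All_Traffic.src All_Traffic.dest All_Traffic.action
| rename All_Traffic.* AS *
| eval side="firewall"
| append
    [| tstats summariesonly=true count AS threat_count
        from datamodel=Threat_Intelligence.Threat_Activity
        by _time span=5m Threat_Activity.src Threat_Activity.dest Threat_Activity.threat_match_value
     | rename Threat_Activity.* AS *
     | eval side="threat" ]
| stats values(side) AS sides
        sum(fw_count) AS fw_count
        values(threat_match_value) AS threat_match_value
        values(action) AS action
    by _time src dest
| where mvcount(sides)=2
| eventstats sum(fw_count) AS repeat_allowed by src dest
| table _time src dest action threat_match_value fw_count repeat_allowed
```

Because the firewall side is already filtered to action="allowed", the `mvcount(sides)=2` test is the "threat match and allowed traffic in the same window" condition, and blocked traffic never reaches the output. The `eventstats` line gives a per-src/dest total of allowed buckets across the search time range, which is the repeat-attempt count the question mentions; a correlation search built on this can then alert with a `where repeat_allowed >= N` threshold instead of on every single match.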


Re up, I am also facing the same issues.

