Splunk Enterprise Security

Tune out blocks for Threat Activity Detected in ES.

jbillings
SplunkTrust
SplunkTrust

I'm a bit of a rookie and trying to tune the "Threat Activity Detected" correlation search in ES. I would like to take the output of the default search and compare the src, dest, _time from a search on the firewall. I would also output the action= from the firewall and if action=allowed then alert. I plan to create the same for repeat attempts, but trying to get past the comparison.

Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...