Splunk Enterprise Security

Discussions

Thread Info

How can I make an ES Incident Review copy of my Notables?

How can we halt duplicate notables from being created on the Enterprise security Incident Review page for the same ev...

by New Member in

How to duplicate Notables in ES Incident Review?

Hi All, How can we stop duplicate notables which are getting generated in the Incident Review page for same event ...

by Loves-to-Learn Lots in

How to add new field for filtering in Splunk ES incident review?

Hi all, I would like to ask is that a way to add a another field for filtering in the Splunk ES incident review pa...

by New Member in

Failed to fetch data: Unable to get wmi classes from host '192.168.1.131'. This host may not be reachable or WMI may be

Hello, i have installed Splunk on windows machines and trying to get data from another windows machines using remot...

by Engager in

Unable to access Splunk ES?

I have abruptly been unable to access Splunk ES with the error message as "Fetch failed: authentication/current-conte...

by Engager in

Trouble with Enterprise Security configuration

Hi All, We have recently installed Enterprise Security but strangely the default dashboard doesn't display the inde...

by Path Finder in

Notable info could not be obtained: : unidentified in content management adaptive response actions?

Hi All, we have newly installed ES cluster where we cannot see the any action populating in adaptive response. We ...

by Path Finder in

Why is the ES Incident Review page still lists deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

The ES Incident Review page still lists deleted Correlation Searches Names in the Multiselect box "Correlation Search...

by Splunk Employee in

Enterprise Security - Correlation Search - Notable - "default owner" missing users

I'm attempting to auto-assign users to certain types of Notable events under "Default Owner". For some reason only 20...

by Communicator in

Enterprise Security Incident Review Default Filter: What conf file is that store in?

In Incident Review, one can create a filter and save it as a default. Where does it store that configuration so I ca...

by Path Finder in

Where can I find powershell commands?

G'day, Can someone please help me to understand how I can find the powershell commands (if any) an adversary has r...

by Loves-to-Learn Lots in

Using "sendalert risk" from saved search fails?

A saved search that ends with | sendalert risk param._risk_score=risk_score runs fine, but fails when run as a ...

by SplunkTrust in

Timechart with multiple values?

Hello!I'm trying to make a timechart day wise action by unique user for the proxy logs like this one below, but I'm u...

by Explorer in

How to get multiple issues when enabling ssl on Splunk web with 3rd party certs with requiredClientCert = true?

Hi All, I want enable mTLS in splunk cluster on all the communication channels. I have peer certificate that works...

by Path Finder in

How to make the Splunk ES Risk-Based Alerting risk threshold search case insensitive

We've starter lookin into Risk-Based Alerting (RBA) in Splunk ES, and noticed that the logic for the risk notables is...

by Builder in