Splunk Enterprise Security

Thread Info

How can I filter and track events from users accessing organizations laptop in foreign countries.

Hello, I am new to splunk and I need help BIG TIME. I have been struggling to write a search that can filter e...

by New Member in

Delete notable event history?

All, How can I delete the notable event history? Nothing in there I care about. We had a few were testing and now...

by Builder in

How to filter logs in Windows Server to decrease the quota of data in Splunk Enterprise Security (ES)?

I using Splunk ES and I need filter logs in Windows Server(probably 200 servers) to decrease the quota of data. In Wi...

by Path Finder in

Why is there a following error in 'lookup' command "Lookups: The lookup table 'event_time_field=temp_time' does not exist or is not available"?

Evidently this is well-known in support circles but not on the internet yet, so I am sharing my pain for your gain. W...

by Esteemed Legend in

Context is not updated for the 'Substantial Increase in Port Activity' ES Correlation Search

The search "Network - Port Activity By Destination Port - Gen Context" returns more than 65000 dest_port, however the...

by Engager in

Need to delete a knowledge object for extremesearch

created context using step 4 in link https://docs.splunk.com/Documentation/ES/5.1.0/Admin/Extremesearchexample and we...

by Splunk Employee in

How to access data from a Lookup table in another app to a custom dashboard in ES?

Trying to access data from a lookup table in another app (TA_recordedfuture-cyber) to a custom dashboard we've create...

by Path Finder in

Getting hundreds of credit card numbers from Splunk PII corelation search in enterprise security, wondering if this is false positive or do we actually collect these CC numbers inadvertently

I am getting CC issuer names (Visa, master, discover etc.) and also numbers and wondering if this is actual data or i...

by Communicator in

ASP Net Core 2.1 App throws intermittent SSL error while logging to Splunk

we have a .net core app which we recently migragated to 2.1 from 1.x. Post migration we have seen that the app hangs ...

by New Member in

Splunk Enterprise Security 5.0 warning messages

Hi, Newbie here. We recently had professional services setup and installed Splunk a few months back. It's been runnin...

by Explorer in

Infoblox CIM unknown fields

Hi there, In order to make certain dashboards fill up in Enterprise Security we need to have dns.message_type show...

by Path Finder in

Inputlookup Form

Hello, I am trying to create a Splunk Form that takes as an input a CSV file and displays the number of results fo...

by New Member in

Splunk ES Error Message

All, Any guesses why I am getting the following error message in the Splunk ES GUI? splunkd log isn't telling me ...

by Builder in

Get daily license usage from remote search head

Is there a way to view daily license usage on a remote search head, instead of going to the deployment server/license...

by Explorer in

how to ensure that splunk correlation rules are running continuously in background

I see some searches apparently are running but since the user activity is less these days so cant confirm if those ev...

by Communicator in

Comparison of Splunk enterprise and Splunk enterprise security

HI! Is Splunk enterprise security contains all the features of Splunk enterprise as well other than its advanced s...

by Explorer in

Splunk Enterprise Security: Why do I receive "command="xswhere", [Errno 13] Permission denied" error when trying to perform a correlation search?

Hello, some correlation searches don't trigger. when I copy the search and tried to run on search window, I am gettin...

by Explorer in

UF installation on 2016 Symantec Server

Installation fails on 2016 SEP server. I've disable local SEP protection and ran the installation as admin from the c...

by New Member in

Self study resources for certification

Hi, I want to get certification in spunk as a splunk admin and architect. I would like to know about the study mat...

by New Member in

Do I have to disable asset_lookup_by_cidr?

Hi Splunkers, In our alerts related to Network domain (IDS, netflow, etc), where in logs there's only IP address a...

by Contributor in

How to make a graph of the following query

Hi team! It's my very first time with Splunk and I need help. This is my query and I would like to make a graph...

by Path Finder in

ES - Completely Inactive Account false positive alerts?

Hi, I am trying to clean out a little the correlation alerts in ES. Currently focusing on the Completely Inactive ...

by Communicator in

Splunk Enterprise Security - How to use the Incident Review event page

I have an incident which reads - "Activity from Expired User Identity" CRITICAL Please can someone work me through ho...

by New Member in

I would like to create a Workflow action (using a POST link) using the rule_title field and cannot figure out how to expand the tokens in the field.

When constructing the post data from a Notable Event in Enterprise Security Incident Review dashboard as an event act...

by Engager in

Splunk port scan detection

Hi team! It's my very first time and I need help. I want to detect a port scan. I did that but I dont know how ...

by Path Finder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Enterprise Security

Discussions

How can I filter and track events from users accessing organizations laptop in foreign countries.

Delete notable event history?

How to filter logs in Windows Server to decrease the quota of data in Splunk Enterprise Security (ES)?

Why is there a following error in 'lookup' command "Lookups: The lookup table 'event_time_field=temp_time' does not exist or is not available"?

Context is not updated for the 'Substantial Increase in Port Activity' ES Correlation Search

Need to delete a knowledge object for extremesearch

How to access data from a Lookup table in another app to a custom dashboard in ES?

Getting hundreds of credit card numbers from Splunk PII corelation search in enterprise security, wondering if this is false positive or do we actually collect these CC numbers inadvertently

ASP Net Core 2.1 App throws intermittent SSL error while logging to Splunk

Splunk Enterprise Security 5.0 warning messages

Infoblox CIM unknown fields

Inputlookup Form

Splunk ES Error Message

Get daily license usage from remote search head

how to ensure that splunk correlation rules are running continuously in background

Comparison of Splunk enterprise and Splunk enterprise security

Splunk Enterprise Security: Why do I receive "command="xswhere", [Errno 13] Permission denied" error when trying to perform a correlation search?

UF installation on 2016 Symantec Server

Self study resources for certification

Do I have to disable asset_lookup_by_cidr?

How to make a graph of the following query

ES - Completely Inactive Account false positive alerts?

Splunk Enterprise Security - How to use the Incident Review event page

I would like to create a Workflow action (using a POST link) using the rule_title field and cannot figure out how to expand the tokens in the field.

Splunk port scan detection

Important Update to Data Management Pipeline Builders: RE2 to PCRE2 Migration

Buttercup Games: Further Dashboarding Techniques (Part 4)

What You Read The Most: Splunk Lantern’s Most Popular Articles!

ES Notable Security Domain Issue

Risk-Based Alerting FAQs

Splunk Enterprise Security Install Error In Deploy...

Enterprise Security - Correlation Search - Notable...

Threat Intelligence Management - Wrong threat matc...