Splunk Enterprise Security

Thread Info

How do I create a search which detects password changes and finds the last time the password was changed?

Hello, I am working on a Splunk search to see which users have changed their passwords more than a specific number...

by Engager in

Can you help me create a search that returns Audit AD Login\Logoff data?

I need to perform a security audit on a particular user. I need to enter in specific username = example mydomain\...

by New Member in

Splunk TA installation location

I am trying to install the Rapid 7 TA. The document doesn't really give any good information. There are no searches, ...

by New Member in

Active Directory - Event ID 4738 - Message Fields

I seem to be having some issues working with AD event ID 4738. Unless I am doing or reading something wrong, one of t...

by Path Finder in

Splunk ES: Why are all Security Indicators under Threat Activity reporting '0'?

Hi, Under Threat Activity, all the indicators report "0" all the time regardless of the search parameters. When cl...

by Builder in

How to add an extra event field to the ePO query using DB connect 2.4 and ePO 5.3?

Additional information: I'm not confident on the left join syntax, but the query appears to fail before it gets to th...

by Explorer in

In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

I need a list of admins and also users from Splunk-ES to list in an audit dashboard.

by New Member in

Does Splunk_TA_microsoft_dns need to be deployed to every domain controller?

All, I am looking at Splunk_TA_microsoft_dns. We deployed it to every domain controller, but I was wondering if w...

by Builder in

Why is the Splunk Enterprise Security Malware Center not displaying infection counts?

All, I have installed Splunk Enterprise Security (ES) and the Clam AV apps. Searching tag=malware tag=attack work...

by Builder in

Is there a way to add entire roles as collaborators to an investigation rather than just one at a time?

Hi all, I'm using ES 4.7.3 and as far as I know there is only the option to add collaborators one at a time to an ...

by Path Finder in

How to onboard System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

In my server I want to onboard DNS Audit logs in addition to DNS Events. DNS Audit logs are getting created in C:\Wi...

by Explorer in

Splunk ES Incident dashboard not working with Splunk Enterprise 7.1.2

We upgraded our Splunk enterprise to 7.1.2 from 7.0 version in a SH that has Splunk ES version 4.7.2. After the upgr...

by Communicator in

Splunk enterprise security in VM

What is the system requirement for Virtual Machines for installing Splunk Enterprise Security?

by Communicator in

How to capture value between two dates and a time string?

Hi, How can I capture the the text between the first and second date and time strings. Using the example event...

by Explorer in

Aggregate function ignore null values

Hello all, I am new to splunk, By following string i get a graph of risk: index="iniatva_linux" Risk=Criti...

by New Member in

Difference between the results from a visualizations and a regular search

Hi there, I have a strange situation. When I'm using a base search into a dashboard, I have displayed only 4 devic...

by New Member in

AWS SQS - Api calls using http only?

I have configured the AWS Add-On for Splunk and want to ingest logs from an S3 bucket by following the Splunk recomme...

by Explorer in

What is the best method of calculating variance, Extreme Search or just Stats?

I currently have several behavioral anomaly searches that report users exhibiting authentication behavior that is X n...

by Path Finder in

When upgrading to ES 5.1.0 the "Related Events" disappeared.

After upgrading to Splunk 7.1.2 and ES 5.1.0 I no longer see the "Related Events" drilldown option on the incident re...

by Path Finder in

Using Boolean operators in datamodel

I would like to use the Network_Traffic datamodel and exclude all internal source network traffic by using the NOT op...

by New Member in

Getting error when trying to update notables after upgrade from 5.0 to 5.1

After upgrading to 5.1 (and 7.1.2) from 5.0 (and 7.0.2), we are noticing errors when trying to edit notables. Steps t...

by Path Finder in

How to separate field values from a single field into two unique values?

Hi, Using the following event log which has not been extracted, is it possible to seperate the current 'Name:' fi...

by Explorer in

How to make a report of unsuccessful connection attempts

Hello I'm new to this community and my first question is this: How to make a report of unsuccessful connection attemp...

by Engager in

How can I do a graph with multiple data?

Hi team! It's my very first time here and I need a bit of help! I want to make a graph with multiple lanes. ...

by Path Finder in

ES Asset and Identity lookups only support a single pipe delimited field...???

Here is the link to the documentation page for the ES Asset and Identities lookups: http://docs.splunk.com/Documen...

by Builder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Enterprise Security

Discussions

How do I create a search which detects password changes and finds the last time the password was changed?

Can you help me create a search that returns Audit AD Login\Logoff data?

Splunk TA installation location

Active Directory - Event ID 4738 - Message Fields

Splunk ES: Why are all Security Indicators under Threat Activity reporting '0'?

How to add an extra event field to the ePO query using DB connect 2.4 and ePO 5.3?

In Splunk Enterprise, I use |rest /services/authentication/users/ to get a list of users. How can I do the same in Splunk-ES?

Does Splunk_TA_microsoft_dns need to be deployed to every domain controller?

Why is the Splunk Enterprise Security Malware Center not displaying infection counts?

Is there a way to add entire roles as collaborators to an investigation rather than just one at a time?

How to onboard System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Splunk ES Incident dashboard not working with Splunk Enterprise 7.1.2

Splunk enterprise security in VM

How to capture value between two dates and a time string?

Aggregate function ignore null values

Difference between the results from a visualizations and a regular search

AWS SQS - Api calls using http only?

What is the best method of calculating variance, Extreme Search or just Stats?

When upgrading to ES 5.1.0 the "Related Events" disappeared.

Using Boolean operators in datamodel

Getting error when trying to update notables after upgrade from 5.0 to 5.1

How to separate field values from a single field into two unique values?

How to make a report of unsuccessful connection attempts

How can I do a graph with multiple data?

ES Asset and Identity lookups only support a single pipe delimited field...???

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Has anyone used finding-based detection on ES 8.0 ...

Anatomy of a Successful Migration with Pizza Hut

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions