Splunk Enterprise Security

Discussions

Thread Info

Splunk Enterprise Security - How to use the Incident Review event page

I have an incident which reads - "Activity from Expired User Identity" CRITICAL Please can someone work me through ho...

by New Member in

I would like to create a Workflow action (using a POST link) using the rule_title field and cannot figure out how to expand the tokens in the field.

When constructing the post data from a Notable Event in Enterprise Security Incident Review dashboard as an event act...

by Engager in

Splunk port scan detection

Hi team! It's my very first time and I need help. I want to detect a port scan. I did that but I dont know how ...

by Path Finder in

IIS and ES application & CIM

Hello, I have set up ES and I am trying to input information from IIS. While the information is being parsed corre...

by Path Finder in

Is there a troubleshooting guide for Enterprise Security or ITSI specifically?

Is there a troubleshooting guide for Enterprise Security or ITSI specifically? I know that Splunk has a manual for...

by Explorer in

Where should the Cisco AMP for Endpoints Add-Ons be installed?

Where should the "Cisco AMP for Endpoints CIM Add-On" and the "Cisco AMP for Endpoints Events Input" be installed? ...

by Engager in

Why is our Splunk-ES iplocation src returning 192.168.xxx.xxx addresses in the "Access Anomalies" dashboard?

Why is our Splunk-ES iplocation src returning 192.168.xxx.xxx addresses in the "Access Anomalies" dashboard? Why ...

by Path Finder in

How do I call a non-Splunk REST API in an Event Action?

Microsoft Exchange Online has an API available to return Message Details of an email. There's currently an app in Spl...

by Communicator in

Problem dynamically specifying colors in specific order - geomapping sequential/categorical

Hey fellow Splunkers. I'm working on mapping some of my data and ran into a bit of a snag.. With the first search exa...

by New Member in

Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Is there a way to update the default collection or create a custom collection of swimlanes for the investigator dashb...

by Communicator in

How to modify field values?

Hi I have the following fields (FileName and FileSize) that I'd like to turn into the example table below. How ca...

by Engager in

incorrect query field of dat_version

……. [EPOEvents].[AnalyzerVersion] as [product_version], [EPOEvents].[AnalyzerEngineVersion] as [engine_version], [E...

by New Member in

Getting null values for some events for O365 messagetrace events

Getting null values of some event fields for sourcetype="ms:o365:reporting:messagetrace" , data is onboraded via Micr...

by Path Finder in

adaptive response action handling multiple results

Hello, A question about "Example adaptive response action" given in dev.splunk.com/view/enterprise-security/SP-CAA...

by Path Finder in

Windows Events to Epoch

My goal was to filter out Windows Security Events Event Code 4616 for entries that were less than a second. I thought...

by Engager in

Mac OS high sierra USB monitoring

Is there a way to Monitor USB activity for all Mac books and systems on an enterprise level? For example maybe use lo...

by New Member in

How to make an incident review dashboard based on how many cases are open and resolved on the month.

Hi All, I am trying to create a dashboard for notable events that has been opened on the month and how many events...

by New Member in

Top Notable Event regarding Potential Security Risks

I have searched across Splunk Answers, Docs, and the YouTube channel but I haven't found nothing of interesting so I'...

by New Member in

Force Threat Intelligence download

Greetings, For ES, is there a way to force the threat intelligence feeds to download? I think they default run on ...

by New Member in

Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

Splunk 6.5.1 Splunk Enterprise Security (ES) 4.2.0 I wrote the correlation search below (show sources that trigger...

by New Member in

Sub search return value that's not in main search

I have a Splunk sub search similar to index=index1 type="example" [ search index=index2 type="other" | eval nowti...

by Explorer in

need help with multivalue fields for chmod and find linux commands

Good evening, I'm having trouble parsing this events as multivalue fields: Jun 18 01:05:00 : oracle : command n...

by Communicator in

Remove Search Head roles from an Indexer

Hello to the community! I was wondering if there is any best practices regarding the removal of Search Head role f...

by Communicator in

IS IIS and Apache logs of any use in enterprise security

I was looking at our enterprise security and wondering weather IIS or apache logs are playing any significant role in...

by Communicator in

Why are fields not being extracted running TA-squid with the Splunk App for Enterprise Security?

Hi all, I am struggling with the field extractions in TA-squid. I have tried the TA-squid with Splunk 6.0 (which ...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Enterprise Security - How to use the Incident Review event page

I would like to create a Workflow action (using a POST link) using the rule_title field and cannot figure out how to expand the tokens in the field.

Splunk port scan detection

IIS and ES application & CIM

Is there a troubleshooting guide for Enterprise Security or ITSI specifically?

Where should the Cisco AMP for Endpoints Add-Ons be installed?

Why is our Splunk-ES iplocation src returning 192.168.xxx.xxx addresses in the "Access Anomalies" dashboard?

How do I call a non-Splunk REST API in an Event Action?

Problem dynamically specifying colors in specific order - geomapping sequential/categorical

Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

How to modify field values?

incorrect query field of dat_version

Getting null values for some events for O365 messagetrace events

adaptive response action handling multiple results

Windows Events to Epoch

Mac OS high sierra USB monitoring

How to make an incident review dashboard based on how many cases are open and resolved on the month.

Top Notable Event regarding Potential Security Risks

Force Threat Intelligence download

Splunk Enterprise Security: Adding exclusions to my Correlation Search for IPS?

Sub search return value that's not in main search

need help with multivalue fields for chmod and find linux commands

Remove Search Head roles from an Indexer

IS IIS and Apache logs of any use in enterprise security

Why are fields not being extracted running TA-squid with the Splunk App for Enterprise Security?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions