Splunk Enterprise Security

Discussions

Thread Info

tstats errors with Splunk 7.1 + Enterprise Security 5.1?

Hi. We've just upgraded to Splunk 7.1 on our ES search head, as well as upgrading ES from 5.0 to 5.1 to meet the comp...

by Path Finder in

Splunk ES Integration with Manage Engine Service Desk Plus

How can we Integrate them so that both (Manage Engine and Splunk ES Incident review) works in sync

by Communicator in

Splunk ES correlation searches problem

Hello, I have figured out a strange behavior of Splunk correlation searches. I'm using Splunk Enterprise version 7...

by Engager in

Why does the alert action I created with Add-on builder fire in Test, but not as an alert action for a Correlation Search?

I created an alert action using the latest verison of Add-on Builder (v2.2) using some other Splunk answers posts as ...

by Explorer in

Post Processing Search as default

I have multiple logs with the same unique field. for instance: Time: 10:00:00 Log-id: 0x1212 Message: ABCD Time: 1...

by Path Finder in

Vulnerbaility data model information is mismatch with datamodel acceleration

Hi, using this query | from datamodel:"Vulnerabilities"."Vulnerabilities" |stats count by signature getting result...

by New Member in

Splunk Enterprise Security: Why are notable events not created and notable alert_action is not triggered?

One of my Splunk Enterprise Security customer's complained that sometimes the notable events are not created even whe...

by Splunk Employee in

Excessive Failed Logins Correlation Search

Hi guys, Im not sure how to go about this. We currently have the Excessive Failed Logins Correlation Search enable...

by New Member in

Review account activity for accounts which have been flagged.

Let me first say, I'm sure I could write a search that essentially returns what I'm looking for, however due to the a...

by Communicator in

forwarding from index_a to index_b

If events are coming in from heavy forwarder 1 to heavy forwarder 2, is is possible to change the index name on HF B ...

by Engager in

How to include two 'like' eval expressions in splunk

I am working on eval expression. I have a set of data and I want to evaluate a field such that I only extract login a...

by New Member in

How to generate an event when a risk score above 100 is generated?

So basically I'm trying to generate an event when a risk score above 100 is generated, I've come up with the below se...

by New Member in

When does uploaded threat intelligence expire?

When a file is manually uploaded in Enterprise Security(ES), you can (and have to) define File Name, File to be uploa...

by Engager in

Add additional log types to a dataset

In the Threat Activity Detected IR correlation search, it calls for stuff from the "Threat Intelligence" Data Model. ...

by New Member in

How do I look for domains that aren't in the Alexa top 1 million?

I am trying to find non-alexa top 1 million domain requests. I am getting alexa_by_str.csv from https://s3.amazona...

by Builder in

Search string used for creating event type for data modelling marked as invalid search by Splunk

I am working on aligning my own data to Splunk Enterprise Security's data model. Big error 1: I draft out my sear...

by New Member in

Disable TLS version 1.1 and below?

I have a need to disable any version of tls below version 1.2. I've done this at the main splunk server, but there ap...

by New Member in

Why is the download link disabled in Symantec ATP Add-on for Splunk?

Is it only me or the following apps are not downloadable : https://splunkbase.splunk.com/app/3454/ https://splunkb...

by New Member in

Splunk Enterprise Security: Is there a way to force a notable event to be critical?

Is there a way to force a notable event in Splunk Enterprise Security to be critical? We have certain notables that a...

by Explorer in

Where I can find changes made related to log source or indexed data?

Hi Guys I am looking for do a report on any log source or index setting was changed in last 7 days, where can I get t...

by Communicator in

Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event?

If this has already been covered, please provide a link, but I haven't seen anything. My organization uses Splunk Clo...

by Explorer in

traffic fails regularly

Hello all I have a problem on my splunk. The monitoring console illustrates the forwarded traffic from forwarders to ...

by Engager in

how to use ip_intel ?

I have a search that returns a set of source and dest IP addresses. Index= ..... | table src, dest I want to...

by New Member in

Splunk Enterprise Security: What happens to host_* fields in notable events?

I have a correlation search that includes the field host and is enriched with all the usual fields such as host_nt_ho...

by Contributor in

I have installed the IP reputation App , But not getting any data , How to get it reolved

I have installed new app IP reputation , but not getting any data , Do i need to change any configurations or search ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

tstats errors with Splunk 7.1 + Enterprise Security 5.1?

Splunk ES Integration with Manage Engine Service Desk Plus

Splunk ES correlation searches problem

Why does the alert action I created with Add-on builder fire in Test, but not as an alert action for a Correlation Search?

Post Processing Search as default

Vulnerbaility data model information is mismatch with datamodel acceleration

Splunk Enterprise Security: Why are notable events not created and notable alert_action is not triggered?

Excessive Failed Logins Correlation Search

Review account activity for accounts which have been flagged.

forwarding from index_a to index_b

How to include two 'like' eval expressions in splunk

How to generate an event when a risk score above 100 is generated?

When does uploaded threat intelligence expire?

Add additional log types to a dataset

How do I look for domains that aren't in the Alexa top 1 million?

Search string used for creating event type for data modelling marked as invalid search by Splunk

Disable TLS version 1.1 and below?

Why is the download link disabled in Symantec ATP Add-on for Splunk?

Splunk Enterprise Security: Is there a way to force a notable event to be critical?

Where I can find changes made related to log source or indexed data?

Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event?

traffic fails regularly

how to use ip_intel ?

Splunk Enterprise Security: What happens to host_* fields in notable events?

I have installed the IP reputation App , But not getting any data , How to get it reolved

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Has anyone used finding-based detection on ES 8.0 ...

Anatomy of a Successful Migration with Pizza Hut

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions