Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Event ID 4738 - How to alert when source user and target user are the same ?

Greetings all, I am currently using a simple Splunk query to return all changes to a user account. sourcetype...

by Path Finder in

Which Data Model are need to update if I use Zscaler add-on

Hello All, I used the Splunk Add-on for Zscaler (https://splunkbase.splunk.com/app/3865/). But what are the data-m...

by Path Finder in

what is recommended sourcetype for Oracle OIM/OAM servers logs - server are running on windows server

what is recommended sourcetype for Oracle OIM/OAM servers logs - server are running on windows server Logs are col...

by Path Finder in

how much is enterprise security 4.7?

please provide pricing for Enterprise Security App.

by New Member in

Duplicate logs cause incorrect data in dashboard

Hi, I use various dashboards which include in Splunk Enterprise Security app. In case of duplicate logs in my envi...

by Path Finder in

Detect CSRF attack on access log of Application Server

Please can anyone help in suggest search SPL command line to issue on an URL field in order to detect a CSRF attack o...

by New Member in

How do I use Splunk ES's default lookups?

All, Mind is drawing a blank. I want to normalize netstat output and then do a lookup on the destination fields t...

by Builder in

tstats errors with Splunk 7.1 + Enterprise Security 5.1?

Hi. We've just upgraded to Splunk 7.1 on our ES search head, as well as upgrading ES from 5.0 to 5.1 to meet the comp...

by Path Finder in

Splunk ES Integration with Manage Engine Service Desk Plus

How can we Integrate them so that both (Manage Engine and Splunk ES Incident review) works in sync

by Communicator in

Splunk ES correlation searches problem

Hello, I have figured out a strange behavior of Splunk correlation searches. I'm using Splunk Enterprise version 7...

by Engager in

Why does the alert action I created with Add-on builder fire in Test, but not as an alert action for a Correlation Search?

I created an alert action using the latest verison of Add-on Builder (v2.2) using some other Splunk answers posts as ...

by Explorer in

Post Processing Search as default

I have multiple logs with the same unique field. for instance: Time: 10:00:00 Log-id: 0x1212 Message: ABCD Time: 1...

by Path Finder in

Vulnerbaility data model information is mismatch with datamodel acceleration

Hi, using this query | from datamodel:"Vulnerabilities"."Vulnerabilities" |stats count by signature getting result...

by New Member in

Splunk Enterprise Security: Why are notable events not created and notable alert_action is not triggered?

One of my Splunk Enterprise Security customer's complained that sometimes the notable events are not created even whe...

by Splunk Employee in

Excessive Failed Logins Correlation Search

Hi guys, Im not sure how to go about this. We currently have the Excessive Failed Logins Correlation Search enable...

by New Member in

Review account activity for accounts which have been flagged.

Let me first say, I'm sure I could write a search that essentially returns what I'm looking for, however due to the a...

by Communicator in

forwarding from index_a to index_b

If events are coming in from heavy forwarder 1 to heavy forwarder 2, is is possible to change the index name on HF B ...

by Engager in

How to include two 'like' eval expressions in splunk

I am working on eval expression. I have a set of data and I want to evaluate a field such that I only extract login a...

by New Member in

How to generate an event when a risk score above 100 is generated?

So basically I'm trying to generate an event when a risk score above 100 is generated, I've come up with the below se...

by New Member in

When does uploaded threat intelligence expire?

When a file is manually uploaded in Enterprise Security(ES), you can (and have to) define File Name, File to be uploa...

by Engager in

Add additional log types to a dataset

In the Threat Activity Detected IR correlation search, it calls for stuff from the "Threat Intelligence" Data Model. ...

by New Member in

How do I look for domains that aren't in the Alexa top 1 million?

I am trying to find non-alexa top 1 million domain requests. I am getting alexa_by_str.csv from https://s3.amazona...

by Builder in

Search string used for creating event type for data modelling marked as invalid search by Splunk

I am working on aligning my own data to Splunk Enterprise Security's data model. Big error 1: I draft out my sear...

by New Member in

Disable TLS version 1.1 and below?

I have a need to disable any version of tls below version 1.2. I've done this at the main splunk server, but there ap...

by New Member in

Why is the download link disabled in Symantec ATP Add-on for Splunk?

Is it only me or the following apps are not downloadable : https://splunkbase.splunk.com/app/3454/ https://splunkb...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Event ID 4738 - How to alert when source user and target user are the same ?

Which Data Model are need to update if I use Zscaler add-on

what is recommended sourcetype for Oracle OIM/OAM servers logs - server are running on windows server

how much is enterprise security 4.7?

Duplicate logs cause incorrect data in dashboard

Detect CSRF attack on access log of Application Server

How do I use Splunk ES's default lookups?

tstats errors with Splunk 7.1 + Enterprise Security 5.1?

Splunk ES Integration with Manage Engine Service Desk Plus

Splunk ES correlation searches problem

Why does the alert action I created with Add-on builder fire in Test, but not as an alert action for a Correlation Search?

Post Processing Search as default

Vulnerbaility data model information is mismatch with datamodel acceleration

Splunk Enterprise Security: Why are notable events not created and notable alert_action is not triggered?

Excessive Failed Logins Correlation Search

Review account activity for accounts which have been flagged.

forwarding from index_a to index_b

How to include two 'like' eval expressions in splunk

How to generate an event when a risk score above 100 is generated?

When does uploaded threat intelligence expire?

Add additional log types to a dataset

How do I look for domains that aren't in the Alexa top 1 million?

Search string used for creating event type for data modelling marked as invalid search by Splunk

Disable TLS version 1.1 and below?

Why is the download link disabled in Symantec ATP Add-on for Splunk?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions