Splunk Enterprise Security

Discussions

Thread Info

Using Inputlookup to Eliminate Search Results

Been banging my head on this and need some assistance. Trying to use a csv to eliminate some search results with no s...

by Explorer in

Why are the dashboards not displaying any data in the Enterprise Security app?

So I recently had to nuke the search head that our Enterprise Security app was running on. I have reinstalled everyth...

by Path Finder in

Notable events stopped updating in Incidnet Review in ES app

Hi Splunkers, we are not able to see any notable events from yesterday in ES app even though we have not made chan...

by New Member in

How to retrieve open incidents from splunk enterprise security?

Is it the proper way to get incidents through a webhook that searchs for notable events and send them to our api? ...

by Engager in

Rule_id's missing in incident_review_lookup for Correlation Search

Hi, I am reviewing the results for the 'ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule' cor...

by Path Finder in

Why eStreamer data from sourcefire is not getting tagged for IDS_Attacks datamodel?

Hi, We are indexing eStreamer logs from sourcefire and have the app, "eStreamer for Splunk" (2.2.1) and add-on, "S...

by Builder in

Splunk Enterprise Security API is not allowed for admin

I have admin, user, power roles on Splunk Enterprise Security instance but it still requires authentication and it do...

by Engager in

Failed to find the target event with valid host and source values error

When using Enterprise Security we get the following error "Failed to find the target event with valid host and source...

by Path Finder in

is it possible to install other Splunk Apps (CIM compliant and non compliant) on the same search head which contains Enterprise security ?

If it isn't possible to install other apps that aren't CIM Compliant on the Sh machine that has the Enterprise securi...

by Explorer in

Data Model rebuild loose any kind of data from indexers?

If I am rebuilding existing data model in ES then it may be possible to loose any kind of data from indexers?

by Path Finder in

Is Extreme Search still available?

I no longer see Extreme Search on Splunkbase. Is it part of Splunk or Enterprise Security? (We are a few version ...

by Path Finder in

Why are the notable events from Symantec not accurate?

Hi Community, Not sure how to explain this... But the whole timeline looks like this: A user plugs in a USB sti...

by New Member in

How to enable and send an email notification when an incident has been assigned in Splunk Enterprise?

Dear Team, In splunk ES if the incident is assigned to someone an email notification needs to be sent that the incide...

by Engager in

why do we not have setup.xml in add-on's created by add-on builder?

Greetings I am using the latest version of add-on builder (2.2.0) and can create an alert action/adaptive response...

by Influencer in

How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

I would like to create a dashboard that displays notable event titles as seen on the Incident Review dashboard. Is th...

by Explorer in

Splunk Enterprise Security Default Workflow Actions

Are the Workflow Actions listed in the Enterprise Security Sandbox installed by default with a new Enterprise Securit...

by New Member in

How to make cluster map drilldown link to related search?

<title>Registered Devices (Map)</title> <search> <query>| devicesearch query="$sensor_sea...

by New Member in

Need help to update "Notable -Substantial Increase In Port Activity" to establish a base line for each destination port

We have not been using the Splunk ES for long and the “xswhere” used for this notable is an extreme search. The extre...

by Contributor in

Create event type as alert action

Splunk Enterprise Security uses "event types" as a means to suppress future alerting on a set of field values. We lik...

by Path Finder in

How can I get the description column of my custom lookup to show up in our Splunk Enterprise Security Incident Review queue?

In our Splunk Enterprise Incident review queue, I have a custom lookup that is being used for our threat intelligence...

by Explorer in

Format an asset list in Splunk Enterprise Security

Hi Splunkers, As it's stated in documentation, fields like ip, mac, dns in Asset lookup should be "A pipe-delimite...

by Contributor in

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?

Hi all, I have created an adaptive response collects information from a host and indexes it. I have attached th...

by Communicator in

Splunk Enterprise Security - How do you add asset fields in new search automatically?

Hi, I'm working on adding new data in CIM and putting tags in Communication and network with required fields. Of c...

by Engager in

Is the webhook option supported for adaptive response actions in Enterprise Security?

The webhook opiont is only available under Search & Reporting alert actions. This option in not available in the adap...

by Engager in

Time-based Assignment of Notable Events

Hello Is it possible to assign the default owner of the notable event based on a time schedule? For example, if...

by Engager in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Using Inputlookup to Eliminate Search Results

Why are the dashboards not displaying any data in the Enterprise Security app?

Notable events stopped updating in Incidnet Review in ES app

How to retrieve open incidents from splunk enterprise security?

Rule_id's missing in incident_review_lookup for Correlation Search

Why eStreamer data from sourcefire is not getting tagged for IDS_Attacks datamodel?

Splunk Enterprise Security API is not allowed for admin

Failed to find the target event with valid host and source values error

is it possible to install other Splunk Apps (CIM compliant and non compliant) on the same search head which contains Enterprise security ?

Data Model rebuild loose any kind of data from indexers?

Is Extreme Search still available?

Why are the notable events from Symantec not accurate?

How to enable and send an email notification when an incident has been assigned in Splunk Enterprise?

why do we not have setup.xml in add-on's created by add-on builder?

How to get (or generate) Splunk ES notable event titles as seen on Incident Review dashboard

Splunk Enterprise Security Default Workflow Actions

How to make cluster map drilldown link to related search?

Need help to update "Notable -Substantial Increase In Port Activity" to establish a base line for each destination port

Create event type as alert action

How can I get the description column of my custom lookup to show up in our Splunk Enterprise Security Incident Review queue?

Format an asset list in Splunk Enterprise Security

Can you run a correlation search as an adaptive response or can you run a correlation search from a python script?

Splunk Enterprise Security - How do you add asset fields in new search automatically?

Is the webhook option supported for adaptive response actions in Enterprise Security?

Time-based Assignment of Notable Events

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

KV Store communication fails with TLS errors after...

Findings Comments

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions