Splunk Enterprise Security

Discussions

Thread Info

Search Notables by Time of Comments

In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that ...

by Explorer in

Field aliases don't always return the same number of results as the field being aliased

Hi, I'm using Splunk 6.6.3 with the Enterprise Security app, with access only to the web interface. I have two ...

by Explorer in

how to save adaptive response in adaptive response in incident review after correlation search is executed

Hi, I have created correlation search and added Run a script adaptive response and notable adaptive response. I could...

by SplunkTrust in

What are the key details I should pay attention to when rewriting searches to correlation searches?

Hello all! What should I do or what should I know, (maybe some tricks or magic) if I need to quickly rewrite my searc...

by Builder in

How do I stop datamodel accelerations from turning themselves back on?

I have an instance where I want to keep data model accelerations disabled but they seem to keep turning back on if I ...

by Communicator in

How do I add to Splunk Enterprise Security license?

I have a 50GB Splunk licence and equivalent 50GB ES licence. I have been asked to install a 25GB ES licence in prepar...

by Engager in

How to view threatlist via REST

Is there any way to view actual contents of a threatlist via REST? I've found references to: | rest /services/data...

by Explorer in

Why cant Enterprise Security App see data from a specific index despite having correct tags?

Hi, When I search all indexed data against "Intrusion Detection" data model from Search & reporting app's context,...

by Builder in

Can Splunk Enterprise Security 4.7 be installed on a Windows search head?

Hi Can ES 4.7 be installed on a Windows SH? I know the documentation excludes ES with SHC on Windows, but it does ...

by Influencer in

How does one remove the Enterprise Security Suite?

I tried $SPLUNK_HOME$/bin/splunk remove app SplunkEnterpriseSecuritySuite and it tells me "app doesn't exist" -- It d...

by Communicator in

What is the best process to uninstall Splunk Enterprise Security Suite?

uninstall Splunk Enterprise Security Suite?

by Explorer in

Splunk Enterprise Security: Can you explain more about the configuration for Threat Intelligence?

We have this config: [threatlist://ransomware_ip_blocklist] delim_regex = : description = abuse.ch Ransomware Bl...

by Builder in

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_up and dest_ip columns?

Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated t...

by Path Finder in

How do you tag a user with watchlist in Splunk Enterprise Security?

If I have a notable event is there a way within incident review to tag the user with watchlist?

by Engager in

Splunk Enterprise Security: For items in My Investigations, do they get saved in the KV Store?

I am looking for advices on how to plan the backup and storage of "My Investigations" data in the Splunk Enterprise S...

by Path Finder in

How do you detect WannaCry by Splunk Enterprise Security Content Updates?

It's impossible to detect WannaCry by app ES Content Updates? Someone have experience in this? app: https://splunk...

by Builder in

Splunk Enterprise Security: notable suppression history

Hello All, I'm looking to find a history of what notables have been suppressed after the suppression has expired. ...

by Path Finder in

Splunk Enterprise Security: Correlation search lookup not working, yet -- works in normal search

I am running a ESS Correlation search in App Context Enterprise Security. I verified the lookup and it exists in the ...

by Explorer in

Extra Visualizations not showing in Enterprise Security

I have installed extra visualization (e.g. Sankey). The visualization option is available in the search app and the s...

by Communicator in

Need help modifying this correlation search

This correlation search detects a "substantial increase in port activity" and it works well. How can I tune/modify it...

by Builder in

Splunk Enterprise Security: How to clone and modify the Incident Review dashboard?

Hi Is it possible to clone/duplicate Incident Review in the Splunk Enterprise Security app? I would like to create...

by Explorer in

Are there best practices for CIM datamodel mapping for PaloAlto firewalls?

Are there best practices when mapping PaloAlto firewall logs to CIM datamodels? One think that I noticed is that Netw...

by Builder in

Throttle unless count increases

In an Enterprise Security Correlation Search I have a report that emails out when an email address is seen across mul...

by Engager in

Why is there excessive memory usage on indexers after upgrading to Enteprise Security 4.7.x

There many reports of high CPU or memory utilization on the indexers after upgrading Spunk Enterprise Security (ES) t...

by Splunk Employee in

Splunk Stream Built-in stream populating Dashboard vs Protocol Events

Hi there, I have deployed Splunk Stream on a distributed environment. SH ES > Stream App + Stream TA IDX > Str...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Search Notables by Time of Comments

Field aliases don't always return the same number of results as the field being aliased

how to save adaptive response in adaptive response in incident review after correlation search is executed

What are the key details I should pay attention to when rewriting searches to correlation searches?

How do I stop datamodel accelerations from turning themselves back on?

How do I add to Splunk Enterprise Security license?

How to view threatlist via REST

Why cant Enterprise Security App see data from a specific index despite having correct tags?

Can Splunk Enterprise Security 4.7 be installed on a Windows search head?

How does one remove the Enterprise Security Suite?

What is the best process to uninstall Splunk Enterprise Security Suite?

Splunk Enterprise Security: Can you explain more about the configuration for Threat Intelligence?

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_up and dest_ip columns?

How do you tag a user with watchlist in Splunk Enterprise Security?

Splunk Enterprise Security: For items in My Investigations, do they get saved in the KV Store?

How do you detect WannaCry by Splunk Enterprise Security Content Updates?

Splunk Enterprise Security: notable suppression history

Splunk Enterprise Security: Correlation search lookup not working, yet -- works in normal search

Extra Visualizations not showing in Enterprise Security

Need help modifying this correlation search

Splunk Enterprise Security: How to clone and modify the Incident Review dashboard?

Are there best practices for CIM datamodel mapping for PaloAlto firewalls?

Throttle unless count increases

Why is there excessive memory usage on indexers after upgrading to Enteprise Security 4.7.x

Splunk Stream Built-in stream populating Dashboard vs Protocol Events

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Palo Alto apps and add-ons for splunk

Dashboard PNG schedule export setting is not viewa...

Incident_updates_lookup not updating urgency and r...

Create Investigation SOAR

Correlation Search: Next Step: Ping - NSLOOKUP - R...

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions