Splunk Enterprise Security

Discussions

Thread Info

Rules/Correlation Searches that must have at SOC!

Hello my little friends!  In your opinion what correlation searches must have SOC?

by Builder in

Splunk Enterprise Security: Why are correlation searches not saving in search head cluster?

I am using search head cluster and trying to create a correlation search by selecting application context as "DA-ESS-...

by Explorer in

Centralized Splunk config synchronization like rsync over HTTPS

I have a customer with a very unique network environment. They will have multiple ES clusters worldwide. The only way...

by Builder in

"Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'fe_cef_syslog' and lookup table 'fireeye_severity_lookup'" - how to fix?

We are on Splunk Cloud 6.4. We have Splunk Enterprise Security too. FireEye App for Splunk Enterprise v3 (ver 3.0...

by New Member in

Ratios based on field values in Stats

I am looking to get a ratio in something akin to the following method but this is throwing errors from Splunk ES: ...

by Explorer in

How do I update Palo Alto app and threat metadata in Splunk Enterprise Security

pancontentpack is supposed to get app and threat metadata from Panorama. I noticed that pancontentpack is only par...

by Builder in

Best way to filter out events within Splunk Enterprise Security Incident Review?

I am seeing a number of events for abnormally high number of HTTP POST requests in our enterprise security incident r...

by Engager in

Enterprise Security 4.7 - Threat Intel Downloads Won't Stop Despite Disabling

I upgraded the ES app from 4.5 to 4.7. I work on a closed system so I do not make use of the Threat Intel downloads. ...

by Explorer in

Whitelisting values for notable events

Hi All, I've just got Enterprise Security configured and im now trying to reduce the amount of false alarms create...

by Path Finder in

Windows Logs by default gets tagged to alert data model

Hi All, I just found that each logs of windows AD get tagged to alert data model, When i accelerate the data model...

by Explorer in

Search Notables by Time of Comments

In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that ...

by Explorer in

Field aliases don't always return the same number of results as the field being aliased

Hi, I'm using Splunk 6.6.3 with the Enterprise Security app, with access only to the web interface. I have two ...

by Explorer in

how to save adaptive response in adaptive response in incident review after correlation search is executed

Hi, I have created correlation search and added Run a script adaptive response and notable adaptive response. I could...

by SplunkTrust in

What are the key details I should pay attention to when rewriting searches to correlation searches?

Hello all! What should I do or what should I know, (maybe some tricks or magic) if I need to quickly rewrite my searc...

by Builder in

How do I stop datamodel accelerations from turning themselves back on?

I have an instance where I want to keep data model accelerations disabled but they seem to keep turning back on if I ...

by Communicator in

How do I add to Splunk Enterprise Security license?

I have a 50GB Splunk licence and equivalent 50GB ES licence. I have been asked to install a 25GB ES licence in prepar...

by Engager in

How to view threatlist via REST

Is there any way to view actual contents of a threatlist via REST? I've found references to: | rest /services/data...

by Explorer in

Why cant Enterprise Security App see data from a specific index despite having correct tags?

Hi, When I search all indexed data against "Intrusion Detection" data model from Search & reporting app's context,...

by Builder in

Can Splunk Enterprise Security 4.7 be installed on a Windows search head?

Hi Can ES 4.7 be installed on a Windows SH? I know the documentation excludes ES with SHC on Windows, but it does ...

by Influencer in

How does one remove the Enterprise Security Suite?

I tried $SPLUNK_HOME$/bin/splunk remove app SplunkEnterpriseSecuritySuite and it tells me "app doesn't exist" -- It d...

by Communicator in

What is the best process to uninstall Splunk Enterprise Security Suite?

uninstall Splunk Enterprise Security Suite?

by Explorer in

Splunk Enterprise Security: Can you explain more about the configuration for Threat Intelligence?

We have this config: [threatlist://ransomware_ip_blocklist] delim_regex = : description = abuse.ch Ransomware Bl...

by Builder in

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_up and dest_ip columns?

Pondering if the prohibited_traffic.csv lookup used by SA-NetworkProtection in Enterprise Security could be updated t...

by Path Finder in

How do you tag a user with watchlist in Splunk Enterprise Security?

If I have a notable event is there a way within incident review to tag the user with watchlist?

by Engager in

Splunk Enterprise Security: For items in My Investigations, do they get saved in the KV Store?

I am looking for advices on how to plan the backup and storage of "My Investigations" data in the Splunk Enterprise S...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Rules/Correlation Searches that must have at SOC!

Splunk Enterprise Security: Why are correlation searches not saving in search head cluster?

Centralized Splunk config synchronization like rsync over HTTPS

"Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'fe_cef_syslog' and lookup table 'fireeye_severity_lookup'" - how to fix?

Ratios based on field values in Stats

How do I update Palo Alto app and threat metadata in Splunk Enterprise Security

Best way to filter out events within Splunk Enterprise Security Incident Review?

Enterprise Security 4.7 - Threat Intel Downloads Won't Stop Despite Disabling

Whitelisting values for notable events

Windows Logs by default gets tagged to alert data model

Search Notables by Time of Comments

Field aliases don't always return the same number of results as the field being aliased

how to save adaptive response in adaptive response in incident review after correlation search is executed

What are the key details I should pay attention to when rewriting searches to correlation searches?

How do I stop datamodel accelerations from turning themselves back on?

How do I add to Splunk Enterprise Security license?

How to view threatlist via REST

Why cant Enterprise Security App see data from a specific index despite having correct tags?

Can Splunk Enterprise Security 4.7 be installed on a Windows search head?

How does one remove the Enterprise Security Suite?

What is the best process to uninstall Splunk Enterprise Security Suite?

Splunk Enterprise Security: Can you explain more about the configuration for Threat Intelligence?

Splunk Enterprise Security: SA-NetworkProtection -- Can we update a CSV to include src_up and dest_ip columns?

How do you tag a user with watchlist in Splunk Enterprise Security?

Splunk Enterprise Security: For items in My Investigations, do they get saved in the KV Store?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Asset Identity Framework subnet does not match ip-...

Palo Alto apps and add-ons for splunk

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions