Splunk Enterprise Security

Discussions

Thread Info

Splunk Enterprise Security: For items in My Investigations, do they get saved in the KV Store?

I am looking for advices on how to plan the backup and storage of "My Investigations" data in the Splunk Enterprise S...

by Path Finder in

How do you detect WannaCry by Splunk Enterprise Security Content Updates?

It's impossible to detect WannaCry by app ES Content Updates? Someone have experience in this? app: https://splunk...

by Builder in

Splunk Enterprise Security: notable suppression history

Hello All, I'm looking to find a history of what notables have been suppressed after the suppression has expired. ...

by Path Finder in

Splunk Enterprise Security: Correlation search lookup not working, yet -- works in normal search

I am running a ESS Correlation search in App Context Enterprise Security. I verified the lookup and it exists in the ...

by Explorer in

Extra Visualizations not showing in Enterprise Security

I have installed extra visualization (e.g. Sankey). The visualization option is available in the search app and the s...

by Communicator in

Need help modifying this correlation search

This correlation search detects a "substantial increase in port activity" and it works well. How can I tune/modify it...

by Builder in

Splunk Enterprise Security: How to clone and modify the Incident Review dashboard?

Hi Is it possible to clone/duplicate Incident Review in the Splunk Enterprise Security app? I would like to create...

by Explorer in

Are there best practices for CIM datamodel mapping for PaloAlto firewalls?

Are there best practices when mapping PaloAlto firewall logs to CIM datamodels? One think that I noticed is that Netw...

by Builder in

Throttle unless count increases

In an Enterprise Security Correlation Search I have a report that emails out when an email address is seen across mul...

by Engager in

Why is there excessive memory usage on indexers after upgrading to Enteprise Security 4.7.x

There many reports of high CPU or memory utilization on the indexers after upgrading Spunk Enterprise Security (ES) t...

by Splunk Employee in

Splunk Stream Built-in stream populating Dashboard vs Protocol Events

Hi there, I have deployed Splunk Stream on a distributed environment. SH ES > Stream App + Stream TA IDX > Str...

by Path Finder in

Help ! add manual data to a sourcetype

Hi, I am creating an dashboard and want to know, if we have any possibility to add data manually to sourcetype. ...

by Communicator in

Can we use the powershell/ APT for integration of Rights Management Service/ Office 365 (RMS) data to Splunk

Hi All I'm looking for informations or methods on integrating RMS (Rights Management service/Office365) into Splun...

by Explorer in

Splunk Enterprise Security: Content Management and Incident Review page not showing anything after upgrade

We just recently upgraded to the latest version of ES 4.7.2 from 4.5.2 However after upgrading the page content manag...

by Path Finder in

How do I add fields to a data-model from the CIM without rebuilding my data-models?

I want to add some fields to a data-model that comes with the Common Information Model app but I want to avoid rebuil...

by Champion in

Tripwire TA that integrates with Splunk Enterprise Security?

The last post I see on this subject is almost three years old. Does anyone know if there is a Tripwire TA that integr...

by Path Finder in

Is the Tripwire Enterprise App for Splunk ES compatible with the Splunk App for Enterprise Security?

by New Member in

Getting F5 data into the data model of enterprise security

The F5 logs are sent through the syslog to Splunk. However, the messages are not likely correctly cut out because man...

by New Member in

Questions about getting started with Splunk Enterprise Security

Hi, I'm new to Splunk Enterprise Security but we do have Splunk to monitor and alert on our application logs. A...

by Explorer in

Splunk Common Information Model (CIM): Why is data model acceleration not working for Email data model?

We are running the latest versions of Splunk Enterprise, Splunk Enterprise Security, and Splunk Common Information Mo...

by Path Finder in

How can I test for high or critical notable events?

I have read this article which describes searching for high or critical notable events. https://answers.splunk.com...

by Path Finder in

Create indexer app purely for index configs and splitting hot\warm paths - what considerations when ES Splunk_TA_ForIndexers is used ?

allo, I have inherited a scenario of 1 x SH, 1 DS, 1 IDX, 1HF The SH has an instance of ES installed. I'm looki...

by Path Finder in

How can I accelerate my DataModel Query below to work better for an Alert?

I am trying to speed up my data model search for an alert that checks every 5 minutes (for the last 5 minutes) for "e...

by Explorer in

Setting Multiple severity level for same Correlation search

Hi, Is it possible to set two different severity level for same Correlation search. For Eg My search output li...

by New Member in

Repeat offenders risk

I have a weighted score for repeat offenders using the following formula | table _time id priority.name username h...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Enterprise Security: For items in My Investigations, do they get saved in the KV Store?

How do you detect WannaCry by Splunk Enterprise Security Content Updates?

Splunk Enterprise Security: notable suppression history

Splunk Enterprise Security: Correlation search lookup not working, yet -- works in normal search

Extra Visualizations not showing in Enterprise Security

Need help modifying this correlation search

Splunk Enterprise Security: How to clone and modify the Incident Review dashboard?

Are there best practices for CIM datamodel mapping for PaloAlto firewalls?

Throttle unless count increases

Why is there excessive memory usage on indexers after upgrading to Enteprise Security 4.7.x

Splunk Stream Built-in stream populating Dashboard vs Protocol Events

Help ! add manual data to a sourcetype

Can we use the powershell/ APT for integration of Rights Management Service/ Office 365 (RMS) data to Splunk

Splunk Enterprise Security: Content Management and Incident Review page not showing anything after upgrade

How do I add fields to a data-model from the CIM without rebuilding my data-models?

Tripwire TA that integrates with Splunk Enterprise Security?

Is the Tripwire Enterprise App for Splunk ES compatible with the Splunk App for Enterprise Security?

Getting F5 data into the data model of enterprise security

Questions about getting started with Splunk Enterprise Security

Splunk Common Information Model (CIM): Why is data model acceleration not working for Email data model?

How can I test for high or critical notable events?

Create indexer app purely for index configs and splitting hot\warm paths - what considerations when ES Splunk_TA_ForIndexers is used ?

How can I accelerate my DataModel Query below to work better for an Alert?

Setting Multiple severity level for same Correlation search

Repeat offenders risk

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Asset Identity Framework subnet does not match ip-...

Palo Alto apps and add-ons for splunk

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions