Splunk Enterprise Security

Discussions

Thread Info

How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

Hi, I am implementing the Splunk Enterprise Security app. I have DNS logs which are in Solaris. I went through the...

by New Member in

Splunk PCI App Notable Events no longer being generated or web page available

We recently upgraded our Splunk installation from 6.1.6 to 6.4.1 As part of the follow up work around this we needed ...

by Explorer in

Splunk App for Enterprise Security Installation?

Hi , I am planning to install ES in my environment. I have 3 indexer, 1 master node, 1 deployment server. Currentl...

by Explorer in

Splunk Enterprise Security 4.0.1: Is it possible to add the risk scores to the notable events listed in Incident Review?

Is it possible to add the risk scores to the notable events listed in Incident Review? I think it's possible to ac...

by Communicator in

Upgrade Enterprise Security from 3.3.x to 4.0 hangs on "Disabling Apps"

I am doing an upgrade of Enterprise Security from 3.3.1 to 4.0 through the GUI. I installed the app by providing it t...

by Communicator in

Is it possible to pass values from a notable event to a shell script?

Hello In Enterprise Security, there is the option to run a script as a follow on action to a notable event. Is it ...

by Path Finder in

Is there some sort of list of which CIM area common sourcetypes fit in?

Hello everyone, There is extensive documentation on what fields need to exist in order for a data source to fit in...

by Communicator in

What is the best way to change sourcetype for Linux Audit Events coming from OSSEC?

Hi, We have Linux Audit log data coming in Via OSSEC into Splunk. For this data, source is set to /var/ossec/logs/...

by Builder in

My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Hi all, I wrote this search that shows me when certain SSIDs are matched. sourcetype=rogap SSID="*skynet*" OR ...

by Explorer in

Splunk App for Enterprise Security: How to troubleshoot if the Threat Intelligence Source data is actually being downloaded?

After configuring the proxy settings for downloading the Splunk for Enterprise Security Intelligence Source data, I a...

by Path Finder in

How to test a correlation search?

So this is the pre-configured correlation search called "substantial increase in port activity". I'd like to tweak it...

by Builder in

Why ES threat list lookup fails on pivot data, but works with direct search on indexed data?

Is there anything different when running a lookup on data returned by a pivot compared to the same lookup running on ...

by Explorer in

Splunk Enterprise Security: Is it better to have more or less indexes when handling a lot of distinct types of data?

Hi, Splunkers We have a single instance as an Indexer, Search head, and Splunk Enterprise Security (32Gb RAM,16 vC...

by Contributor in

How to troubleshoot error "A script exited abnormally...deploy_splunk_ta_netscaler.py"?

I get this error every hour at my installation: msg="A script exited abnormally" input="./bin/scripted_inputs...

by Communicator in

Tuning Risk Scores and resetting score values

Hi, I'm in the process of tuning our risk scores, as applied to objects (users or assets) from a correlation searc...

by Communicator in

Upgrading Splunk Enterprise Security fails on enabling / disabling add-ons - Solution

Hi All, I am just posting a solution to an issue I have had with two upgrades for Splunk Enterprise Security. Firs...

by Path Finder in

Learning SIEM basics

Hello, I now have fairly good experience with Splunk and want to learn more about SIEM but not sure where to start...

by Contributor in

Splunk Enterprise Security: What is the best way to add details to asset information?

Hello Splunkers, Can someone provide some guidance on what is the best or recommended method of adding context to ...

by Path Finder in

How to use earliest and latest in my inputlookup search to filter results?

Hello Splunk Answers! I'm relatively new to Splunk - pardon if this is a very basic question. I've looked through ...

by Engager in

Why does Enterprise Security 3.0 not see the tags or field aliases properly in Splunk 6.0 or 6.1?

I have Splunk Enterprise 6.1, I've had the same issue on 6.0, and Enterprise Security 3.0 running. I pull in a dataso...

by Path Finder in

Are Splunk Enterprise Security and Splunk User Behavior Analytics (Splunk UBA) totally independent apps?

Hi, Is Splunk Enterprise Security and Splunk User Behavior Analytics (Splunk UBA) totally independent apps? Do ...

by Explorer in

Splunk Enterprise Security 4.x app questions

We've provided some background info to go with the questions as they relate to the Splunk Enterprise Security 4.x app...

by New Member in

Does anyone have test data that can fire off various correlation searches for notable events in Splunk Enterprise Security?

Hi, Does anyone in the community have test data that can fire off various Correlation Searches for Notable Events ...

by Engager in

Splunk Enterprise Security: Some dashboards are populated with data, but why not the Threat Activity dashboard?

The treat activity dashboard won't populate in the Splunk Enterprise Security app, although other dashboards (not all...

by Engager in

ES Security App: Multi-line header is missing matching quotation, or could not parse CSV header

I have recurring warnings in splunkd logs with multi-line header is missing matching quotation, or could not parse C...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

Splunk PCI App Notable Events no longer being generated or web page available

Splunk App for Enterprise Security Installation?

Splunk Enterprise Security 4.0.1: Is it possible to add the risk scores to the notable events listed in Incident Review?

Upgrade Enterprise Security from 3.3.x to 4.0 hangs on "Disabling Apps"

Is it possible to pass values from a notable event to a shell script?

Is there some sort of list of which CIM area common sourcetypes fit in?

What is the best way to change sourcetype for Linux Audit Events coming from OSSEC?

My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Splunk App for Enterprise Security: How to troubleshoot if the Threat Intelligence Source data is actually being downloaded?

How to test a correlation search?

Why ES threat list lookup fails on pivot data, but works with direct search on indexed data?

Splunk Enterprise Security: Is it better to have more or less indexes when handling a lot of distinct types of data?

How to troubleshoot error "A script exited abnormally...deploy_splunk_ta_netscaler.py"?

Tuning Risk Scores and resetting score values

Upgrading Splunk Enterprise Security fails on enabling / disabling add-ons - Solution

Learning SIEM basics

Splunk Enterprise Security: What is the best way to add details to asset information?

How to use earliest and latest in my inputlookup search to filter results?

Why does Enterprise Security 3.0 not see the tags or field aliases properly in Splunk 6.0 or 6.1?

Are Splunk Enterprise Security and Splunk User Behavior Analytics (Splunk UBA) totally independent apps?

Splunk Enterprise Security 4.x app questions

Does anyone have test data that can fire off various correlation searches for notable events in Splunk Enterprise Security?

Splunk Enterprise Security: Some dashboards are populated with data, but why not the Threat Activity dashboard?

ES Security App: Multi-line header is missing matching quotation, or could not parse CSV header

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Notable Event Status Inconsistency Between List Vi...

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

KV Store communication fails with TLS errors after...

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions