Splunk Enterprise Security

Discussions

Thread Info

Alert title unable to be found

I am attempting to find alerts that where set by previous employees. Even after looking at all alerts and enabled ale...

by New Member in

Splunk Enterprise Security -> Incident Review -> What capability is required to "Edit Selected"

In the Incident Review panel, we select a Notable Event, click on Edit Selected and a form pops up. I chose the first...

by Contributor in

reboot splunk instance after OS patching

link text We patch our OS last week and OS admin advise us to reboto the Indexers once. we have multistie scenerio...

by Communicator in

How to find a Missing Lookup

I am new to the Splunk admin role and am having troubles with some errors. When a search is conducting I can see erro...

by Path Finder in

return events after searching another index

Hi, Whats the best way to return events from a search after also checking they're not contained within another ind...

by Path Finder in

Splunk Enterprise Security: Why are the colored icons missing from the urgency field when manually setting urgency with eval?

I want to combine multiple notable events into a single search so I am using this: eval urgency=case(infection_count<...

by Explorer in

tstats latest time for devices in a lookup

Hi, I have the following query, for returning the last time a device contained in a lookup logged to splunk by th...

by Path Finder in

Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

Configuration: We have configured a lookup table under 'ESS Identity management' to maintain the list of users. The u...

by Motivator in

Query for Alert_identification

Hello All, I tried the below query and got the results as well but my concern is who is modifying, deleting or cre...

by New Member in

In Splunk Enterprise Security, how do you Include empty results in a tstats search?

I am using tstats to search for some IP addresses. I'm trying to return the count of those IP addresses, which is eas...

by Path Finder in

search which finds the addition or deletion to the log sources happened since last week by index and loss/gain must be specified in percentage

I am trying to write a search which finds the addition or deletion to the log sources happened since last week by ind...

by New Member in

After upgrade to 7.2.5 due to FIELDALIAS in app props.conf, why is my search head crashing?

We encountered some issues when upgrading our clustered indexes infrastructure from 7.2.4 to 7.2.5. The upgrade proce...

by Explorer in

How to pass field value to custom alert action?

Hi! I'm creating custom alert action. I can use my alert action in save alert and Correlation search. But I meet a tr...

by Engager in

Query to list Crowdstrike Agent versions installed

I am looking for a query to list out CrowdStrike Agent versions installed. What is the latest version, are the client...

by New Member in

How do I correlate sysmon data for malicious child sub processes several levels deep from the parent?

The problem I am having is finding a way to write a rule that will be good enough to find a malicious child-process t...

by Engager in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Alert title unable to be found

Splunk Enterprise Security -> Incident Review -> What capability is required to "Edit Selected"

reboot splunk instance after OS patching

How to find a Missing Lookup

return events after searching another index

Splunk Enterprise Security: Why are the colored icons missing from the urgency field when manually setting urgency with eval?

tstats latest time for devices in a lookup

Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

Query for Alert_identification

In Splunk Enterprise Security, how do you Include empty results in a tstats search?

search which finds the addition or deletion to the log sources happened since last week by index and loss/gain must be specified in percentage

After upgrade to 7.2.5 due to FIELDALIAS in app props.conf, why is my search head crashing?

How to pass field value to custom alert action?

Query to list Crowdstrike Agent versions installed

How do I correlate sysmon data for malicious child sub processes several levels deep from the parent?

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?

How can I automatically and evenly assign notables...

Risk-Based Alerting FAQs

threat intelligence upload not working too

Splunk Enterprise Security - permissions issue

Splunk Enterprise Security Install Error In Deploy...