Splunk Enterprise Security

Discussions

Thread Info

Splunk Enterprise Security: Why do correlation searches sometimes say "Access - " or "Network - " and sometimes not?

So if you create a new correlation search, a fancy little "feature" of Splunk Eenterprise Security, a stanza gets cre...

by Communicator in

Unable to run searches in Splunk Enterprise Security because of the error "BUNDLE_SIZE_EXCEEDS_MAX_SIZE"

I am getting the following error in the Search Head running Splunk Enterprise Security: Unable to distribute to p...

by Contributor in

Unable to run Security Posture in the Splunk Cloud sandbox with error "The minimum free disk space (2000MB) reached"?

Search not executed: The minimum free disk space (2000MB) reached for /opt/splunk/var/run/splunk/dispatch. user=wtadd...

by New Member in

Why is the Incident Review dashboard missing from Splunk Enterprise Security?

The Incident Review dashboard is not listed in the pre-set list in Splunk Enterprise Security. Is this a dashboard I ...

by Splunk Employee in

Splunk Enterprise Security (ES) - How to do a field lookup for Notable Events?

Hi everyone, I am creating a workflow action that allows me to links to a website (e.g. google.com) from Incident ...

by Path Finder in

assets and identities lookups not merging into identities_expanded.csv in Splunk SA-IdentityManagment for Splunk Enterprise Security - Search Head Clustering

why are my lookup files not being merged into identities_expanded.csv ?

by Splunk Employee in

Splunk ES asset and identity merge issues

A quick question about how the asset and identity list is populated for Splunk ES. I can see it is happening from ...

by Builder in

How to remove asset data?

I've configured my own asset list, and now I want to stop asset information from the "demo assets" lookup from showin...

by Path Finder in

Splunk Enterprise Security setup: Why am I seeing error "unable to distribute to peer...because replication was unsuccessful."?

I've been trying to set up the Splunk Enterprise Security app, but I came across an issue that I can't find reference...

by Contributor in

Splunk Enterprise Security: How to automate the population of assets.csv with DB Connect?

We are running Enterprise Security and I'm trying to schedule and automate the population of assets.csv that ES uses ...

by Explorer in

Incident review default settings

Hi Is there a way to show only critical, high, medium in incident review by default?

by Builder in

How to pull data from SharePoint to Splunk

I needed to pull asset data from SharePoint to Splunk as a lookup table to feed into Splunk Enterprise Security. I lo...

by Explorer in

Splunk Enterprise Security: Taxii feed from Soltra Edge server is stuck at "Taxii feed polling starting"

I am trying to get the FS-ISAC threat feed from my Soltra Edge box into my threatlists on Splunk Enterprise Security....

by Explorer in

Splunk ES App incident management for notable events

The ES App currently configured to run few correlation searches and when the notable events are created those events ...

by Explorer in

Splunk Enterprise Security: Why is the notable event for a user lockout correlation search showing urgency as "Unknown"?

Hi The notable event for a user lockout correlation search is showing urgency as "Unknown", I tried changing it t...

by Builder in

Configuring "additional fields" for a notable event in Enterprise Security (ES)

I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that do...

by Path Finder in

Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES)

Hey Splunkers, Question about notable events. I know how to modify a correlation drill-down searches (and pass tok...

by Path Finder in

How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

Hi, I am implementing the Splunk Enterprise Security app. I have DNS logs which are in Solaris. I went through the...

by New Member in

Splunk PCI App Notable Events no longer being generated or web page available

We recently upgraded our Splunk installation from 6.1.6 to 6.4.1 As part of the follow up work around this we needed ...

by Explorer in

Splunk App for Enterprise Security Installation?

Hi , I am planning to install ES in my environment. I have 3 indexer, 1 master node, 1 deployment server. Currentl...

by Explorer in

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>

Or Learn More in Our Blog >>

Splunk Enterprise Security

Discussions

Splunk Enterprise Security: Why do correlation searches sometimes say "Access - " or "Network - " and sometimes not?

Unable to run searches in Splunk Enterprise Security because of the error "BUNDLE_SIZE_EXCEEDS_MAX_SIZE"

Unable to run Security Posture in the Splunk Cloud sandbox with error "The minimum free disk space (2000MB) reached"?

Why is the Incident Review dashboard missing from Splunk Enterprise Security?

Splunk Enterprise Security (ES) - How to do a field lookup for Notable Events?

assets and identities lookups not merging into identities_expanded.csv in Splunk SA-IdentityManagment for Splunk Enterprise Security - Search Head Clustering

Splunk ES asset and identity merge issues

How to remove asset data?

Splunk Enterprise Security setup: Why am I seeing error "unable to distribute to peer...because replication was unsuccessful."?

Splunk Enterprise Security: How to automate the population of assets.csv with DB Connect?

Incident review default settings

How to pull data from SharePoint to Splunk

Splunk Enterprise Security: Taxii feed from Soltra Edge server is stuck at "Taxii feed polling starting"

Splunk ES App incident management for notable events

Splunk Enterprise Security: Why is the notable event for a user lockout correlation search showing urgency as "Unknown"?

Configuring "additional fields" for a notable event in Enterprise Security (ES)

Drilldown behavior on Notable Events - Drilldown to custom dashboard? (ES)

How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

Splunk PCI App Notable Events no longer being generated or web page available

Splunk App for Enterprise Security Installation?

Problem in using Cortex as Response Action in Splu...

How to put Limit on "edit Selected" option for the...

Is throttling based on trigger time? How do we dec...

What should be the source type for AWS KMS logs to...

Single Enterprise Security searchhead cluster conn...