Splunk Enterprise Security

Discussions

Thread Info

How to make Splunk ES override urgency changes?

Hi all, I have a correlation search that passes alerts from another system into ES and I need to prevent the urgen...

by Path Finder in

Why are risk objects not being normalized against assets and identities?

I'm using RBA and am having issues with duplicate notables for the same thing. For example, I'll get a notable for bo...

by Loves-to-Learn Lots in

Why am I not getting the correct percentage difference?

HelloKindly assist me in this query/solution.I have a long list of IPs that logged in. Out of this list, I want to kn...

by Path Finder in

Risk based alerting - Contributing Risk Events Drilldown not working?

Hi, I have problems with the drilldown button in the "Risk Event Timeline" view for an Risk Notable. When expan...

by Explorer in

Search for failed logins: Why is the search creating false positive alerts?

Hello, I have created a search for failed logins for win,linux and network devices from authentication datamodel b...

by Engager in

Enterprise Security Threat Intelligence - Lookup population?

Hi,I'm starting with ES Threat Intelligence and am wondering, how threat intel data is populated to the KV stores use...

by Motivator in

Is there a way to query ES investigations for artifacts?

Is there a way to query ES investigations for artifacts? For example, suppose that I have a current notable with a h...

by Path Finder in

Unable to find sourcetype="ms365:defender:incident:alerts"?

Unable to find sourcetype="ms365:defender:incident:alerts"can u pls help

by Explorer in

Comparing IP Addresses after using the Join Command?

Hi Team, I am trying to compare IP addresses but I am unable to find any logic that can do so with the below query...

by Explorer in

Fields Not Showing After I Add Them in The Incident Review Settings Page?

Hi All, I want to display some additional fields and I have added them by following the below method: Configure...

by Explorer in

How to join information into one table?

Hi peeps,I want to join below information result in one table: 1st queryindex=sslvpn| iplocation src_ip| search Co...

by Path Finder in

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command spl...

by Contributor in

Unable to open some correlation rules in Splunk enterprise security?

When I click on some correlation rules in content management in Splunk ES, I get the following error and it does not ...

by New Member in

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

Hello Do field values have to be consistent for ES or doesn't it matter? So in the wineventlog if src is sometime...

by Engager in

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

We have several devices that perform endpoint and network device scanning. As intended, they are scanning prohibited...

by Engager in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to make Splunk ES override urgency changes?

Why are risk objects not being normalized against assets and identities?

Why am I not getting the correct percentage difference?

Risk based alerting - Contributing Risk Events Drilldown not working?

Search for failed logins: Why is the search creating false positive alerts?

Enterprise Security Threat Intelligence - Lookup population?

Is there a way to query ES investigations for artifacts?

Unable to find sourcetype="ms365:defender:incident:alerts"?

Comparing IP Addresses after using the Join Command?

Fields Not Showing After I Add Them in The Incident Review Settings Page?

How to join information into one table?

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

Unable to open some correlation rules in Splunk enterprise security?

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?

How can I automatically and evenly assign notables...

Risk-Based Alerting FAQs

threat intelligence upload not working too

Splunk Enterprise Security - permissions issue

Splunk Enterprise Security Install Error In Deploy...