Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Unable to find sourcetype="ms365:defender:incident:alerts"?

Unable to find sourcetype="ms365:defender:incident:alerts"can u pls help

by Explorer in

Comparing IP Addresses after using the Join Command?

Hi Team, I am trying to compare IP addresses but I am unable to find any logic that can do so with the below query...

by Explorer in

Fields Not Showing After I Add Them in The Incident Review Settings Page?

Hi All, I want to display some additional fields and I have added them by following the below method: Configure...

by Explorer in

How to join information into one table?

Hi peeps,I want to join below information result in one table: 1st queryindex=sslvpn| iplocation src_ip| search Co...

by Path Finder in

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command spl...

by Builder in

Unable to open some correlation rules in Splunk enterprise security?

When I click on some correlation rules in content management in Splunk ES, I get the following error and it does not ...

by Engager in

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

Hello Do field values have to be consistent for ES or doesn't it matter? So in the wineventlog if src is sometime...

by Engager in

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

We have several devices that perform endpoint and network device scanning. As intended, they are scanning prohibited...

by Engager in

How to create a table to display different users who logged in from same clientip?

Hi, I am a student and new to Splunk. I really need help creating a table like this: The goal is to detect differe...

by Explorer in

Threat Intel lookup - Can we change how frequently ES reads new information?

Hi all, We have few Custom CSV lookups that have been added to ES for Threat Intel. For the existing data, we can l...

by Builder in

How to change Threat Intelligence time interval?

Hi Splunkers, How to change the threat intelligence Function time interval in Splunk ES. currently , I'm ge...

by Explorer in

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

I'm getting this error after upgrading Microsoft 365 app in Splunk error - Error in 'SearchParser': The search specif...

by Explorer in

Short-lived Account Detected - How to narrow down searches to certain accounts?

HiIts my first week in the job and I am finding creating alerts is not the issue but how to create useful alerts is m...

by Explorer in

Enterprise Security Suite Incident Review - How do you edit the owners list?

How do you control who is in the drop down list of owners, so you can assign a ticket to someone else? It seems to ha...

by Engager in

When opening Glass Tables page, I get the following Splunk ES Glass Tables Error?

All, When opening Glass Tables page, I get the following error: HTTPSConnectionPool(host='127.0.0.1', port=8089...

by Communicator in

How to create an alert if index have no data in the last 24 hours?

I want to create alert to check on all indexes event count and alert the list of all indexes that have no events in t...

by Loves-to-Learn in

How to send events via HEC method via JSON format?

Hi to all. im setting an integration with Splunk and Splunk ES. I decided to send events via HEC method json fo...

by Observer in

Is it possible to set up retrospective searches based on new threat intelligence indicators in ES?

As the title says, I am looking to setup retrospective searches based on new threat intelligence indicators in ES. ...

by Contributor in

How to detect threat from MySQL database, and as a threat response- how to safeguard storage volume used for database?

use case : How to detect threats from MySQL database and as a threat response how to safeguard Storage volume used...

by Engager in

How to configure email settings for Splunk Cloud to send alerts?

What's the best practice to configure email settings on Splunk Cloud Enterprise Security (ES) and Adhoc search head t...

by Builder in

Is it possible to change time format for column Receipt Time in Incident Review window?

Is it possible to change format time for the column "Receipt Time" in "Incident Review"? Currently I see this time...

by Engager in

Input lookup results: How to exclude results from Lookups?

Hi, index=network sourcetype=cisco:asa NOT src_ip IN("10.0.0.0/8","10.0.0.1,"10.0.0.2") | bucket _time span=1m| st...

by Engager in

Where can I find Splunk logs for Content management in Splunk Enterprise security?

Hello Team, In our environment, we have created use cases in the content management in Splunk ES. We want to know ...

by Loves-to-Learn in

Threat Activity Detecting Possibly Old Intel From Old Lookup- Search shows more than specified?

Hello Splunkers, I have a search created below to only detect local ip intel specified manually by the user: ...

by Path Finder in

In Splunk Fortinet FortiGate app - Wireless and System dashboards are not working?

In the Splunk Fortinet FortiGate app - wireless and System dashboards are not workingboth dashboards are not showing ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Unable to find sourcetype="ms365:defender:incident:alerts"?

Comparing IP Addresses after using the Join Command?

Fields Not Showing After I Add Them in The Incident Review Settings Page?

How to join information into one table?

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

Unable to open some correlation rules in Splunk enterprise security?

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

How to prevent notable events from being created in Enterprise Security when the source is one of the scanning devices?

How to create a table to display different users who logged in from same clientip?

Threat Intel lookup - Can we change how frequently ES reads new information?

How to change Threat Intelligence time interval?

How to fix this Error in 'SearchParser': The search specifies a macro 'm365_default_index' that cannot be found?

Short-lived Account Detected - How to narrow down searches to certain accounts?

Enterprise Security Suite Incident Review - How do you edit the owners list?

When opening Glass Tables page, I get the following Splunk ES Glass Tables Error?

How to create an alert if index have no data in the last 24 hours?

How to send events via HEC method via JSON format?

Is it possible to set up retrospective searches based on new threat intelligence indicators in ES?

How to detect threat from MySQL database, and as a threat response- how to safeguard storage volume used for database?

How to configure email settings for Splunk Cloud to send alerts?

Is it possible to change time format for column Receipt Time in Incident Review window?

Input lookup results: How to exclude results from Lookups?

Where can I find Splunk logs for Content management in Splunk Enterprise security?

Threat Activity Detecting Possibly Old Intel From Old Lookup- Search shows more than specified?

In Splunk Fortinet FortiGate app - Wireless and System dashboards are not working?

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...