Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

How to convert Active DIrectory AccountExpires field into a date code

The AccountExpires field in an AD log is described as: The date when the account expires. This value represen...

by Communicator in

Splunk ES and CIM compatibility for upgrade?

Hello, We would like to use the latest CIM version (4.13.0) in order to use the Endpoint datamodel which is not av...

by Explorer in

Help filtering out threat activity false positive

I have a threat activity rule that looks at both internal IPs attempting communication externally to malicious IPs ba...

by Explorer in

Need help please. Threat list for MITRE ATT&CK from the following link not working. Thanks a million

The error says "Threat list download from https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/ent...

by Builder in

Seeing (SSL/TLS Compression Algorithm Information Leakage Vulnerability port 8089/tcp over SSL) from qualys scanning

We are seeing this vulnerability show up via qualys vuln scanning on both our dev and production splunk instances. I ...

by Engager in

How to fix slowness in Splunk ES

Hi, Closing high number of incident was always done but the slowness is a new thing. Now we are facin...

by Explorer in

How to move multivalue fields as separate columns?

Hi, I have the following case which I can't get around. My search returns something like this: In order...

by Explorer in

Problem in using Cortex as Response Action in Splunk ES correlation search rules!

Hi geeks, I integrated the TheHive and Cortex with Splunk ES for getting some alerts after triggering the correlati...

by Observer in

Unable to pull similar number 53726516638.77 (in billion) using chart for past 7 days?

Unable to pull similar number 53726516638.77 (in billion) using chart for past 7 days. Dashboard only pulls data f...

by Explorer in

Adding Threat Intelligence feed into Splunk ES in CSV format

I'm currently trying to upload a malware feed into Threat Intelligence Management. The feed itself is being pulled ...

by Explorer in

How to Separate data from main index/HF?

Hello everyone, I am trying to separate data getting into the main index from particular hosts. I am trying Trans...

by Explorer in

What is the command to check KVStore status?

Facing issues with KVStore on Enterprise Security. Dashboards show an error "Unable to load results". Is there any co...

by Explorer in

How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security?

Hi folks, I seem to have the remnants of a role, being called up, and failing to exist. The role is related to the...

by Communicator in

How to put Limit on "edit Selected" option for the notable?

While editing the Notable, we have options called "Edit selected". Can anyone help me with how to put the limit(numb...

by Observer in

Possibility of Multitenancy with ES

I'm wondering about possibilities to set up a separate ES's for different teams. Due to some mergers and acquisiti...

by SplunkTrust in

Splunk ES - How to ddd a Status to Incident Review Dashboard?

Under the 'Incident Review' dashboard, I want to add a Status type of 'False Positive' so I can easily find these and...

by Path Finder in

Is throttling based on trigger time? How do we decide?

Hi,I have a CS, which runs every 6mins looking back -65m and -5m.. It triggered a notable alert, where for the same d...

by Path Finder in

What should be the source type for AWS KMS logs to be CIM mapped fed to Splunk HEC through Kinesis Firehose connector?

We have a setup where the AWS KMS logs are sent to Splunk HEC through below flow. We are getting JSON event format bu...

by Explorer in

How to notify collaborators when some changes are done in investigation?

Dear Splunkers, can you please advise or direct my to right place on following question:we need to send notification ...

by Path Finder in

How to write custom trigger condition?

Hi Team, Could you please help me on this request. I have a correlation search working fine and need to exclude th...

by New Member in

Single Enterprise Security searchhead cluster connected to 2 indexer clusters

Hi All, I am investigating the possibility of consolidating our separate standalone ES Searchheads into a single cl...

by Loves-to-Learn in

Trying to set default disposition of a notable correlation search

Greetings.I've been trying to build a correlation search that sets a default disposition value when it runs but so fa...

by Contributor in

Getting error when trying to update notable event

Has anyone found this error event?

by Explorer in

Help with query to find out activity towards a particular URL

query to find out activity towards a particular URL eg: URL - https://www.microsoft.com/en-us/security

by Engager in

Stuck with Splunk ES Upgrade

Hi Helpers - Below is my usecase where I am stuck with my ES upgrade. My Splunk version recently upgraded from 7.2...

by Builder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to convert Active DIrectory AccountExpires field into a date code

Splunk ES and CIM compatibility for upgrade?

Help filtering out threat activity false positive

Need help please. Threat list for MITRE ATT&CK from the following link not working. Thanks a million

Seeing (SSL/TLS Compression Algorithm Information Leakage Vulnerability port 8089/tcp over SSL) from qualys scanning

How to fix slowness in Splunk ES

How to move multivalue fields as separate columns?

Problem in using Cortex as Response Action in Splunk ES correlation search rules!

Unable to pull similar number 53726516638.77 (in billion) using chart for past 7 days?

Adding Threat Intelligence feed into Splunk ES in CSV format

How to Separate data from main index/HF?

What is the command to check KVStore status?

How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security?

How to put Limit on "edit Selected" option for the notable?

Possibility of Multitenancy with ES

Splunk ES - How to ddd a Status to Incident Review Dashboard?

Is throttling based on trigger time? How do we decide?

What should be the source type for AWS KMS logs to be CIM mapped fed to Splunk HEC through Kinesis Firehose connector?

How to notify collaborators when some changes are done in investigation?

How to write custom trigger condition?

Single Enterprise Security searchhead cluster connected to 2 indexer clusters

Trying to set default disposition of a notable correlation search

Getting error when trying to update notable event

Help with query to find out activity towards a particular URL

Stuck with Splunk ES Upgrade

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Asset Identity Framework subnet does not match ip-...

Palo Alto apps and add-ons for splunk

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions