Splunk Enterprise Security

Community Activity
Treize
Hi, I am a beginner. I have a correlation rule that :- searches for IP addresses that are port scans- search in the lo...
by Treize Path Finder in Splunk Enterprise Security 06-28-2022
0 3
sssinqiry5
Hi all,My team needs to clear an alert with a totally different department before we consider it "published" for the ...
by sssinqiry5 Engager in Splunk Enterprise Security 06-23-2022
0 1
ksahu
I have a SHC consisting of 4 SHs (Splunk on-prem on AWS). One or the other SHs seem to go into down state. The only i...
by ksahu New Member in Splunk Enterprise Security 06-21-2022
0 1
Lowell
Splunk Enterprise Security is deployed to a Search Head Cluster, along with a bunch of applicable TAs. Deployments ar...
by Lowell Super Champion in Splunk Enterprise Security 06-20-2022
5 13
bhargavg
Hi All, We are facing a weird issue where we are unable to see any new incidents on PCI compliance >Incidents review....
by bhargavg New Member in Splunk Enterprise Security 06-18-2022
0 0
muhammadalavi19
Hi, we are using Splunk ES 7.0 in our SOC environment. After upgrading to ES 7.0 we are getting the following issue du...
by muhammadalavi19 Loves-to-Learn in Splunk Enterprise Security 06-18-2022
0 0
Agent31
I'm using searches which are relatively noisy and difficult to simply write exclusions for, so one way that I've been...
by Agent31 Engager in Splunk Enterprise Security 06-16-2022
0 0
dmuley
I have the event that looks like below: 2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="...
by dmuley Explorer in Splunk Enterprise Security 06-15-2022
0 4
residualfail
Hello, I found a ton of eventtypes for the vmware agent module like AGENT_CONNECTED, AGENT_RECONNECTED, AGENT_SHUTDOW...
by residualfail New Member in Splunk Enterprise Security 06-14-2022
0 0
deodeshm
As I understand es_notable_events is KVStore and it stores notable event information for last 48 hours/ also there is...
by deodeshm Explorer in Splunk Enterprise Security 06-09-2022
0 1
sheamus69
The AccountExpires field in an AD log is described as: The date when the account expires. This value represents the...
by sheamus69 Communicator in Splunk Enterprise Security 06-07-2022
0 2
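Added example (not part of sheamus69's post or of Splunk ES): the Microsoft description the post quotes from continues by saying that accountExpires is a Windows FILETIME, a 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, and that both 0 and 0x7FFFFFFFFFFFFFFF mean the account never expires. The conversion below turns that raw value into a usable timestamp and classifies a few constructed key=value events (the `user=` field and the event shape are assumptions for the demo, not the poster's data) as active, expired or never-expiring. Note the two sentinels: a naive conversion of 0x7FFFFFFFFFFFFFFF overflows any date library, and a naive conversion of 0 yields the year 1601, so both must be special-cased before any "expired" logic runs.

```python
from datetime import datetime, timedelta, timezone

# The AD accountExpires attribute is a Windows FILETIME: a 64-bit count of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. The sentinel values
# 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_SENTINELS = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(value):
    """Return an aware UTC datetime for a FILETIME value, or None for 'never'."""
    ticks = int(value)
    if ticks in NEVER_SENTINELS or ticks < 0:
        return None
    try:
        # FILETIME has 100 ns resolution; datetime only carries microseconds.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        # Past datetime's range (year 9999): treat as 'never' rather than crash.
        return None


def datetime_to_filetime(dt):
    """Inverse conversion, e.g. to build a numeric threshold for a search."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def expiry_status(value, now):
    """Classify an accountExpires value relative to 'now' (an aware datetime)."""
    expires = filetime_to_datetime(value)
    if expires is None:
        return "never"
    return "expired" if expires <= now else "active"


# Constructed sample events (hypothetical 'user' field; not the poster's data).
SAMPLE_EVENTS = [
    "user=alice AccountExpires=133010208000000000",  # 2022-06-30 00:00 UTC
    "user=bob AccountExpires=9223372036854775807",   # 0x7FFFFFFFFFFFFFFF: never
    "user=carol AccountExpires=0",                   # 0: never
    "user=dave AccountExpires=132223104000000000",   # 2020-01-01 00:00 UTC
]


def classify_events(lines, now):
    """Parse AccountExpires out of each key=value line; return {user: status}."""
    result = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        result[fields["user"]] = expiry_status(fields["AccountExpires"], now)
    return result


if __name__ == "__main__":
    now = datetime(2022, 6, 7, tzinfo=timezone.utc)
    for user, status in classify_events(SAMPLE_EVENTS, now).items():
        print(user, status)
```

In SPL the same arithmetic is `(AccountExpires/10000000) - 11644473600` to reach Unix epoch seconds, but the two sentinels still have to be checked first, otherwise every never-expiring account shows up as expired in 1601 or as a far-future junk date.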
spectrum2035
Hello, We would like to use the latest CIM version (4.13.0) in order to use the Endpoint datamodel which is not avail...
by spectrum2035 Explorer in Splunk Enterprise Security 05-31-2022
0 3
oylkm
I have a threat activity rule that looks at both internal IPs attempting communication externally to malicious IPs ba...
by oylkm Explorer in Splunk Enterprise Security 05-30-2022
0 2
SamHTexas
The error says "Threat list download from https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterp...
by SamHTexas Builder in Splunk Enterprise Security 05-25-2022
0 3
ncsasecops
We are seeing this vulnerability show up via qualys vuln scanning on both our dev and production splunk instances. I ...
by ncsasecops Engager in Splunk Enterprise Security 05-25-2022
2 2
Abdullah
Hi, closing a high number of incidents was always done, but the slowness is a new thing. Now we are facing the slowne...
by Abdullah Explorer in Splunk Enterprise Security 05-25-2022
0 1
fedejko
Hi, I have the following case which I can't get around. My search returns something like this: In order to help secu...
by fedejko Explorer in Splunk Enterprise Security 05-24-2022
0 5
zargaran
Hi geeks, I integrated TheHive and Cortex with Splunk ES for getting some alerts after triggering the correlation ...
by zargaran Observer in Splunk Enterprise Security 05-23-2022
0 0
jimish
Unable to pull similar number 53726516638.77 (in billion) using chart for past 7 days. Dashboard only pulls data for ...
by jimish Explorer in Splunk Enterprise Security 05-20-2022
0 4
JakeInfoSec
I'm currently trying to upload a malware feed into Threat Intelligence Management.The feed itself is being pulled fro...
by JakeInfoSec Explorer in Splunk Enterprise Security 05-20-2022
1 2
Zacknoid
Hello everyone, I am trying to separate data getting into the main index from particular hosts. I am trying Transfor...
by Zacknoid Explorer in Splunk Enterprise Security 05-20-2022
0 3
halleyglen
Facing issues with KVStore on Enterprise Security. Dashboards show an error "Unable to load results". Is there any co...
by halleyglen Explorer in Splunk Enterprise Security 05-19-2022
3 8
jravida
Hi folks, I seem to have the remnants of a role, being called up, and failing to exist. The role is related to the E...
by jravida Communicator in Splunk Enterprise Security 05-18-2022
1 3
Splunk2210
While editing the Notable, we have options called "Edit selected".  Can anyone help me with how to put the limit(numb...
by Splunk2210 Observer in Splunk Enterprise Security 05-17-2022
0 0
PickleRick
I'm wondering about possibilities to set up a separate ES's for different teams. Due to some mergers and acquisitions...
by PickleRick SplunkTrust in Splunk Enterprise Security 05-16-2022
0 2