Splunk Enterprise Security

Discussions

Thread Info

Python dependencies failing

After restarting splunk master node machine (whole machine - there was no update of the splunk software itself, just ...

by SplunkTrust in

MITRE-ATTACK latest threat list can not be downloaded in ES

ES erroring reg. The latest threat list can not be downloaded. I visited the site it is trying to access manually , n...

by Builder in

Adding a tag to leavers in identity

Hello All, Wondering if anyone can help? I am currently looking at RBA and adding a multiplier to any users that ar...

by Engager in

Does upgrading Security Essentials App require the ES content App to be updates to the current ver. (3.29.0) ? Thx

I am about to upgrade the Security Essentials App (Installed on ES) to it's most current version 3.4.0. I read that S...

by Builder in

Checking against a known threat intel IP

Hello All,I am a Newbie to ES and need some help on a basic use case of ES. We are ingesting our firewall logs int...

by Builder in

In process of upgrading to 8.2.2.1 from 7.x.x any great lessons to follow? Should we upgrade the ES at the same time?

Work in a large environment including Splunk Ent. & ES. Planning to upgrade from 7.x.x to 8.2.2.1. Any optimizations ...

by Builder in

Same Event Showing up in Multiple Notables !!

We are receiving the same event over multiple notables. We would like to have a way to stop the duplicate events or t...

by Contributor in

Why is my Correlation search not showing up in Incident Review bench ?

Hello All,I have created couple of correlation searches , ensured to select "Notable" under the Adaptive Responsive s...

by Builder in

How can I Pass/access Notable Event fields to Adaptive Response python script?

I've created a correlation search that generates Notable events and I have a few fields that are extracted and displa...

by Engager in

What happens to ES, it's settings, configurations when Splunk Enterprise is upgraded to a new version like 8.2.2.1 ?

We have Splunk Ent. (8.0) & ES.(6.4). What is a proper procedure to upgrade to Splunk Enterprise 8.2.2.1 to retain th...

by Builder in

Empty Stream Capture on Notable Event's Adaptive Response Actions

Hello everyone, I have installed Splunk Stream on a distributed environment. All stream forwarders talk to the dep...

by Communicator in

Hiding statuses in "Edit event" box in splunk ES

I have added some custom notable event statues say a , b , c. I have modified the transition rules for "new" status...

by Explorer in

customizing Datamodels in ES: what will happen in upgrades?

Hi at all, my customer has the requirement to have the "index" field in each DataModel used in ES. Obviously, thi...

by SplunkTrust in

No results from scheduled jobs or searches

Hi,We are using Splunk cloud 8.2 and mainly utilizing for Splunk SIEM solution. Currently we have many scheduled a...

by Loves-to-Learn Lots in

How to use ip_intel lookup to perform a CIDR match ?

Hello Folks,How can i perform a CIDR/Subnet match with the "ip_intel" lookup file that comes by default ? This looku...

by Builder in

data on indexers disappeared

I have about 10 indexers, a cluster. For some reason my "master node" turned off and when it turned on. my data has d...

by Communicator in

Extracting field with different type of data

Hi All, Hope you all are doing good. I am trying to extract a field which the different types of data. I want to ...

by Explorer in

Visualisation : Single Value with Trendline

Hi, Im trying to create a single value with trendline visualisation, where I want to compare the difference between...

by Path Finder in

How to know all the Contents created from a specific data model in Splunk Enterprise Security ?

I want to list all the 'Authentication' related content we have created in the ES App.Is there any SPL query to get t...

by Contributor in

Authentication Data model duplication of logs issue from 2 sourcetypes

I have one 1 primary index namely azure with 2 sourcetypes namely: mscs:kube-good and mscs:kube-audit-good. I believ...

by Path Finder in

How do I lookup the Name & IP addresses of my Splunk instances. Am using the following for ES but don't get the IP. Thx

The following do not give the IP for the Splunk Enterprise Security (ES). Is there a better SPL to provide the list o...

by Builder in

How to troubleshoot when KVStore is failed

Hi, I deployed Splunk distributed topology. Now my server Search Head has issue: KVStore is on failed state (it mak...

by Explorer in

Threat Activity Detected Notable not triggered

Hello everyone, I have added an IP on local_intel_ip.csv and it now appears on Threat Artifact panel. The correlati...

by Communicator in

I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication

How will I set up a data model that has Authentication and sub-sessions Default, insecure and Privileged Authenticati...

by Path Finder in

Notable urgency not registering correctly

Hi, According to the Splunk Docs page How urgency is assigned to notable events in Splunk Enterprise Security if I ...

by Communicator in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Python dependencies failing

MITRE-ATTACK latest threat list can not be downloaded in ES

Adding a tag to leavers in identity

Does upgrading Security Essentials App require the ES content App to be updates to the current ver. (3.29.0) ? Thx

Checking against a known threat intel IP

In process of upgrading to 8.2.2.1 from 7.x.x any great lessons to follow? Should we upgrade the ES at the same time?

Same Event Showing up in Multiple Notables !!

Why is my Correlation search not showing up in Incident Review bench ?

How can I Pass/access Notable Event fields to Adaptive Response python script?

What happens to ES, it's settings, configurations when Splunk Enterprise is upgraded to a new version like 8.2.2.1 ?

Empty Stream Capture on Notable Event's Adaptive Response Actions

Hiding statuses in "Edit event" box in splunk ES

customizing Datamodels in ES: what will happen in upgrades?

No results from scheduled jobs or searches

How to use ip_intel lookup to perform a CIDR match ?

data on indexers disappeared

Extracting field with different type of data

Visualisation : Single Value with Trendline

How to know all the Contents created from a specific data model in Splunk Enterprise Security ?

Authentication Data model duplication of logs issue from 2 sourcetypes

How do I lookup the Name & IP addresses of my Splunk instances. Am using the following for ES but don't get the IP. Thx

How to troubleshoot when KVStore is failed

Threat Activity Detected Notable not triggered

I am setting up Authentication datamodel that have Default, insecure and Privileged Authentication

Notable urgency not registering correctly

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk ES threat feeds empty

Palo Alto apps and add-ons for splunk

Dashboard PNG schedule export setting is not viewa...

Incident_updates_lookup not updating urgency and r...

Create Investigation SOAR

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!