Splunk Enterprise Security

Discussions

Thread Info

Run Adaptive Response & Azure SAML's Lack of AQR

Issue When configured to use Azure SAML on our Enterprise Security search head (no Authentication Extension yet spe...

by Explorer in

Compare Notables (Index) vs Investigations

I want to show how many ES Notables were opened in the last 30 days and how many investigations were opened on a line...

by Explorer in

Rules Time Zones

Hi All, I need to build a rule that alerts for specific activity by specific user past working hours. For example...

by Contributor in

Datamodel Search is empty

Hello, I have an issue with Endpoint Datamodel while using Enterprise Security. Specifically I am running: ...

by Communicator in

Just updated to ES 6.4 and I need to edit a Threat Match Search

I need to manipulate some fields in the URL threat match search in Splunk ES 6.4, but am at a loss as for how to do s...

by Path Finder in

Stop receiving from UDP port

How i create a script to stop receiving data from UDP port on specific hours for example betwenn 12h until 15h ?

by Loves-to-Learn Everything in

How to read a field from a result using a search?

Hi everyone, Can I read the value of a field from each previous result using a search? Something similar to: ...

by Path Finder in

create new index from existing index

Is there a way take existing index and create from it a new index with aggregating search? meaning taking existing ...

by Loves-to-Learn in

Windows & Linux and other logs are required to be sent to pass a GSA gov. audit?

What Windows & Linux and other logs need to be sent to Splunk to pass a GSA gov. audit?

by Builder in

What does "summariesonly' mean in this Enterprise Security search?

I found this search in ES Content Updates | tstats `summariesonly` count min(_time) as firstTime max(_time) as las...

by Builder in

What is the recommended logging requirement for Linux OS from Splunk ES perspective ?

by Motivator in

notable index not populating events for Splunk enterprise security appurity app

Can anyone help me im understanding why the notable events are not getting populated on splunk enterprise security. ...

by Observer in

How can i intgrate Palo Alto with Splunk

Hi, I have one index for Palo Alto and there are other Palo Alto already integrated and indexed to this index. i ...

by Explorer in

Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ?

Looking to find what ES usecases are there that use Certificate and/or Alert datamodels

by Motivator in

In Splunk Enterprise Security, why is "weight" field missing in the Threat Intelligence datamodel?

The datamodel for Threat Intelligence is missing the weight field. This breaks the built in Threat Activity Detect...

by Explorer in

Combine base search with LDAP search

I am having difficulty combining two individual searches. I have the following ldap search that lists the member nam...

by Loves-to-Learn in

Missing events in Notable Index Splunk Enterprise Security

Hello, For your awareness my architecture consist of 1SH, 1 Enterprise Security SH, Cluster of 3 indexes, deployme...

by Engager in

What data sources does Splunk for Enterprise Security require?

Specifically, what data sources does the Splunk for Entrrpise Security REQUIRE? What data sources are OPTIONAL? Is th...

by Explorer in

Application Protocols list in ES - unclear in documentation

The documentation for Application Protocol list in ES states "The Application Protocols list is a list of port and pr...

by Motivator in

What is the actual use of Expected Views lookup ?

Splunk doc says, Expected Views list specifies Splunk Enterprise Security views that are monitored on a regular basis...

by Motivator in

ES: DataModel Acceleration Enforcement: Encountered the following error while trying to update: The following required arguments are missing: manual_rebuilds.

Hi, when trying to remove the automatic data model acceleration enforcement from Data Inputs --> Data Model Accelerat...

by Engager in

Is Enterprise Security officially supported in the containerized environment (Docker)?

Hello, I'm trying to find out if Enterprise Security is officially supported in containerized environment (particul...

by Path Finder in

Threat intelligence feeds update

Hi All, Recently, I installed MISP42Splunk in my environment in order to integrate MISP with Splunk. Below is the ...

by Explorer in

Is it possible to install Splunk Security Enterprise 6.4.0 on Windows?

Hello everyone. Currently I have a cluster architecture of Splunk Enterprise 8.0.7. SH cluster + Indexer Cluste...

by Path Finder in

Batch input. How to index .tar files quickly?

Hi, I have batch index with next configuration: [batch://path/to/files] move_policy = s...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Run Adaptive Response & Azure SAML's Lack of AQR

Compare Notables (Index) vs Investigations

Rules Time Zones

Datamodel Search is empty

Just updated to ES 6.4 and I need to edit a Threat Match Search

Stop receiving from UDP port

How to read a field from a result using a search?

create new index from existing index

Windows & Linux and other logs are required to be sent to pass a GSA gov. audit?

What does "summariesonly' mean in this Enterprise Security search?

What is the recommended logging requirement for Linux OS from Splunk ES perspective ?

notable index not populating events for Splunk enterprise security appurity app

How can i intgrate Palo Alto with Splunk

Is there any ES Analytical Story or Usecase for Certificates and Alerts datamodel ?

In Splunk Enterprise Security, why is "weight" field missing in the Threat Intelligence datamodel?

Combine base search with LDAP search

Missing events in Notable Index Splunk Enterprise Security

What data sources does Splunk for Enterprise Security require?

Application Protocols list in ES - unclear in documentation

What is the actual use of Expected Views lookup ?

ES: DataModel Acceleration Enforcement: Encountered the following error while trying to update: The following required arguments are missing: manual_rebuilds.

Is Enterprise Security officially supported in the containerized environment (Docker)?

Threat intelligence feeds update

Is it possible to install Splunk Security Enterprise 6.4.0 on Windows?

Batch input. How to index .tar files quickly?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Anatomy of a Successful Migration with Pizza Hut

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code