Splunk Enterprise Security

Start a Conversation

Discussions

Start a Conversation

Thread Info

Search query for MicrosoftO365 - Multi Factor Authentication failure from different user with same source IP

by Loves-to-Learn Lots in

How to Monitor Multiple DNS requests which are not resolved by DNS server from a particular source using SPL

Conditons to create query: 1) Query should not contain any eventcode 2) Query must be build from DNS data model

by Loves-to-Learn Lots in

DomainTools app for ES - How do I update whois lookup builder?

Hello! Does anyone know how to update the whois lookup builder to be able update with new domains every 3 months ...

by New Member in

How can I make an ES Incident Review copy of my Notables?

How can we halt duplicate notables from being created on the Enterprise security Incident Review page for the same ev...

by New Member in

How to duplicate Notables in ES Incident Review?

Hi All, How can we stop duplicate notables which are getting generated in the Incident Review page for same event ...

by Loves-to-Learn Everything in

How to add new field for filtering in Splunk ES incident review?

Hi all, I would like to ask is that a way to add a another field for filtering in the Splunk ES incident review pa...

by Observer in

Failed to fetch data: Unable to get wmi classes from host '192.168.1.131'. This host may not be reachable or WMI may be

Hello, i have installed Splunk on windows machines and trying to get data from another windows machines using remot...

by Engager in

Unable to access Splunk ES?

I have abruptly been unable to access Splunk ES with the error message as "Fetch failed: authentication/current-conte...

by Engager in

Trouble with Enterprise Security configuration

Hi All, We have recently installed Enterprise Security but strangely the default dashboard doesn't display the inde...

by Path Finder in

Notable info could not be obtained: : unidentified in content management adaptive response actions?

Hi All, we have newly installed ES cluster where we cannot see the any action populating in adaptive response. We ...

by Path Finder in

Enterprise Security - Correlation Search - Notable - "default owner" missing users

I'm attempting to auto-assign users to certain types of Notable events under "Default Owner". For some reason only 20...

by Communicator in

Where can I find powershell commands?

G'day, Can someone please help me to understand how I can find the powershell commands (if any) an adversary has r...

by Loves-to-Learn Lots in

Using "sendalert risk" from saved search fails?

A saved search that ends with | sendalert risk param._risk_score=risk_score runs fine, but fails when run as a ...

by SplunkTrust in

How to get multiple issues when enabling ssl on Splunk web with 3rd party certs with requiredClientCert = true?

Hi All, I want enable mTLS in splunk cluster on all the communication channels. I have peer certificate that works...

by Path Finder in

How to make the Splunk ES Risk-Based Alerting risk threshold search case insensitive

We've starter lookin into Risk-Based Alerting (RBA) in Splunk ES, and noticed that the logic for the risk notables is...

by Builder in