Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

metadata/local.meta question

Hello, so I was looking at my metadata/local.meta and it is only the following 4 lines: [savedsearches/mysavedsearc...

by Path Finder in

Splunk search on two different indexes and retrieve a matching value from one index

Hi All, I have two indexes. Index A | table email_usersIndex B | table email, Group email_users and email field...

by Explorer in

How to implement an App or Add-on that enables Splunk employees to report security incidents?

I would like to integrate an app or add-on into Splunk that enables employees in the company to bring anomalies into ...

by New Member in

Splunk App and Add-on for Amazon Web Services: Log search Cloudfront .gz log from S3 files

I'm not able to search cloud-front logs from S3. There is no results. But I'm able to search ELB logs and Cloud-trail...

by New Member in

Can I add the sendemail response action with the link to incident review page for a correlation search

I've created a correlation search, then I want to add the send email response action with a link to this rule that sh...

by Explorer in

Maxmind Threat Intelligence Database is not downloading

Hi there, I noticed that the URL path for the MaxMind ASN Database has changed on, to another path, and the siem can ...

by Explorer in

Send email on Notable Event close action

Hi Team I am looking to send an email alert once the notable event is closed, I can send an email when the notable ...

by Explorer in

Does not meet the recommended minimum system on only one instance

Why do we encounter this "Does not meet the recommended minimum system" only for ESSH03 even though all of the syst...

by Builder in

Adding manually downloaded Threat Intel file into Splunk ES

Hi all I have a threat feed that is available via using an API key only, I could not see any way to add the API key...

by Explorer in

EnterpriseSecurity - DataModels

Hi everyone, Introduction: We have Palo Alto products, and we have also installed the appropriate add-on and apps...

by Contributor in

Why does modifying notable severity in Splunk ES impact historic events as well?

Hi All, We notice a seemingly weird behaviour where modifying the notable severity in a correlation search brings u...

by Communicator in

Splunk Security Essentials not showing ESCU content in Manage Bookmarks page top statistics

Enabled 3 ESCU rules in ES and mapped them in SSE using Content Introspection on the Manage Bookmarks page. After a...

by Explorer in

Threat intelligence framework

Hi , Can anyone provide me approach/steps for integrating threat intelligence framework to Splunk ES. Also , how ...

by Explorer in

Latest and most Stable Splunk Enterprise version 8.x and Splunk ES Version 6.x

Hi Team, We are planning to upgrade from Splunk Enterprise v7.2.9.1 to Splunk Enterprise v8.0.x on the next few mon...

by Communicator in

What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

Hi Everyone, We have Suricata NIDS onboard and plans to integrate with Splunk and in particular with Splunk Enterp...

by Engager in

splunkd.log has license_warnings_update_interval messages every 20 seconds

I had converted my Splunk Head to use SSL. I added /opt/splunk/etc/system/local/web.conf and updated [settings] to ...

by Path Finder in

Microsoft Office 365 Reporting Mail

Hi, I've been trying to get email trace for office365 exchange using the addon in subject. No data is coming und...

by Engager in

How to calculate for what duration the status was in a particular state

Hi, I have a transaction that goes through multiple Status before its completed. Now the challenge I am facing he...

by Path Finder in

Any way to change the default owner of a notable dynamically?

We would like to dynamically assign an owner of a notable event? Our soc would like to round robin the incoming e...

by Explorer in

ES notable urgency changing for old notables.

Hi, We have correlation search with action as notable. Initially we made it low Severity on notable to monitor and...

by Engager in

How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app

How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app with sourc...

by New Member in

How to exclude windows events where logging has restarted after being stopped?

I have set up an alert for when logging has stopped on a Windows endpoint using event code 1100, but want to avoid re...

by New Member in

Should we lower acceleration.max_concurrent from 3 to ensure stability of the system?

For our accelerated datamodels, acceleration.max_concurrent is set to 3 and we reach situations where lots of cpu is...

by Motivator in

How to identify eventtype in props.conf

Hey, I have one sourcetype named "my_sourcetype". Since I would like to integrate with Splunk ES, I need to map m...

by Path Finder in

SecKit with ES 6.1.1

I am trying to configure SecKit with ES 6.1.1 but I am running into an issue with the configuration I am hoping someo...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

metadata/local.meta question

Splunk search on two different indexes and retrieve a matching value from one index

How to implement an App or Add-on that enables Splunk employees to report security incidents?

Splunk App and Add-on for Amazon Web Services: Log search Cloudfront .gz log from S3 files

Can I add the sendemail response action with the link to incident review page for a correlation search

Maxmind Threat Intelligence Database is not downloading

Send email on Notable Event close action

Does not meet the recommended minimum system on only one instance

Adding manually downloaded Threat Intel file into Splunk ES

EnterpriseSecurity - DataModels

Why does modifying notable severity in Splunk ES impact historic events as well?

Splunk Security Essentials not showing ESCU content in Manage Bookmarks page top statistics

Threat intelligence framework

Latest and most Stable Splunk Enterprise version 8.x and Splunk ES Version 6.x

What are the best practices for implementing Suricata Alerts into Splunk Enterprise Security?

splunkd.log has license_warnings_update_interval messages every 20 seconds

Microsoft Office 365 Reporting Mail

How to calculate for what duration the status was in a particular state

Any way to change the default owner of a notable dynamically?

ES notable urgency changing for old notables.

How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app

How to exclude windows events where logging has restarted after being stopped?

Should we lower acceleration.max_concurrent from 3 to ensure stability of the system?

How to identify eventtype in props.conf

SecKit with ES 6.1.1

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Has anyone used finding-based detection on ES 8.0 ...

Anatomy of a Successful Migration with Pizza Hut

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions