Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Searchmatch need to verify either of two field values/events

Hi All, Recently Dal Jeanis provided solution to my query and now I'm encounter one more issue with same solution....

by Explorer in

Creating search for malware infection

Hi guys, The team has created this search To Alerts when a host has an infection that has been re-infected remove mu...

by New Member in

CEF parsing is not working

we have one search head and one with Enterprise Security. we have one index which named index=fireeye and logs are...

by Path Finder in

Issues Related With Log-In Credantials in Splunk

Hello, I am recently joining with the Splunk community and really like your services but there is a small glitch w...

by New Member in

How to narrow time frame for metadata search to only see events within a certain window?

I have a metadata search to detect when host stops sending logs. I'd like to change the timeframe so that I only see ...

by Path Finder in

How to achieve a search to get a count of how many times each alert has fired over a period of time?

How can I perform a search to get a count of how many times each alert has fired over a period of time?

by New Member in

Splunk Enterprise Security 6.X - Notables not showing in Incident Management

Hi, I have an issue at a customer where ES is not showing the notables on the incident management page or the secu...

by Path Finder in

How whitelist editor is working in threathinting app ?

I am wondering how whitelist lookups concept is working in threathinting app? is it something we need to push the dat...

by Explorer in

How can I make my search against lookup table case insensitive?

I have a search which is detecting when host stops sending logs, then the search does a lookup against my assets look...

by Path Finder in

Splunk Enterprise Security: Why am I unable to create notable events?

Issue I see in web_service.log : 2016-02-15 16:58:28,367 ERROR [56c203b3dd836e2840f0] init:340 - Mako failed to re...

by Engager in

How to identify which host the user is trying to access by using windows DC log.

This question may not 100% related with Splunk but I am sure Splunker had done this many times so I thought I will ju...

by Communicator in

Can some one help in writing searches for below scenerio in Enterprise security

Hello all, In Enterprise Security I need to write searches for below scenario can some help in writing this? 1...

by Explorer in

If there is no match in lookup table, return default value in results

I have a lookup table with domain names and corresponding IP address. In my events, the results show the IP, so I add...

by Path Finder in

Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Hi all, What I want to achieve is to identify the users that possibly leaking /auto-forwarding emails to his perso...

by Engager in

Why does adding head (1==1) fix this strange lookup error?

Both queries work on our non ES server; however, only the first query works on our ES server. This query works in ...

by Engager in

Splunk subsearch to find an event from a source if it is present in another source is not working

I have a query that looks for data from one source only if it is present in another source. It was working fine befor...

by New Member in

How does one safely merge a KV store?

We migrated Splunk ES from an old windows server to a new Linux server. Everything is good to go except we want to co...

by Engager in

Does threat intelligence work only with data Accelerated Datamodels?

Hi All, I have enabled threat feed into my Splunk Enterprise Security app and the data was working fine until few ...

by Explorer in

How to deal with the duplicate events in Authentication datamodel?

Hi Guys, I have built the Authentication datamodel on the Splunk ES. However I am dealing with a dilemma of duplic...

by Explorer in

i want to display the time intearval today and last 30 days i want to display the difference between these to days how we can wright query

| mstats c(System.System_Up_Time) as Uptime prestats=t WHERE index="em_metrics" AND host="*" by host,metric_name span...

by New Member in

Can you match with subsearch using an evaluated field?

I am trying to compare 2 indexes (malicious domains against proxy logs) using an evaluated field. I have a subsearch ...

by New Member in

Error in replication of incident (notables) from sh1 to other sh's in a cluster.

Hi Folks, The incidents triggered in Splunk enterprise security are not getting replicated , i checked splunkd.log...

by Path Finder in

Extract description into Threat Activity Object

Splunk has all of those threat intel lists for file, process, registry, ip, url, etc... And each list has a descripti...

by Explorer in

How do I drilldown to a unique URL using a table row's unique token?

Situation: I have a panel. The panel creates a token for me from a field I extract from the search. In the same pa...

by Communicator in

How to monitor changes in kv store lookups

Hello everyone I have following problem: I have set disabled flag in ip_intel by following query: | inputlookup ip...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Searchmatch need to verify either of two field values/events

Creating search for malware infection

CEF parsing is not working

Issues Related With Log-In Credantials in Splunk

How to narrow time frame for metadata search to only see events within a certain window?

How to achieve a search to get a count of how many times each alert has fired over a period of time?

Splunk Enterprise Security 6.X - Notables not showing in Incident Management

How whitelist editor is working in threathinting app ?

How can I make my search against lookup table case insensitive?

Splunk Enterprise Security: Why am I unable to create notable events?

How to identify which host the user is trying to access by using windows DC log.

Can some one help in writing searches for below scenerio in Enterprise security

If there is no match in lookup table, return default value in results

Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Why does adding head (1==1) fix this strange lookup error?

Splunk subsearch to find an event from a source if it is present in another source is not working

How does one safely merge a KV store?

Does threat intelligence work only with data Accelerated Datamodels?

How to deal with the duplicate events in Authentication datamodel?

i want to display the time intearval today and last 30 days i want to display the difference between these to days how we can wright query

Can you match with subsearch using an evaluated field?

Error in replication of incident (notables) from sh1 to other sh's in a cluster.

Extract description into Threat Activity Object

How do I drilldown to a unique URL using a table row's unique token?

How to monitor changes in kv store lookups

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

KV Store communication fails with TLS errors after...

Findings Comments

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions