Splunk Enterprise Security

Discussions

Thread Info

$info_min_time$ is insufficient when using drill down from incident review

If I adjust -1h to my earliest time, I locate the event targeted by the drill down. Is there a best minimal invasive ...

by Explorer in

ODBC connection problem with Splunk ES

I'm trying to pull some data from Splunk Enterprise Security (ES). I have been using the Splunk ODBC to pull data fro...

by Explorer in

splunkd.service doesn't work in splunk7.3.1 based on systemd.

Hi, every one! I have a problem with generate Splunkd.service with systemd in ubuntu 18.04 LTS. This service does wor...

by New Member in

Index in Dashboards

is there a way to check for a specific index on which dashboards this index is used?

by New Member in

PhishTank Threat Intelligence Not Writing to Collection

I am trying to enable the out of box PhishTank Threat Intelligence in ES. The file downloads correctly but it doesn't...

by Explorer in

Splunk Enterprise Security: Pulling data from message field

Hello, I have been trying unsuccessfully parse/filter the data from the message field: Message= Spyware/Graywar...

by Communicator in

Splunk Enterprise Security: How does ES determine license consumption?

We wonder how ES determines the license consumption. After all, sometimes only few events from a certain index are c...

by Motivator in

Splunk buildin intelligence feed

Dear Splunkers, Does Splunk enterprise security come with any threat intelligence feed that is solely provided by ...

by Explorer in

prowler integration into splunk

Hi All Has anyone integrated json files into splunk.

by New Member in

Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen

Hello, We have issues to merge our dhcp_asset_list (made of dns record, mac and ip address) into the Asset & Ident...

by Path Finder in

Splunk Enterprise security: What is tag=ids for cim_Intrusion_Detection_indexes?

In ES, the constraint for Intrusion Detection is (cim_Intrusion_Detection_indexes) tag=ids tag=attack. What is th...

by Motivator in

Why after operating normally for a 7 days are all my notable events showing "0" for the last 24 hours

Splunk PS setup our instance and the last day here the Notable Events began falling. No changes that I am aware of bu...

by New Member in

ES - Correlation Search - Lookup file is not populated

3 Correlation Searches stating that previously_seen_users_console_logins.csv isn't populated: Detect new user AWS ...

by Path Finder in

Taking all pairs of elements in a multivalue field to use it in a macro

Hello. I would like to be able to loop along all the elements of a multivalued field to compare all against each ...

by Explorer in

Ingesting DNS Server logs

I would like to forward DNS events from my DNS server with a UF that is monitoring the dns.log debug output. i am alr...

by Engager in

Multitenancy in Enterprise Security

Hi. Does anyone know if Multitenancy can be accomplished with a Single Instance of Enterprise Security? I have...

by Communicator in

Phantom: Playbook that Prompts for User Input

Wondering if Phantom has the ability to prompt for user input in a playbook. Like a simple text box popup to allow f...

by Path Finder in

how do i get complete list of ip address ? is there any query ?

i need to create a dashboard with complete information of IP address

by New Member in

drilldown issue

i have dashboard like this A B C 222 112 90 table by location Location A B C in 12 10 2 us 9 5 4 uk 5 2 1 when ...

by Motivator in

How to create a cron-scheduled alert that triggers a mail with the notable event, urgency and triggered time?

I was trying to create a cron-scheduled alert in Splunk, that would trigger a mail with the notable event, urgency an...

by New Member in

Splunk Enterprise Security

Discussions

$info_min_time$ is insufficient when using drill down from incident review

ODBC connection problem with Splunk ES

splunkd.service doesn't work in splunk7.3.1 based on systemd.

Index in Dashboards

PhishTank Threat Intelligence Not Writing to Collection

Splunk Enterprise Security: Pulling data from message field

Splunk Enterprise Security: How does ES determine license consumption?

Splunk buildin intelligence feed

prowler integration into splunk

Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen

Splunk Enterprise security: What is tag=ids for cim_Intrusion_Detection_indexes?

Why after operating normally for a 7 days are all my notable events showing "0" for the last 24 hours

ES - Correlation Search - Lookup file is not populated

Taking all pairs of elements in a multivalue field to use it in a macro

Ingesting DNS Server logs

Multitenancy in Enterprise Security

Phantom: Playbook that Prompts for User Input

how do i get complete list of ip address ? is there any query ?

drilldown issue

How to create a cron-scheduled alert that triggers a mail with the notable event, urgency and triggered time?

Security Essentials / MITRE ATT&CK

Parsing the "_raw" field of Splunk Python SDK resu...

Missed macro ec2_excessive_terminateinstances_mltk...

MITRE-ATTACK latest threat list can not be downloa...

Failing to add Threat Intelligence Feed to Splunk ...