Splunk Enterprise Security

Discussions

Thread Info

Splunk Enterprise Security new log ERRORs after upgrading enterprise to 7.3.3 and ESS from 5.0.1 to 5.3.1

I need to determine the significance of these errors before giving the green light to upgrade production. These are a...

by Path Finder in

Tenable not importing vuln or asset information

We have installed Tenable Add-on For Splunk, and configured it to connect to cloud.tenable.com with an API key. Ou...

by Explorer in

how do i calculate the average of logs received from a sourcetype over last 30 days and compare FOR EACH SOURCETYPE if percentage of dip is more than 70% in last 24 hours when compared to average logs for that particular sourcetype

| metadata type=sourcetypes index=* group by index | search sourcetype=* | where lastTime < (now() - 86400) | eval D...

by Explorer in

setup.xml exists for apps, but no "Setup app" option

We've tried installing several apps on a distributed search head cluster via a deployer: Demisto: https://splunkba...

by Path Finder in

Splunk ES 6.0 failed set up - Postinstall failure

I tried to install ES 6.0 in my server and it fails during postinstall. Have anyone experienced the same issue? ...

by Explorer in

How can I get Azure Self Service Password Reset into Splunk (on prem)?

Primary focus is obtaining SSPR logs ASAP and then learning what else can be ingested.

by Path Finder in

I need to match the user col to the Expired user col from two different datasets

I need an SPL that will take input from Authentication dataset in the Authentication datamodel, at the same time taki...

by Path Finder in

Severity for Correlation search

Hello Expert, I have requirement to detect malware related events which should create notable event. In this if acti...

by Explorer in

Empty 'sourcetype' field in Authentication data model if tstats query used

Hello, In order to detect excessive failed logins we use the correlation search below: | tstats summariesonly=t...

by Communicator in

Query to detect activity from inactive account

Hi Folks, I want to create a correlation for inactive account activity including last login with timestamp and app...

by New Member in

Recommended CPU for client workstation accessing Splunk Enterprise Security

Is there a recommended number of CPU cores for client workstation accessing Splunk ES? The company is running virtual...

by Explorer in

Tweek Enterprise Security when having few log inputs

Hello everyone, i am using Splunk Enterprise Security but at the moment because I don't have enough logs (only fro...

by Communicator in

How to Write query for TCP port activity in splunk ES

Hi, We are trying to analyze traffic on TCP ports both inbound and outbound in Splunk ES excluding the ports 80,44...

by Path Finder in

Phantom: How to run Splunk search and add data to artifact rather than widget

I am able to send data to Phantom and create containers with valid Artifacts but I want to enrich the artifact itself...

by Path Finder in

how do i calculate the average of logs received from a sourcetype over last 30 days and then compare if percentage dip is is more than 70% in last 24 hours

how do i calculate the average of logs received from a sourcetype over last 30 days and then compare if percentage di...

by Explorer in

How to leverage multiple lookup tables in a search

I have two lookup tables: notablesIp.csv and criticalAsset.csv notableIP.csv ip attack 1.1.1.1 Ransomware 1.1.1...

by Path Finder in

Splunk Ignores my cron and sets his own daily

Hello I am having an issue when scheduling some reports which i set cron as : 0 6 3 * * which is “At 06:00 on day-...

by Explorer in

ms:o365:reporting:messagetrace props.conf settings for timestamp recognition

Hi Splunkers Does anyone know the correct settings for the props.conf file of the TA-MS_O365_Reporting add-on that...

by New Member in

How to extract the following fields?

Hi, I am having the following event and I am trying to extract the URI and FileSHA256 field, but not using the se...

by New Member in

How to setup custom admin password for Splunk on Kubernetes

I am currently trying to deploy a splunk cluster on kubernetes. While I can successfully deploy the standard yaml fr...

by New Member in

Radiobutton issue: have to reselect it every time to be able to resubmit the search

Hello, We'd like to provide a basic dashboard to our analysts to help them to search the information in an asset l...

by Communicator in

New file with extension (dot).lock

Hi Folks, Does anyone have idea of files with extension (dot).lock Thanks

by New Member in

calculate the difference between current time and Last event time and then display the difference in days

I have the below query to calculate events not reporting for last 24 hours. I want to calculate the difference betwee...

by Explorer in

Issue with field value update in lookup cache file

The Lookup cache has been generated with 90 days baseline before Search 2 in which "dest" field is not "null" for any...

by New Member in

Do Splunk Partners offer employment on a vocational basis?

Many companies looking for candidates with expertise and experience using Splunk products. I have earned my Splunk Ce...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Enterprise Security new log ERRORs after upgrading enterprise to 7.3.3 and ESS from 5.0.1 to 5.3.1

Tenable not importing vuln or asset information

how do i calculate the average of logs received from a sourcetype over last 30 days and compare FOR EACH SOURCETYPE if percentage of dip is more than 70% in last 24 hours when compared to average logs for that particular sourcetype

setup.xml exists for apps, but no "Setup app" option

Splunk ES 6.0 failed set up - Postinstall failure

How can I get Azure Self Service Password Reset into Splunk (on prem)?

I need to match the user col to the Expired user col from two different datasets

Severity for Correlation search

Empty 'sourcetype' field in Authentication data model if tstats query used

Query to detect activity from inactive account

Recommended CPU for client workstation accessing Splunk Enterprise Security

Tweek Enterprise Security when having few log inputs

How to Write query for TCP port activity in splunk ES

Phantom: How to run Splunk search and add data to artifact rather than widget

how do i calculate the average of logs received from a sourcetype over last 30 days and then compare if percentage dip is is more than 70% in last 24 hours

How to leverage multiple lookup tables in a search

Splunk Ignores my cron and sets his own daily

ms:o365:reporting:messagetrace props.conf settings for timestamp recognition

How to extract the following fields?

How to setup custom admin password for Splunk on Kubernetes

Radiobutton issue: have to reselect it every time to be able to resubmit the search

New file with extension (dot).lock

calculate the difference between current time and Last event time and then display the difference in days

Issue with field value update in lookup cache file

Do Splunk Partners offer employment on a vocational basis?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...

Multi-Select in HTML for Alert Action does not ret...