Splunk Enterprise Security

Discussions

Thread Info

Adaptive Response - Log Event

Hello all, I'm using a Correlation Search to create a Log Event as below: hxxps://docs.splunk.com/Documentation/Sp...

by New Member in

Field Extraction - Nothing is happening

To cut a long story short, i'm looking to extract a CVE number for my Vulnerabilities Data Model for ES. An example o...

by Engager in

How to create report of excessive failed login user with head 5?

Hi Team, I want to create a report of excessive failed login users who have more than 5 failed login attempts from...

by New Member in

How to change frequency of messages received in splunk

I am receiving lot of messages in Splunk. I want to change the frequency of the messages receiving in splunk. Kindly ...

by Contributor in

Splunk Add-on for Microsoft Office 365

Hi, I receive all the data from different tenants, but my data is not tagged to be able to use it in my Enterprise...

by New Member in

CIM installation - different UI

Hi All, I've installed CIM (same installation file) on 2 search heads. both of them with the same configuration, s...

by Path Finder in

Upgrade Splunk ES from 5.7.1 to 6.1.0 for Splunk 8.0.1: Does 6.1.0 support Python?

Hello, We are running Splunk 8.0.1 with Splunk ES 5.7.1 (python3 enabled). Everything works fine. Then we just...

by Path Finder in

Security: Is a fake alert app useless?

Hi everyone, preparing for my master´s thesis my supervisor at the uni suggested to create an app that produces f...

by Explorer in

How To rename the field value name from the output.

Hi I want to rename output field value name Week1 1. Systems ops 12.1 to ops 2 .Systems dev 12.1 to dev Below...

by Path Finder in

Golden Ticket

Has anyone had success with setting up alerting for the Golden Ticket attack? I don't see a lot of info about it onli...

by New Member in

Is it possible to import AlienVault OTX data to Splunk in easy way?

Hello, I’d like to enrich a Splunk ES Threat Intel database and I'm trying to find an easy way to import AlienVaul...

by Communicator in

Does an IOC get removed from ip_intel if you remove it from the local lookup

Hi all, So I followed the guide here https://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists in or...

by New Member in

Is it possible to list what source my correlation search is based on?

Hello, We'd like to help our analysts to tell which correlation search is impacted in case of log source issue. Bu...

by Communicator in

zScaler "url" field lacks protocol and doesn't match threat lists in ES

We use the zScaler proxy product and have it configured with NSS to collect logs in Splunk Enterprise. We also downlo...

by Path Finder in

Subtracting Two Dates to get a Difference in Days

Hello, I'd like to obtain a difference between two dates. One of these dates falls within a field in my logs call...

by Communicator in

Where can I find a list of the standard use cases Splunk comes with?

I'm looking for a list of "out of the box" use cases that Splunk comes with - to do a gap analysis between that, and ...

by Explorer in

How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade ?

After upgrading ES search head, what is the recommended way to upgrade add-ons on Indexers and forwarders ? Based ...

by Motivator in

First Time Seen Running Windows Service Alert On Splunk Enterprise Security

Hi Splunkers, We have realized our "First Time Seen Running Windows Service " Correlation search seen below has be...

by Path Finder in

Splunk Enterprise Security: Lookups and other props/transforms

Hello, I've run into an issue lately where I want both my search heads and Enterprise Security to show the same f...

by Explorer in

Windows AD Logs - Need actor /recipient details for "admonEventType=Update" ?

How to get the list of username and domain of both the actor (who makes the changes) and the recipient (which object ...

by Path Finder in

Create theHive Alert Splunk app is not working

Hi, I'm trying to use the app - Create theHive Alert for Splunk. I can see the alerts being generated(within Splunk) ...

by New Member in

Exclude list of dest IP from search using input lookup but correlation is alerting excluded dest IP

Hi floks, i have exclude dest IP from search which is working fine but in correlation it is still triggering alert...

by New Member in

LIKE and like()

Just want to clear this up so I am not mistaken. Are the two statements equivalent: | where like (foo, "bar") ...

by Explorer in

Duration between login and logout in an application

I need to take out the duration between login and logout of a user from an application. there are two senario for the...

by Path Finder in

'Sourcetype= stash' value in 'Enterprise Security' incidents.

in enterprise security in incidents additional fields for all incidents i am seeing Sourcetype= stash its not showing...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Adaptive Response - Log Event

Field Extraction - Nothing is happening

How to create report of excessive failed login user with head 5?

How to change frequency of messages received in splunk

Splunk Add-on for Microsoft Office 365

CIM installation - different UI

Upgrade Splunk ES from 5.7.1 to 6.1.0 for Splunk 8.0.1: Does 6.1.0 support Python?

Security: Is a fake alert app useless?

How To rename the field value name from the output.

Golden Ticket

Is it possible to import AlienVault OTX data to Splunk in easy way?

Does an IOC get removed from ip_intel if you remove it from the local lookup

Is it possible to list what source my correlation search is based on?

zScaler "url" field lacks protocol and doesn't match threat lists in ES

Subtracting Two Dates to get a Difference in Days

Where can I find a list of the standard use cases Splunk comes with?

How to upgrade add-ons on Indexers and Forwarders after Splunk ES upgrade ?

First Time Seen Running Windows Service Alert On Splunk Enterprise Security

Splunk Enterprise Security: Lookups and other props/transforms

Windows AD Logs - Need actor /recipient details for "admonEventType=Update" ?

Create theHive Alert Splunk app is not working

Exclude list of dest IP from search using input lookup but correlation is alerting excluded dest IP

LIKE and like()

Duration between login and logout in an application

'Sourcetype= stash' value in 'Enterprise Security' incidents.

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...