Splunk Enterprise Security

Thread Info

Enterprise Security: Is Blue Coat a CIM Network Traffic compliant?

Based on Sourcetypes for the Splunk Add-on for Symantec Blue Coat ProxySG bluecoat:proxysg:access:file is CIM comp...

by Motivator in

Strange issue with missing menu in Enterprise Security

I'm hoping someone can assist me with this strange issue. For some reason my menu bar for enterprise security is gone...

by Path Finder in

Modify whois to use cisco umbrella instead of domain tools

Hello All, I wanted to know if anyone has tried to modify whois to use cisco umbrella instead of domain tools?

by Engager in

SQL Injection Rule - Multivalue count with multiple statistical conditions

Hi, I'm trying to add an additional condition to this rule. Currently it splits up the raw value from our web l...

by Explorer in

How to Validate Datamodel

Hi Friends, I am using SPLUNK ES 5.3.1 version.I am trying to validate the existing datamodels(Total 32 including ...

by Explorer in

Enterprise Security: why is sourcetype="bluecoat:proxysg:admin:file" tagged as error

The bluecloat sourcetype "bluecoat:proxysg:admin:file" is tagged as error. It's also not listed at Sourcetypes for th...

by Motivator in

Fortigate Firewall logs are not populating in Intrusion Centre dashboard in Splunk Enterprise Security

Hi All, Environment: Splunk Cloud We have installed "Fortinet Fortigate Add-On for Splunk" on our Onprem Heavy ...

by Path Finder in

Splunk Enterprise Security: How to do conditional regex?

I'm trying to unify records from two different indexes, as part of this I'm trying to create a common field by extrac...

by New Member in

How to add a site into action fields in SPlunk Enterprise Security?

How to add a site into action fields in Splunk Enterprise Security? We have nslookup, google search,etc added as part...

by Communicator in

"UniversalForwarder Setup Wizard ended premarturely because of an error" on Windows server 2019 Standard

Hello guys, We are trying to collect logs from our Active directory into Splunk enterprise, however we were gettin...

by New Member in

Appendpipe or Multisearch for continuing processing after Outputlookup?

I am attempting to create a custom Risk Attribution rule based on Web Proxy traffic to newly-seen (not-seen-before-ye...

by Path Finder in

Correlating multiple logs to get combined data for Active Directory Events

All, Need help with combining logs from Load Balancer/SNAT and AD Domain Controller to get the combined results in a ...

by New Member in

match field value with multi-field value

I have result in one field from the lookup and also result in second field(multivalue results) from lookup. Access...

by Path Finder in

Splunk Enterprise Security: Drilldown stats list

Hi, I am building a vulnerability dashboard and got the following table: To make it easier to read I li...

by New Member in

Firemon Server Control Panel integration with Splunk

Hi, Is it possible to integrate Firemon Server Control Panel with Splunk? Syslog can be enabled on Firemon SCP.

by New Member in

Compare search using join and subsearch in 2 different indexes

Hi, I've got 2 index logs to do a comparison with for emails. So in my mind is to use subsearch and join - but doe...

by New Member in

Enterprise Security: where is the CIM compatibility breakdown per sourcetype for Splunk_TA_symantec-ep?

Looking at Splunk_TA_symantec-ep and I wonder where the documentation for the sourcetypes, which are CIM compliant, i...

by Motivator in

How to identity logoffs when there isn't always a logoff event

I've been working on a problem that has me stumped. I have a 4624 and 4633 event that I want to correspond with e...

by Explorer in

Splunk Enterprise Security: Cisco ASA logs extracting in ES search- in search and reporting, but not in ES search?

Hi, I have the Cisco ASA TA installed and things look great on my Enterprise Security search head when I search for t...

by Path Finder in

Subsearch results not matching special characters

Hi, I'm trying to match email events which may consists of alphabets, numbers and special characters and do a coun...

by New Member in

Lookup: 'PrivilegedRiskScores' is missing

With Security Essentials, I get an error: [Indexer] Streamed search execute failed because: Error in 'lookup' comm...

by Communicator in

Splenk ES Threat Intel - Any help or Benefit ?

HI all, Anyone out there had any benefit from the free Threat intel List in Splunk ES? Its causing alot of noise,...

by New Member in

Splunk ES 6.0 installation fails

Hi folks, I'm trying to install newly released Splunk ES 6.0, but it keeps on failing during the "post installation c...

by Explorer in

Splunk Enterprise 7.1, ES 5.1 and phased_execution_mode

I have been looking into upgrading our Splunk Enterprise deployment to version 7.1.1, which would also require upgrad...

by Path Finder in

How to add new field to a search from results of another search

PLEASE BE PATIENT I AM NEW TO THIS All, I am trying to use the results of a search (search 1) and create a new fie...

by Explorer in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Enterprise Security

Discussions

Enterprise Security: Is Blue Coat a CIM Network Traffic compliant?

Strange issue with missing menu in Enterprise Security

Modify whois to use cisco umbrella instead of domain tools

SQL Injection Rule - Multivalue count with multiple statistical conditions

How to Validate Datamodel

Enterprise Security: why is sourcetype="bluecoat:proxysg:admin:file" tagged as error

Fortigate Firewall logs are not populating in Intrusion Centre dashboard in Splunk Enterprise Security

Splunk Enterprise Security: How to do conditional regex?

How to add a site into action fields in SPlunk Enterprise Security?

"UniversalForwarder Setup Wizard ended premarturely because of an error" on Windows server 2019 Standard

Appendpipe or Multisearch for continuing processing after Outputlookup?

Correlating multiple logs to get combined data for Active Directory Events

match field value with multi-field value

Splunk Enterprise Security: Drilldown stats list

Firemon Server Control Panel integration with Splunk

Compare search using join and subsearch in 2 different indexes

Enterprise Security: where is the CIM compatibility breakdown per sourcetype for Splunk_TA_symantec-ep?

How to identity logoffs when there isn't always a logoff event

Splunk Enterprise Security: Cisco ASA logs extracting in ES search- in search and reporting, but not in ES search?

Subsearch results not matching special characters

Lookup: 'PrivilegedRiskScores' is missing

Splenk ES Threat Intel - Any help or Benefit ?

Splunk ES 6.0 installation fails

Splunk Enterprise 7.1, ES 5.1 and phased_execution_mode

How to add new field to a search from results of another search

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...