Splunk Enterprise Security

Discussions

Thread Info

Enterprise Security: is it a good practice to "force" certain fields to exist at the macro level?

The cim_Authentication_indexes is defined, in our case, as (index=wineventlog OR index=<linux> OR index=<rsa> OR ...)...

by Motivator in

How do I run a splunk query to find traffic activities on a specific host name

Hello, I am trying to figure out how to run a query in my splunk environment to find all the traffic activities of a ...

by New Member in

Enterprise Security : Is there a demo/video of the Incident Review section?

The team here is not satisfied with the capabilities, workflow of the Incident Review section of ES. Is there a nice ...

by Motivator in

splunk Enterprise security

I created few correlation searches notable events in Enterprise security and in Incident Review - Table Attributes I ...

by Explorer in

retrieve the messages from the banner at the top of the UI and create a Dasboard

Hi All, Request you to post the query for retrieving messages displayed on the top of the UI so that a Dashboard/r...

by Explorer in

Enterprise Security: How do we enable automatic updates by the ESCU?

We are wondering how to enable the automatic updates by the ESCU. We have it working fine but it doesn't seem to fetc...

by Motivator in

Enterprise Security: why is the src_user a recommended field for the Authentication datamodel?

src_user shows only 5 or so of percent_coverage in the cim_validator for our Windows data. Fields for Authenticati...

by Motivator in

Splunk nobody user vs Service User

Hi All, We have an environment where the owner of all the Dashboards/Alerts is user 'nobody'. Are there any disadv...

by Explorer in

Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1.

After upgrade to Splunk Enterprise Security v 5.3.1, fail on startup with the following error: [root@splunk02 bin]...

by Engager in

Kaspersky security center mapping to Enterprise Security

I've recently indexed kaspersky security center 10 data in splunk, but malware center in enterprise security showed n...

by Loves-to-Learn Lots in

SPL for Correlation search in enterprise security?

index=email | transaction mid icid | stats count(recipient) as receipent_count by sender | where receipent_count>1...

by Explorer in

Rename existing correlation search Title

Hi Fellows, I need to change the title of existing correlation search which I am not able to do as the options are...

by Explorer in

Problem with threat notables on Splunk ES

Hello , We have a Splunk ES 5.1.0 application installed on Splunk Entreprise version 7.2.0. We need to collect...

by Path Finder in

MLTK: Does it support multi-output classification?

Does the MLTK support multi-output classification, i.e., more than 1 predicted field? Thank you.

by Engager in

How to compare 2 lists from 2 different searches ?

I have 2 different searches to create 2 hosts list, and I want below from splunk search: 1. Find all hosts from 1st s...

by Path Finder in

How to deploy SPL Splunk image on Linux

Dear all, I have downloaded SPL tared image at https://splunkbase.splunk.com/app/4516/ and I want to deploy it Lin...

by New Member in

SSL Medium Strength Cipher Suites Supported (SWEET32) and SSL RC4 Cipher Suites Supported (Bar Mitzvah) {CVE-2016-2183 , CVE-2013-2566,CVE-2015-2808}

We have received notice that our splunk heavy forwarder is vulnerable to CVE-2016-2183 , CVE-2013-2566,CVE-2015-2808....

by New Member in

Adding an Azure sign in field to Splunk ES authentication data model

We recently started to ingest Microsoft's Azure sign-in events and one thing I've noticed are some values from the cl...

by Influencer in

Getting started with BOTS 2.0 - need help

Hello Everyone I am curious to learn with BOTS 2.0 but need some help. I have downloaded BOTS 2.0 but unable to...

by New Member in

How to alert when a rogue/unknown device is plugged into network

Hi, I need to be alerted when a rogue/unknown device is plugged into network. Any help will be appreciated.

by Path Finder in

Defining Authorized Name Servers in ES

The ES correlation search 'DNS Query Requests Resolved by Unauthorized DNS Servers' determines if the traffic is to f...

by Explorer in

What parts of the Enterprise Security dashboard are displayed the output related to this Add-on ?

Hi Dear Friends, I installed "Splunk Add-on for Unix and Linux" and now i have a question What parts of the Enterpris...

by New Member in

Salesforce marketing cloud integration with Splunk

Hello experts, I am trying to integration salesforce cloud modules into splunk for security monitoring. Does anyne ha...

by Explorer in

How to get the difference in count of users and then trigger an alert

Hi Everyone, I have a splunk search: Search: sourcetype = onelogin:event index = onelogin earliest=-12d AND event_...

by New Member in

Splunk Enterprise security search head is not pulling logs from firewall, waf,proxy logs, MFA, sandbox, ...network resources but my other search head for apps is getting all data

Splunk Enterprise security search head is not pulling logs from firewall, waf,proxy logs, MFA, sandbox, ...network re...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Enterprise Security: is it a good practice to "force" certain fields to exist at the macro level?

How do I run a splunk query to find traffic activities on a specific host name

Enterprise Security : Is there a demo/video of the Incident Review section?

splunk Enterprise security

retrieve the messages from the banner at the top of the UI and create a Dasboard

Enterprise Security: How do we enable automatic updates by the ESCU?

Enterprise Security: why is the src_user a recommended field for the Authentication datamodel?

Splunk nobody user vs Service User

Fail on start splunk after the upgrade of Splunk Enterprise Security from v4.7.0 to 5.3.1.

Kaspersky security center mapping to Enterprise Security

SPL for Correlation search in enterprise security?

Rename existing correlation search Title

Problem with threat notables on Splunk ES

MLTK: Does it support multi-output classification?

How to compare 2 lists from 2 different searches ?

How to deploy SPL Splunk image on Linux

SSL Medium Strength Cipher Suites Supported (SWEET32) and SSL RC4 Cipher Suites Supported (Bar Mitzvah) {CVE-2016-2183 , CVE-2013-2566,CVE-2015-2808}

Adding an Azure sign in field to Splunk ES authentication data model

Getting started with BOTS 2.0 - need help

How to alert when a rogue/unknown device is plugged into network

Defining Authorized Name Servers in ES

What parts of the Enterprise Security dashboard are displayed the output related to this Add-on ?

Salesforce marketing cloud integration with Splunk

How to get the difference in count of users and then trigger an alert

Splunk Enterprise security search head is not pulling logs from firewall, waf,proxy logs, MFA, sandbox, ...network resources but my other search head for apps is getting all data

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...

Multi-Select in HTML for Alert Action does not ret...