Splunk Enterprise Security

Discussions

Thread Info

Compare if field1 == field2 and if field2 = field3 and so on. Building a process tree.

I'm trying follow a process to see all of the child processes it created. Essentially i have events that has the ...

by New Member in

Events now Missing from Regular/Notable Index

We have an alert that we had setup to create a notable event and email a notification when a particular Windows Event...

by Loves-to-Learn Lots in

Why is the ES Incident Review page still lists deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

The ES Incident Review page still lists deleted Correlation Searches Names in the Multiselect box "Correlation Search...

by Splunk Employee in

Enterprise Security connect to firewall and block IP addresses?

Hi guys, There is a way that i can automate block IP addresses in my firewall with a script? Where can i put my...

by Explorer in

Is there a way to run a search with an adaptive response?

I am currently in the process of creating an adaptive response that I want to be able to add some user input into a l...

by Explorer in

Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

I'm trying to make a usecase where it will alert when there are several attempts of failed logins and one of them suc...

by Communicator in

Symantec add on - CIM Compliance error

Hello, I am collecting SEP data from the next sources : symantec:ep:behavior:filesymantec:ep:agent:filesymantec:e...

by Communicator in

Palo Alto Add-on CIM Network_Traffic, can we map only end events?

Palo Alto traffic logs include start and end events. Sometimes multiple start events. Since all traffic logs get the ...

by Builder in

How to export resilient ticket id for notable events in incident review ?

We have integrated resilient tool with Splunk. For reporting purpose need to get ticket id for each of the notable ev...

by New Member in

In Splunk Enterprise Security, how do you calculate the time difference from different events with the same value for other field?

Hello, I'm trying to figure out a search that will parse through all events from a specific sourcetype. For eac...

by New Member in

Auditing Datamodels

Hello, Is there a way to validate the fields used in the datamodel by how compliant they are with the current setu...

by Path Finder in

Splunk Add-on - multi select values in an alert action

Hi, I'm working on an add-on for Splunk. I added an alert action, and I'm adding some fields to it. How can I add ...

by New Member in

Alert triggering on an entry not in inputlookup file

Hello, i have made an alert as follow : [|inputlookup admin_groups.csv | table "query" as Group_Name ] | search E...

by Explorer in

How to whitelist events using inputlookup?

I am trying to whitelist events from a specific server using IP and hostname. I am running into 2 issues. I have d...

by Path Finder in

Does a license key(or file) is required to “activate” the Splunk ES App?

Hi All, Does a license key(or file) is being required to “activate” the Splunk Enterprise Security App? Looking...

by New Member in

whether a license key is required for the ES app or not?

Hello Folks, I have a concern with one of my customer using Splunk Enterprise Security App,they mentioned the don’...

by New Member in

In Splunk Enterprise Security, how do you change a query result when a drop down option is selected within a panel?

Hi, I have four options in a drop down--- Highest,Lowest ,Top 5 and Least 5. Each option has a query: For ex...

by Explorer in

Unable to distribute to peer from search head

Hi, We are facing this issue frequently in splunk search head. Please help me. Unable to distribute to peer na...

by Path Finder in

Monitor correlation/notable/incident review Splunk ES

How can I monitor if all correlations open incidents into "Incident Reviews" in Splunk ES correctly?

by Explorer in

Do we have option in Splunk enterprise security to check the command output

We created Dashboard in Splunk enterprise security where we can see the commands status and risk score for those comm...

by Path Finder in

Splunk Enterprise Security

Discussions

Compare if field1 == field2 and if field2 = field3 and so on. Building a process tree.

Events now Missing from Regular/Notable Index

Why is the ES Incident Review page still lists deleted Correlation Searches in the Multiselect box "Correlation Search Name"?

Enterprise Security connect to firewall and block IP addresses?

Is there a way to run a search with an adaptive response?

Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

Symantec add on - CIM Compliance error

Palo Alto Add-on CIM Network_Traffic, can we map only end events?

How to export resilient ticket id for notable events in incident review ?

In Splunk Enterprise Security, how do you calculate the time difference from different events with the same value for other field?

Auditing Datamodels

Splunk Add-on - multi select values in an alert action

Alert triggering on an entry not in inputlookup file

How to whitelist events using inputlookup?

Does a license key(or file) is required to “activate” the Splunk ES App?

whether a license key is required for the ES app or not?

In Splunk Enterprise Security, how do you change a query result when a drop down option is selected within a panel?

Unable to distribute to peer from search head

Monitor correlation/notable/incident review Splunk ES

Do we have option in Splunk enterprise security to check the command output

Splunk correlation search with throttling generati...

Tuning ESCU Windows Registry correlation searches

Security Essentials / MITRE ATT&CK

Parsing the "_raw" field of Splunk Python SDK resu...

Missed macro ec2_excessive_terminateinstances_mltk...