Splunk Enterprise Security

Start a Conversation

Discussions

Start a Conversation

Thread Info

How to write a Splunk alert to find malicious C2 traffic using Cisco IPS logs

Guys, Any idea of writing a splunk query to find the malicious command and control traffic using Cisco IPS logs. W...

by New Member in

With Splunk Enterprise Security, I'm getting varying IP geo-location results when comparing Splunk to third-party resources — how frequent are Splunk geo cache updates?

Hi, I'm getting varied results in Splunk when I investigate an IP address' location. Splunk might say "Netherlands...

by Engager in

no expected fields in sourcetype

Hello all! resently i downloaded Check Point App for Splunk. I configured in input.conf in order to force all Chechpo...

by New Member in

How to create Enterprise Security custom roles and have Notables dashboard different for each roles?

hi anyone created "custom" roles in Enterprise Security and re-used the notables dashboard (security events) ? We ha...

by Super Champion in

How do you pass the same token for two panels with one drop-down input?

I want to pass a token from one panel to another panel. I mean, if I give one input in the drop down, it has to updat...

by Explorer in

Symantec MSS integration with Splunk for orchestration and Incident Management

Dear ALL , I am searching a procedure to pull and update the incidents from Symantec MSS created by their SOC ...

by New Member in

Nessus Home and Splunk Add-On for Tenable

Does this TA Support Nessus Home installations? I've tried to use Tenable.io and authentication seems to work but ...

by Splunk Employee in

In Splunk Enterprise Security, how do you combine two searches into one query and group on a specific field?

I am trying to create a query where there are two different searches that each produce a point in time for each devic...

by Explorer in

Fortigate logs are not in CIM format

I installed Fortinet Fortigate Add-on for Splunk 1.6.0 and Fortinet Fortigate App for Splunk 1.4. Sourcetypes are ide...

by New Member in

Notable Event Urgency issues

I have setup a few correlated events which currently are showing up in the incident review console as urgency (unknow...

by Engager in

Multiple tstats with prestats append=t not working in ES app

Hi, I'm querying a datamodel X and I need to append results with same fields names from datamodel xx using. I'm tr...

by Explorer in

Splunk Enterprise Security Alexa Domain NOT lookup failing

Hello, I am trying to create alerts for all outbound DNS queries which do not match the top one million domains as...

by Explorer in

Threat Intelligence

by default, where from threat Intelligence feed downloaded in splunk ?

by New Member in

Splunk Enterprise Security - Host Sending Excessive Emails Alert / Email Data model

Hi Everyone I'm having trouble with one of the alerts in Enterprise Security which is causing a lot of noise and f...

by New Member in

Subsearch relative to base search time

Hello, I'm looking into a way to discover following scenario in my ingested logs: some user logged out and didn't ...

by Explorer in

Script exited abnormally with code 114

I'm getting a scripting error on our Enterprise Security server every hour: msg="A script exited abnormally" input...

by Explorer in

In Splunk Enterprise Security, how do you use a subsearch to correlate information?

Hello, I'm trying to correlate events from 2 different source types, and 2 searches for example: sourcetypeA ha...

by New Member in

In Splunk Enterprise Security, how does Javascript SDK work? I wanna use client side SDK

Hi, Thanks for coming to my question. I am having trouble using javascript SDK. I cannot understand what is...

by Engager in

Notable event missing from Incident Review dashboard?

I have a search in which is generating results when I have it set as an alert and is successfully creating and event ...

by Explorer in

Using a different email address to send email responses using adaptive response action

Hi All, I have a use case where I want to send replies using a separate email address than the default address of ...

by Communicator in

Splunk Enterprise Security

Discussions

How to write a Splunk alert to find malicious C2 traffic using Cisco IPS logs

With Splunk Enterprise Security, I'm getting varying IP geo-location results when comparing Splunk to third-party resources — how frequent are Splunk geo cache updates?

no expected fields in sourcetype

How to create Enterprise Security custom roles and have Notables dashboard different for each roles?

How do you pass the same token for two panels with one drop-down input?

Symantec MSS integration with Splunk for orchestration and Incident Management

Nessus Home and Splunk Add-On for Tenable

In Splunk Enterprise Security, how do you combine two searches into one query and group on a specific field?

Fortigate logs are not in CIM format

Notable Event Urgency issues

Multiple tstats with prestats append=t not working in ES app

Splunk Enterprise Security Alexa Domain NOT lookup failing

Threat Intelligence

Splunk Enterprise Security - Host Sending Excessive Emails Alert / Email Data model

Subsearch relative to base search time

Script exited abnormally with code 114

In Splunk Enterprise Security, how do you use a subsearch to correlate information?

In Splunk Enterprise Security, how does Javascript SDK work? I wanna use client side SDK

Notable event missing from Incident Review dashboard?

Using a different email address to send email responses using adaptive response action

Tuning ESCU Windows Registry correlation searches

Security Essentials / MITRE ATT&CK

Parsing the "_raw" field of Splunk Python SDK resu...

Missed macro ec2_excessive_terminateinstances_mltk...

MITRE-ATTACK latest threat list can not be downloa...