Splunk Enterprise Security

Community Activity
Hi Everyone, I have an issue where I am seeing duplicate notable events for a single event. So here's the ...
by dsofoulis Path Finder in Splunk Enterprise Security 09-24-2019
1 7
Can you help map creating field extractions? Please use the ES CIM model where possible for field names: There are ...
by vikram1583 Explorer in Splunk Enterprise Security 09-23-2019
0 5
Token 1: <label>OS</label> <choice value="Windows">Windows</choice> <choice value="RedHat">RedHat</choice> T...
by arikanter Observer in Splunk Enterprise Security 09-23-2019
0 1
Hi All, Below is the correlation search. I want the results for the bruteforcesearch query only when we have successful ...
by abhi04 Communicator in Splunk Enterprise Security 09-23-2019
0 1
Good morning, I have been receiving a notable event in ES that states there are default accounts at rest on a certain...
by mgiddens Path Finder in Splunk Enterprise Security 09-23-2019
0 3
How to get the last login time for the user for the correlation search "Access - Inactive Account Usage"? Below is t...
by abhi04 Communicator in Splunk Enterprise Security 09-19-2019
0 4
Hello, I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our ...
by mbrownoutside Path Finder in Splunk Enterprise Security 09-19-2019
0 0
Hi Team, We have a separate ES Splunk Cloud for our organisation, in which we have provided access via SAML aut...
by anandhalagarasa Path Finder in Splunk Enterprise Security 09-19-2019
0 2
I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating n...
by mbrownoutside Path Finder in Splunk Enterprise Security 09-19-2019
0 3
I wonder who within Incident Review can assign incidents to the group members? Can anybody assign them?
by danielbb Motivator in Splunk Enterprise Security 09-19-2019
0 1
Hello, I am trying to extract fields using the Splunk field extractor and I reached a point where I got the following er...
by emkaxon New Member in Splunk Enterprise Security 09-19-2019
0 3
Dear helpful bloggers, good morning. I have a question on rule actions: While setting Adaptive Response Actions for Correlati...
by pavanbmishra Path Finder in Splunk Enterprise Security 09-19-2019
0 2
Hi, I am new to Splunk. I have an input lookup file with some high-risk internal email addresses in it. I want to ...
by hbfblueteam New Member in Splunk Enterprise Security 09-18-2019
0 1
I am trying to manually create 500 new notable events that all have the same timestamp. I have not been able to find ...
by gkeller Explorer in Splunk Enterprise Security 09-17-2019
0 3
Hi All, We're getting a number of notable events coming through, originating from zscaler, that have a signature of "None". ...
by ravikiranradhak New Member in Splunk Enterprise Security 09-17-2019
0 3
Hi, in my company they recently migrated to Splunk (Enterprise Security) from QRadar, so the installation part is done; rule ...
by vikram1583 Explorer in Splunk Enterprise Security 09-17-2019
0 1
Hi all, I had a developer license to work with Splunk. I was unable to implement the Splunk SIEM. Why? How to ...
by zippyopsadmin New Member in Splunk Enterprise Security 09-16-2019
0 2
How to filter only one email address domain if you have multiple email address entries? Example: I have more than 10...
by rodrigvi New Member in Splunk Enterprise Security 09-16-2019
0 1
I'm trying to install Enterprise Security 4 on Splunk 6.3 and it is hanging on the installing apps phase. I've restar...
by jsmith_splunk Splunk Employee in Splunk Enterprise Security 09-16-2019
1 6
We are using Enterprise Security. We have 20 domain controllers; we need to combine them and use them in a search.
by vikram1583 Explorer in Splunk Enterprise Security 09-15-2019
0 1
Hi, I am trying to get some information from VirusTotal in Splunk Enterprise through a VirusTotal API key. I don'...
by prajapatividhy1 New Member in Splunk Enterprise Security 09-15-2019
0 4
Under the Security Posture there is a "Notable Events By Urgency" chart but it only shows medium, low and information...
by rhoush Observer in Splunk Enterprise Security 09-15-2019
0 4
Currently using the search: 1:: index=sec_vpn sourcetype="cisco:acs" action=success date_wday!=sunday OR date_wday!...
by vigneshit New Member in Splunk Enterprise Security 09-14-2019
0 6
With all the help from @solarboyz1, the correlation searches now produce notable events, which show up in the Inciden...
by danielbb Motivator in Splunk Enterprise Security 09-13-2019
0 3
I try to assign an event to myself, but I get the following message: "Unable to change 1 events: The search is n...
by danielbb Motivator in Splunk Enterprise Security 09-13-2019
0 2