Splunk Enterprise Security

Discussions

Thread Info

need spl into datamodel search

Hi,Need below search into a web datmodel search index=es_web action=blocked host= * sourcetype= *| stats count by cat...

by Builder in

Need changes to the datamodel search

Hi, I aimed to merge the "dropped" and "blocked" values under the "IDS_Attacks.action" field in the output of the d...

by Builder in

Reduce the noise out of Security EventCodes..

Hi,I'm trying to reduce the noise out of these EventCodes which we can exclude in the enterprise security point of vi...

by Builder in

How to create query for showing when was a Notable alert assigned and calculate SLA based off that?

Hi, I need to report on when a Notable alert was changed from the default "unassigned" status to " Acknowledged" stat...

by Builder in

Splunk Enterprise Security Devices support

Dears How to find out what Devices (Switch, Router, etc.), operating systems (Windows, linux, MacOs, etc.), applica...

by Observer in

Developing reliable searches dealing with events indexing delay

Hello everyone, I am concerned about single-event-match (e.g. observable-based) searches and the eventual indexing ...

by Explorer in

Endpoint Correlation Searches.

We are in the process of deploying our endpoint logging strategy. Right now, we are using CrowdStrike as our EDR. As ...

by Explorer in

Adding Additional fields to notable events

I am pretty new to ES correlation seraches and I am trying to figure out how to add additionals fields to notable eve...

by Explorer in

Splunk Enterprise Security - permissions issue

A user is unable to access investigations in Enterprise Security (version ES 7.1.1) on Splunk Cloud (Splunk 9.0.2) . ...

by Explorer in

接入日志的最大数量

想了解下，SPlunk 单台服务器，最多可以接入多大的数据量 ，可以给工

by New Member in

Risk Analysis Dashboard - Risk Modifiers by Annotations

Hello: I recently started playing with the Risk framework, RBA etc. Most of my Risk Analysis dashboard is working w...

by Path Finder in

How to enrich notable events in ES?

Hello all, We are wanting to enrich events as they become notables in ES before they are sent onto Mission contro...

by Loves-to-Learn in

Splunk Enterprise Security Install Error In Deployer

Hi community Splunk, I have a issus when install Splunk Enterprise Security in Deployer. I have Splunk enviroment, it...

by New Member in

metric event is not properly structured issue in my SH !

HiI'm seeing an error message in my es search head, How we can sort out this issue Search peer idx-xxx.com has the fo...

by Builder in

Is it possible to move Splunk Security Essentials Bookmark to Enterprise Security Search Head?

Hi Splunkers, We have a ton of bookmarked content in Splunk Security Essentials App on one of our Dev Splunk searc...

by Communicator in

Splunk Security Essentials and ES Integration

Hello everyone, I am trying to enable some basic detections that found from the Splunk Security Essentials app. We ...

by Explorer in

incident_review migration to new splunk enterprise security (SH cluster)

I have an old stand alone search head with Enterprise security and I'm migrating to a new search head cluster. Now ...

by New Member in

What is the retention period for summaries generated by Data Models?

We have activated several data models for use with Splunk Enterprise security scenarios and are interested in clarify...

by Explorer in

How to send only not suppressed notable from Splunk to SOAR

Hi, we are using Splunk ES with notable events and suppressions. For sake of completeness, we have alerts that prod...

by Path Finder in

how to make a bar graph showing quantity closed notable events based on last modified time in a time range of 12 hours?

I would like a search query that would display a graph with the number of closed notables divided by urgency in the l...

by Engager in

How to retrieve a specific alert in Splunk Enterprise security apart from using Short ID method?

Hi All, Is there a way to retrieve a specific alert without using short ID in the incident review page? I was thi...

by Observer in

Getting error:0906D06C:PEM routines:PEM_read_bio:no start line after activating enableSplunkdSSL in server.conf

I have loaded a SSL Certificate on our development server (Splunk 8.1.4). I added the following to the server.conf fi...

by Communicator in

ES Investigation Note Formatting

When you create notes in Splunk ES you can format the notes with tabs and carriage returns. When the note saves and ...

by Engager in

Why is Splunk tag for key value pair not appearing for fields of notable events?

I have created a tag for a key-value pair (dvc=IP_Address) and shared it will all the apps. Which doing a search for ...

by Explorer in

What defines an asset priority?

All, I am setting up asset center in Splunk ES/PCI. The idea of an Asset priority is sorta vague. Is it left that...

by Builder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

need spl into datamodel search

Need changes to the datamodel search

Reduce the noise out of Security EventCodes..

How to create query for showing when was a Notable alert assigned and calculate SLA based off that?

Splunk Enterprise Security Devices support

Developing reliable searches dealing with events indexing delay

Endpoint Correlation Searches.

Adding Additional fields to notable events

Splunk Enterprise Security - permissions issue

接入日志的最大数量

Risk Analysis Dashboard - Risk Modifiers by Annotations

How to enrich notable events in ES?

Splunk Enterprise Security Install Error In Deployer

metric event is not properly structured issue in my SH !

Is it possible to move Splunk Security Essentials Bookmark to Enterprise Security Search Head?

Splunk Security Essentials and ES Integration

incident_review migration to new splunk enterprise security (SH cluster)

What is the retention period for summaries generated by Data Models?

How to send only not suppressed notable from Splunk to SOAR

how to make a bar graph showing quantity closed notable events based on last modified time in a time range of 12 hours?

How to retrieve a specific alert in Splunk Enterprise security apart from using Short ID method?

Getting error:0906D06C:PEM routines:PEM_read_bio:no start line after activating enableSplunkdSSL in server.conf

ES Investigation Note Formatting

Why is Splunk tag for key value pair not appearing for fields of notable events?

What defines an asset priority?

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...

Free Training Online Classes