Splunk Enterprise Security

Discussions

Thread Info

Splunk Enterprise Security: Phantom IP address "refused to connect" on Google Chrome

Hello, I'm trying to access the Phantom web servers but when I use the IP address into Chrome, it says it "refused to...

by Engager in

When is a Failed Login, not a failed login...

Hi, How can I prevent the Splunk Nix TA from mapping the following event to a 'Failed Login' within the Authentica...

by Path Finder in

Need a help with workflow action or notable event contribution Events

Hello, We created a notable event for DLP which creating Contributing Events: DLP Drilldown for 652837 when...

by Communicator in

Enterprise Security: what makes a correlation search a correlation search?

I'm looking at a sample correlation search called Abnormally High Number of HTTP Method Events By Src - | tstats `...

by Motivator in

Does Value Exist in KV Store

Hi All, Sorry, this might be an obvious one but I'm having trouble finding information on this specific problem. I...

by Explorer in

Enterprise Security: can we extend the cim definition with our own custom fields?

The TA mapped our bluecoat index as a Web cim compliant. Looking at our bluecoat index and reports we built on top an...

by Motivator in

Splunk Enterprise Security: Look up file in correlation searches not populating

The following 3 Correlation Searches within ES have the error "lookup file is not populated": Detect AWS Console L...

by Communicator in

Can I pass tokens (like in email notice) as an arguments to Script for SMS alerting?

Hi, I have SMS alerts sent to me as an action of Splunk alert. I have successfully passed the arguments that avai...

by Path Finder in

how to compare successful logins in the host with yesterday's

Hello, I am getting successful logins from each server which is like 4000 per day from Each server. But some days...

by Communicator in

ES - Threat Intelligence - FS-ISAC Feeds

Attempting to ingest feeds from FS-ISAC into ES. I can see in splunk that a file is created: 2018-06-19 17:01:28,107...

by Engager in

Values and counts

Ex: query=google.com , yahoo.com src= xyz-pc , abc-pc I want to know the count of queries to each domain queried b...

by Explorer in

Updating Timestamp in a Lookup Table

Hi, Trying to build a use case which looks at user logins and stores the Count, Earliest and Lastest times on a per u...

by Explorer in

Query to find host making certain traffic

Hi All, Could you please help me in writing a query for the below scenario: I want find a src computer which is...

by Explorer in

Splunk Enterprise Security: In geodistance what do units="m" refers to, meter or mile?

Not able to find any document about marco geodistance; the units="m", is it mile or meter?

by Engager in

ER: Qualys TA for Splunk to pull Activity Logs

Please add an input configuration that pulls the Activity Logs already parsed for the C.I.M Data models. From the ...

by Contributor in

G Suite App for Splunk

Hi All, I was able to configure and follow the authorization steps 1 and 2. The only logs I am receiving are error...

by Engager in

Is it possible for an alert outside of the Splunk ES app to create and push notable events to Splunk ES?

Hi. We've just installed Splunk ES and want to utilize the notable event functions. I know there is some correlati...

by Builder in

$info_min_time$ is insufficient when using drill down from incident review

If I adjust -1h to my earliest time, I locate the event targeted by the drill down. Is there a best minimal invasive ...

by Explorer in

ODBC connection problem with Splunk ES

I'm trying to pull some data from Splunk Enterprise Security (ES). I have been using the Splunk ODBC to pull data fro...

by Explorer in

splunkd.service doesn't work in splunk7.3.1 based on systemd.

Hi, every one! I have a problem with generate Splunkd.service with systemd in ubuntu 18.04 LTS. This service does wor...

by New Member in

Index in Dashboards

is there a way to check for a specific index on which dashboards this index is used?

by Loves-to-Learn in

PhishTank Threat Intelligence Not Writing to Collection

I am trying to enable the out of box PhishTank Threat Intelligence in ES. The file downloads correctly but it doesn't...

by Explorer in

Splunk Enterprise Security: Pulling data from message field

Hello, I have been trying unsuccessfully parse/filter the data from the message field: Message= Spyware/Graywar...

by Communicator in

Splunk Enterprise Security: How does ES determine license consumption?

We wonder how ES determines the license consumption. After all, sometimes only few events from a certain index are c...

by Motivator in

Splunk buildin intelligence feed

Dear Splunkers, Does Splunk enterprise security come with any threat intelligence feed that is solely provided by ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Enterprise Security: Phantom IP address "refused to connect" on Google Chrome

When is a Failed Login, not a failed login...

Need a help with workflow action or notable event contribution Events

Enterprise Security: what makes a correlation search a correlation search?

Does Value Exist in KV Store

Enterprise Security: can we extend the cim definition with our own custom fields?

Splunk Enterprise Security: Look up file in correlation searches not populating

Can I pass tokens (like in email notice) as an arguments to Script for SMS alerting?

how to compare successful logins in the host with yesterday's

ES - Threat Intelligence - FS-ISAC Feeds

Values and counts

Updating Timestamp in a Lookup Table

Query to find host making certain traffic

Splunk Enterprise Security: In geodistance what do units="m" refers to, meter or mile?

ER: Qualys TA for Splunk to pull Activity Logs

G Suite App for Splunk

Is it possible for an alert outside of the Splunk ES app to create and push notable events to Splunk ES?

$info_min_time$ is insufficient when using drill down from incident review

ODBC connection problem with Splunk ES

splunkd.service doesn't work in splunk7.3.1 based on systemd.

Index in Dashboards

PhishTank Threat Intelligence Not Writing to Collection

Splunk Enterprise Security: Pulling data from message field

Splunk Enterprise Security: How does ES determine license consumption?

Splunk buildin intelligence feed

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

How to handle Defender Incidents/Alerts with ES No...

Splunk Enterprise Security API support for update ...

Clarification on UBA Capability in Splunk Enterpri...

KV Store communication fails with TLS errors after...

Findings Comments

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions