Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Asset lookup with conditional eval

Greetings-- I have an asset lookup gen that begins with: | stats latest(src_ip) as ip latest(os) as os **latest(pr...

by Communicator in

Splunk Enterprise Security: is there a way to notify someone via email that they have been assigned a notable event?

Is there any way to notify someone that an incident has been assigned to them? For my in incident review process, ...

by Communicator in

Splunk Enterprise Security: Create an alert that sends email to the user who’s got an Enterprise Security notable event assigned to them...

Its should only fire in case of user other then owner assign an notable event to them.

by Explorer in

I had a usecase to remove one of the filed(Secutiry_id) value WHEN IP address is 10.141.20.19.Can you guys help in framing the query

I had a usecase to remove one of the filed(Secutiry_id) value WHEN IP address is 10.141.20.19.Can you guys help in fr...

by New Member in

Unexpected end of JSON input for Azure Monitor

Getting the following error message: 07-10-2019 13:02:18.411 +0000 ERROR ExecProcessor - message from ""C:\Program...

by New Member in

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv then it takes all ...

by Path Finder in

Create a search to find Average time taken to close an incident from the time it opens

Hello, I want to create a search for the average time taken to close an incident in ES, after it closes from the t...

by New Member in

How to count Stats by two Fields in one search

I have tired the following commands to retrieve the results, but it fails. |from datamodel:"Authentication"."Faile...

by New Member in

Automatically recognize if all data behave the same at night / on weekends / on public holidays--> determine time period for gap in my graph

Hello, When I plot a timechart, there are some empty buckets, which causes a gap in my graph. In these gaps (value...

by New Member in

splunk ES and Esesntial app prequiest

hi, is there any prerequisite to install or make ES or Essential app work ??? like should I install CIM add-on before...

by Explorer in

How to capture the time when the notable alert was fired, in a field?

I have to populate a field called event_generation_time. I want to populate the time when notable event was created f...

by Engager in

Splunk 6.5.1 and Splunk Enterprise Security 4.5.1: What is upgrade path from Splunk 6.4.0 and ES 4.1.1?

Hi, I know the order to upgrade Splunk components. But don't totally understand the path to upgrade from Splunk En...

by Contributor in

Phantom - Assign Container/Case to Self - Playbook

I am working on automating some minor things and I want to add in a step to have the playbook assign the container or...

by Path Finder in

web security logs (raw data)

Hello everyone, Urgently, am looking for a web security logs to ingest it in splunk enterprise for practicing purpos...

by Explorer in

ES: Why does my new search not appear in the "Saved Search Name" on the "Incident Review" screen?

I created a new correlation search like I have many times before but this time when it fires on the Security Posture ...

by Esteemed Legend in

I would like to find out failed login attempts with Event Code (4625) here the condition is failed login attempts with in one hour and if the failed attempts less than that what ever the event code present in the index will be displayed.?

Hi All, I would like to find out failed login attempts with Event Code (4625) , here the condition is failed login...

by Engager in

How to get word on search and save on new column tables ?

Hello guys, I have a search, sourcetype=example "testword" OR "abcd" | table _time _raw If I run this qu...

by New Member in

Help with Splunk ES Investigations Collaborators

Hello, We are using Splunk Enterprise Security and I was just wondering if there is any way to add multiple collab...

by Engager in

streams and DNS over (HTTPS or TLS)...DoH/DoT

How will Splunk address encrypted DNS collection? It's weird you need to have karma points to post a link, look up...

by Explorer in

Detecting Port Scan (nmap)

I did a test port scan using nmap. This way I could catch what I was looking for in ES. Below is my query and it show...

by New Member in

crcSalt is not working with multiple sub dir contains same file name monitoring

Hi, Am writing a monitoring stanza to on-board the files with same name but different sub-directory named using follo...

by Path Finder in

Threat Intelligence Searches Not Populating threat_activity Index

The search "Threat - Source and Destination Matches - Threat Gen" is working and producing results, only the results ...

by Path Finder in

How can I filter incoming traffic from outgoing traffic

Hi I am working on a DDoS alert. I want to detect spikes of incoming traffic. But I am not sure on how to differen...

by Communicator in

Differences between the Splunk Security courses?

Could anyone give me a synopsis of the differences between the courses "Using Splunk Enterprise Security 5.2" and "Ad...

by Explorer in

Splunk Enterprise Security: How to join with lookup

I need to cross the information of my lookup with fields from my index, and bring some information on the table, but ...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Asset lookup with conditional eval

Splunk Enterprise Security: is there a way to notify someone via email that they have been assigned a notable event?

Splunk Enterprise Security: Create an alert that sends email to the user who’s got an Enterprise Security notable event assigned to them...

I had a usecase to remove one of the filed(Secutiry_id) value WHEN IP address is 10.141.20.19.Can you guys help in framing the query

Unexpected end of JSON input for Azure Monitor

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

Create a search to find Average time taken to close an incident from the time it opens

How to count Stats by two Fields in one search

Automatically recognize if all data behave the same at night / on weekends / on public holidays--> determine time period for gap in my graph

splunk ES and Esesntial app prequiest

How to capture the time when the notable alert was fired, in a field?

Splunk 6.5.1 and Splunk Enterprise Security 4.5.1: What is upgrade path from Splunk 6.4.0 and ES 4.1.1?

Phantom - Assign Container/Case to Self - Playbook

web security logs (raw data)

ES: Why does my new search not appear in the "Saved Search Name" on the "Incident Review" screen?

I would like to find out failed login attempts with Event Code (4625) here the condition is failed login attempts with in one hour and if the failed attempts less than that what ever the event code present in the index will be displayed.?

How to get word on search and save on new column tables ?

Help with Splunk ES Investigations Collaborators

streams and DNS over (HTTPS or TLS)...DoH/DoT

Detecting Port Scan (nmap)

crcSalt is not working with multiple sub dir contains same file name monitoring

Threat Intelligence Searches Not Populating threat_activity Index

How can I filter incoming traffic from outgoing traffic

Differences between the Splunk Security courses?

Splunk Enterprise Security: How to join with lookup

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Clarification on UBA Capability in Splunk Enterpri...

Findings Comments

Sendalert risk does not populate source_guid / sou...

Asset Identity Framework subnet does not match ip-...

Palo Alto apps and add-ons for splunk

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions