Splunk Enterprise Security

Discussions

Thread Info

Splunk ES - Configuration Errors on Splunk UI

We noticed Configuration Errors on Splunk UI, Investigated the errors and this is from the rules. No changes made to ...

by Splunk Employee in

Splunk Enterprise Security - SA-IdentitiyManagement - inputs.conf - master_host attribute value

What should be the value of master_host attribute in inputs.conf for SA-IdentitityManagement add-on? In my Splunk Ent...

by Explorer in

Splunk Enterprise Security: Unable to save Input stanza for lookup source

We are implementing the Splunk ES in our environment, when I try to save input stanza for lookup source under Configu...

by Explorer in

notables relation with device events

Is there any way that a notable is linked to the events that generated it?

by Explorer in

Enterprise Security Identity Correlation - merging of identities

Hi all, I have a problem understanding how ES Identity Correlation merges identities together. Example: I have ...

by Motivator in

How does Splunk Enterprise Security work?

hello I want to understand the concept of how Splunk security works. I think that it has a database of signatures...

by Path Finder in

Percent problems

Hi, Struggling to get the percentage to work properly... I have 3 fields; Open, Closed and New. I want to r...

by Path Finder in

inclusion in Datamodel

If there is any source type which has hash values but not action fields like allowed or blocked then it can consider ...

by Path Finder in

Symantec endpoint protection - CIM compliance

Hello, I am collecting SEP data from the next sources : symantec:ep:behavior:file symantec:ep:agent:file symante...

by Contributor in

Splunk ES Change Analysis - Filtering out False Positive

Hi Everyone, I'm having a little trouble tuning a correlation search which ships with ES. The rule primarily lo...

by Explorer in

In Splunk Enterprise Security, what are the pros and cons of querying across multiple Splunk systems?

Hi, We have multiple Splunk systems across different business units, managed separately. Our ES Splunk has a requi...

by Champion in

splunklib.client as client IPv6 Error

Hello, I am attempting to access the REST api of a splunk instance through Python and am receiving an IPv6 error i...

by New Member in

Need to update my pearson vue credentials so they match those in Splunk in order to schedule an exam.

I tried to schedule an examination for splunk cert via pearson vue. Saw a notification, according to it, my credentia...

by New Member in

Why is this app still called TA_sudo instead of TA-Sudo?

I'm not sure why the app makers just don't change the name of the app to TA-Sudo so the regex for importing apps in E...

by Path Finder in

Why are we unable to assign notable events when upgrading from ES 4.7.2 to 5.2.2?

We have upgraded our ES app from 4.7.2 to 5.2.2 and we are facing issue while assigning the alert. The issue was reso...

by Splunk Employee in

Are search-time extractions for non-accelerated data models possible?

Is it possible for additional fields to be extracted from a non-accelerated data model at search-time? Our ES "Malwar...

by Engager in

Error When Using DNSLOOKUP Command

I`m trying to run a search using dnslookup. index=MY_INDEX host=MY_HOST | lookup dnslookup clienthost as host outp...

by Contributor in

what does timeDiff_type field in es_notable_events collection does?

I was trying to get report of top notable events created in splunk. Below is the search query for it: | es_notable_ev...

by Engager in

How to get a report of Investigations from Enterprise Security

How to get a report of Investigations from Enterprise Security. The report should contain Name, Description,Status,Cr...

by Explorer in

Status doesnot change for each notable event

Hi, We have notable events that is being triggered in enterprise security. There similar events that are triggering a...

by Explorer in

Local lookup CSV to Threat Intel KV timestamp - age out indicators

Has anyone tackled IOC expiry / timestamp issues between a local lookup and the Splunk ES Threat Intel KV store ? ...

by Path Finder in

Custom Role Inheritance Is Not Working In ES App After Upgrade

Customer have created SOC l1 and SOCl 2 custom roles, SOC l1 has the inherited role ES analyst, ES user and user. ...

by Splunk Employee in

How do you normalize time fields, and then use them to compare two different source types?

Hi All, While trying to build a correlation search, I have run into a standpoint, where I need some help. I have t...

by Communicator in

Check if new software detected exists/doesn't exist in Lookup

I am trying to find out when a new software get installed on any end point. and I also have a script running to colle...

by New Member in

In Splunk Enterprise Security, can you help me fix my search that uses the tstats command with a NOT operator?

I'm trying to use the NOT operator in a search to exclude internal destination traffic. Any help would be great! |...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk ES - Configuration Errors on Splunk UI

Splunk Enterprise Security - SA-IdentitiyManagement - inputs.conf - master_host attribute value

Splunk Enterprise Security: Unable to save Input stanza for lookup source

notables relation with device events

Enterprise Security Identity Correlation - merging of identities

How does Splunk Enterprise Security work?

Percent problems

inclusion in Datamodel

Symantec endpoint protection - CIM compliance

Splunk ES Change Analysis - Filtering out False Positive

In Splunk Enterprise Security, what are the pros and cons of querying across multiple Splunk systems?

splunklib.client as client IPv6 Error

Need to update my pearson vue credentials so they match those in Splunk in order to schedule an exam.

Why is this app still called TA_sudo instead of TA-Sudo?

Why are we unable to assign notable events when upgrading from ES 4.7.2 to 5.2.2?

Are search-time extractions for non-accelerated data models possible?

Error When Using DNSLOOKUP Command

what does timeDiff_type field in es_notable_events collection does?

How to get a report of Investigations from Enterprise Security

Status doesnot change for each notable event

Local lookup CSV to Threat Intel KV timestamp - age out indicators

Custom Role Inheritance Is Not Working In ES App After Upgrade

How do you normalize time fields, and then use them to compare two different source types?

Check if new software detected exists/doesn't exist in Lookup

In Splunk Enterprise Security, can you help me fix my search that uses the tstats command with a NOT operator?

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

Editing the alert that is sent to PagerDuty

Is it possible to make it mandatory to assign Owne...

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...