Splunk Enterprise Security

Discussions

Thread Info

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, Service...

by Path Finder in

How do I get the alert actions from splunk_ta_snow to be active as adaptive responses in Enterprise Security

Hi. It seems like the alert_actions defines in splunk_ta_snow misses param._cam parms, so they don't show up, as a...

by Contributor in

Using the eval command, how do you calculate the time difference between two events WHERE the status value is different?

Hi, There's probably a better function to use for this, but I think it could be done with an eval and where (I thi...

by Path Finder in

how to customize drilldown action

Under the noteable event view, for each field ther is action, I want to add "got to virustotal $src$" field for src(i...

by Communicator in

Correlate two search results.

Hello, I have a two queries from two DM (Authentication and Change-Analysis). Task: Basically, I need to exclud...

by New Member in

Splunk ES - Configuration Errors on Splunk UI

We noticed Configuration Errors on Splunk UI, Investigated the errors and this is from the rules. No changes made to ...

by Splunk Employee in

Splunk Enterprise Security - SA-IdentitiyManagement - inputs.conf - master_host attribute value

What should be the value of master_host attribute in inputs.conf for SA-IdentitityManagement add-on? In my Splunk Ent...

by Explorer in

Splunk Enterprise Security: Unable to save Input stanza for lookup source

We are implementing the Splunk ES in our environment, when I try to save input stanza for lookup source under Configu...

by Explorer in

notables relation with device events

Is there any way that a notable is linked to the events that generated it?

by Explorer in

Enterprise Security Identity Correlation - merging of identities

Hi all, I have a problem understanding how ES Identity Correlation merges identities together. Example: I have ...

by Motivator in

How does Splunk Enterprise Security work?

hello I want to understand the concept of how Splunk security works. I think that it has a database of signatures...

by Path Finder in

Percent problems

Hi, Struggling to get the percentage to work properly... I have 3 fields; Open, Closed and New. I want to r...

by Path Finder in

inclusion in Datamodel

If there is any source type which has hash values but not action fields like allowed or blocked then it can consider ...

by Path Finder in

Symantec endpoint protection - CIM compliance

Hello, I am collecting SEP data from the next sources : symantec:ep:behavior:file symantec:ep:agent:file symante...

by Contributor in

Splunk ES Change Analysis - Filtering out False Positive

Hi Everyone, I'm having a little trouble tuning a correlation search which ships with ES. The rule primarily lo...

by Explorer in

In Splunk Enterprise Security, what are the pros and cons of querying across multiple Splunk systems?

Hi, We have multiple Splunk systems across different business units, managed separately. Our ES Splunk has a requi...

by Champion in

splunklib.client as client IPv6 Error

Hello, I am attempting to access the REST api of a splunk instance through Python and am receiving an IPv6 error i...

by New Member in

Need to update my pearson vue credentials so they match those in Splunk in order to schedule an exam.

I tried to schedule an examination for splunk cert via pearson vue. Saw a notification, according to it, my credentia...

by New Member in

Why is this app still called TA_sudo instead of TA-Sudo?

I'm not sure why the app makers just don't change the name of the app to TA-Sudo so the regex for importing apps in E...

by Path Finder in

Why are we unable to assign notable events when upgrading from ES 4.7.2 to 5.2.2?

We have upgraded our ES app from 4.7.2 to 5.2.2 and we are facing issue while assigning the alert. The issue was reso...

by Splunk Employee in

Are search-time extractions for non-accelerated data models possible?

Is it possible for additional fields to be extracted from a non-accelerated data model at search-time? Our ES "Malwar...

by Engager in

Error When Using DNSLOOKUP Command

I`m trying to run a search using dnslookup. index=MY_INDEX host=MY_HOST | lookup dnslookup clienthost as host outp...

by Contributor in

what does timeDiff_type field in es_notable_events collection does?

I was trying to get report of top notable events created in splunk. Below is the search query for it: | es_notable_ev...

by Engager in

How to get a report of Investigations from Enterprise Security

How to get a report of Investigations from Enterprise Security. The report should contain Name, Description,Status,Cr...

by Explorer in

Status doesnot change for each notable event

Hi, We have notable events that is being triggered in enterprise security. There similar events that are triggering a...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

How do I get the alert actions from splunk_ta_snow to be active as adaptive responses in Enterprise Security

Using the eval command, how do you calculate the time difference between two events WHERE the status value is different?

how to customize drilldown action

Correlate two search results.

Splunk ES - Configuration Errors on Splunk UI

Splunk Enterprise Security - SA-IdentitiyManagement - inputs.conf - master_host attribute value

Splunk Enterprise Security: Unable to save Input stanza for lookup source

notables relation with device events

Enterprise Security Identity Correlation - merging of identities

How does Splunk Enterprise Security work?

Percent problems

inclusion in Datamodel

Symantec endpoint protection - CIM compliance

Splunk ES Change Analysis - Filtering out False Positive

In Splunk Enterprise Security, what are the pros and cons of querying across multiple Splunk systems?

splunklib.client as client IPv6 Error

Need to update my pearson vue credentials so they match those in Splunk in order to schedule an exam.

Why is this app still called TA_sudo instead of TA-Sudo?

Why are we unable to assign notable events when upgrading from ES 4.7.2 to 5.2.2?

Are search-time extractions for non-accelerated data models possible?

Error When Using DNSLOOKUP Command

what does timeDiff_type field in es_notable_events collection does?

How to get a report of Investigations from Enterprise Security

Status doesnot change for each notable event

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Splunk ES threat feeds empty

Palo Alto apps and add-ons for splunk

Dashboard PNG schedule export setting is not viewa...

Incident_updates_lookup not updating urgency and r...

Create Investigation SOAR

Splunk Enterprise Security

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!