Splunk Enterprise Security

Discussions

Thread Info

How to query for similar events from aggregated data and few other criteria.

Hi, I'm trying to find/create a splunk query for the following. My log is something like below: time=2018...

by Explorer in

In Splunk Enterprise Security, how come the Incident review dashboard isn't returning events intermittently?

In the Splunk incident review dashboard, when the customer is clicking on the submit button, they can see the event c...

by Splunk Employee in

It is possible to group notable events in Incident Review for Splunk Enterprise Security?

I have a couple searches that trigger in Incident Review and I want to group them up by count. And than let the drill...

by Explorer in

How do I change the first and last time to actual timeformat="%y-%m-%d %H:%M"?

I am looking to take the default datamodel search -- | tstats summariesonly max(_time) as lastTime from datamodel...

by New Member in

Cannot jump to Ad-Hoc AR action result, 'orig_action_name' changed when 'tag=modaction_result' is applied

Splunk Enterprise Version: 7.1.2 Enterprise Security Version: 5.1.0 Build: 12 When testing our AR action addon ...

by Explorer in

User Not listed in Enterprise Security's Owner list

In my environment, i have configured authentication on Splunk via SAML in our organization. There's one user which is...

by Path Finder in

Can you help me with the following Enterprise Security 5.11 Install error?: "Unable to initialize modular input"

I just installed Splunk Enterprise 7.2.0, which shows that it is a supported platform for Enterprise Security 5.11. ...

by New Member in

Splunk Enterprise Security: How do you stop emails from a suppressed alert in a correlation search?

I have a search that monitors alerts created by an IDS. I have begun going through the triggered alerts to suppress t...

by Explorer in

How do you create a correlation search in Splunk Enterprise from a simple search of an index?

I have a simple search alert such as (index=A src_user=userA) which uses lookup tables to filter data. I'd like these...

by New Member in

What is the best way to learn how to use Splunk Enterprise?

So this post is more of a question in relation to how people have gained knowledge of using Splunk Enterprise as well...

by Path Finder in

How come I'm unable to disable a correlation search nor able to save the changes made on it?

Hi All, This is a two fold question. Specs: Splunk Enterprise Security Version 6.6.1 Problem 1: I'm trying t...

by Communicator in

Splunk Security Essentials : Data Exfiltration

Hi, SSE use case maps to the MITRE ATT&CK tactics. As we can see from MITRE ATT&CK, each tactic has various techn...

by Explorer in

Why can't I see most of the dashboards after migration from ES 4.7.1 to Splunk Enterprise Security 5.1.1?

Splunk Enterprise is migrated from 6.5.3 to 7.1.2 and also Splunk Enterprise Security App has been upgraded from 4.7...

by Splunk Employee in

REST API "nearby events'

I'm trying to automate a search using the REST API to provide a list of events that occur x seconds before and after ...

by Path Finder in

Can you help me with a problem i'm having with my pie chart?

So I'm having a strange issue that I'm hoping someone can help me with. I have a pie chart with two goals: 1. Show...

by Path Finder in

Can you help me build a query which would generate a list of enabled usecases in Splunk Enterprise Security App along with the last triggered time?

Hey Guys, Could anyone suggest me a query for the below scenario. I need a Splunk query to show the list of ena...

by Explorer in

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>

Or Learn More in Our Blog >>

Splunk Enterprise Security

Discussions

How to query for similar events from aggregated data and few other criteria.

In Splunk Enterprise Security, how come the Incident review dashboard isn't returning events intermittently?

It is possible to group notable events in Incident Review for Splunk Enterprise Security?

How do I change the first and last time to actual timeformat="%y-%m-%d %H:%M"?

Cannot jump to Ad-Hoc AR action result, 'orig_action_name' changed when 'tag=modaction_result' is applied

User Not listed in Enterprise Security's Owner list

Can you help me with the following Enterprise Security 5.11 Install error?: "Unable to initialize modular input"

Splunk Enterprise Security: How do you stop emails from a suppressed alert in a correlation search?

How do you create a correlation search in Splunk Enterprise from a simple search of an index?

What is the best way to learn how to use Splunk Enterprise?

How come I'm unable to disable a correlation search nor able to save the changes made on it?

Splunk Security Essentials : Data Exfiltration

Why can't I see most of the dashboards after migration from ES 4.7.1 to Splunk Enterprise Security 5.1.1?

REST API "nearby events'

Can you help me with a problem i'm having with my pie chart?

Can you help me build a query which would generate a list of enabled usecases in Splunk Enterprise Security App along with the last triggered time?

Tune out blocks for Threat Activity Detected in ES.

How come I can't find the Splunk Add-on builder in the Splunk Enterprise Sandbox?

An error while exporting a Data Model to Phantom

Perfmon Dashboard/Report Help

Problem in using Cortex as Response Action in Splu...

How to put Limit on "edit Selected" option for the...

Is throttling based on trigger time? How do we dec...

What should be the source type for AWS KMS logs to...

Single Enterprise Security searchhead cluster conn...