Splunk Enterprise Security

Start a Conversation

Discussions

Start a Conversation

Thread Info

Why is the AWS Lookup failing in Splunk Enterprise Security?

I have a customer that is running a search in ES training to use an AWS Account Look up table and it they get The lo...

by Path Finder in

How to find sources contacting a destination from previous results?

Hi, I have the following search that allows me to internal IPs contacting destinations categorized as CnC in Emerg...

by New Member in

How to get a list of logins without a count or multiple entries for users logging in?

This is easy and hard to describe. Let's say you have 250 users logging in during the course of the day (this ques...

by Communicator in

Anyone able to help me tune my indexes.conf?

All, Sorry guys, don't do this much and the docs are not giving me the warm and fuzzy's about about how to do thi...

by Builder in

Splunk Enterprise Security and Splunk App/Add-on for ServiceNow: How to dreate SNOW incidents from ES incidents?

Using the latest Splunk Entperirse Security and Splunk App/Add-on for ServiceNow. I'm trying to get incidents in E...

by Explorer in

Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

Hello, I setup correctly Cisco eStreamer 3.0.0 but I see that is not CIM and Enterprise Security won't see the data ...

by New Member in

Splunk security enterprise (sandbox access: trial version)

Hello, I want to test the sandbox Splunk SE (trial version) for my company, but when i access to the sandbox inter...

by New Member in

Splunk Indexer IOPS

Hello All Im currently trying to size up a indexer and have been told that what is needed is 1200 IOPS per disk . ...

by New Member in

Why are events included in one Search Head but not the other when running the same search?

I have a two search head, one indexer environment. One Search Head is dedicated to Splunk Enterprise Security (ES). I...

by Engager in

How to aggregate events per host per hour?

Hello, I believe this does not give me what I want but it does at the same time. After events are indexed I'm atte...

by Communicator in

Tracking Session Open/Closed

Hello, How could I track if a session is opened but not closed immediately and by track I mean implementing a rule...

by Communicator in

How to compare columns in an inputlookup and return results that do not match?

Hello, I am trying to build a search that takes an inputlookup file that has 2 columns; One is a list of usernames...

by Explorer in

How to organize my columns, in a table, by urgency for tracking KPI for notable events?

I would like to organize a table for tracking KPI for notable events like so: No. of Critical No. of High No. of M...

by Explorer in

How to test Environment for Splunk ES?

Hi Splunkers, I have completed administering Splunk enterprise security two months back and now I need to do some ...

by Path Finder in

Splunk Enterprise Security: API 'notable_update' error - Invalid method for this endpoint

Hello! I'm trying to query the notable_update service via api (.../services/notable_update) and get error of - "In...

by Explorer in

Splunk ES local setup

Hi, can somebody help me to download the local setup file for Splunk ES.

by New Member in

Which TA should I use for FortiGate?

Splunk ES includes TA-fortinet 4.7.1. FortiNet maintain Splunk_TA_fortinet_fortigate, currently at v1.5, and whose...

by Communicator in

Any challenges running Splunk ES without admin I should be aware of?

All, Per a request from our security team, I moved Splunk to LDAP only and blasted the local admin account. But E...

by Builder in

How to assign roles to X team if model User doesn't have access to that Index?

How to assign roles to X team if model User doesn't have access to that Index? How to search those roles in Model Use...

by Engager in

What are all the URLs I need to open Splunk Enterprise Security up to for its default threat lists?

All, Anyone have a list of all the URL's IPs I need to open Splunk Enterprise Security up to for its threat lists...

by Builder in

Splunk Enterprise Security

Discussions

Why is the AWS Lookup failing in Splunk Enterprise Security?

How to find sources contacting a destination from previous results?

How to get a list of logins without a count or multiple entries for users logging in?

Anyone able to help me tune my indexes.conf?

Splunk Enterprise Security and Splunk App/Add-on for ServiceNow: How to dreate SNOW incidents from ES incidents?

Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

Splunk security enterprise (sandbox access: trial version)

Splunk Indexer IOPS

Why are events included in one Search Head but not the other when running the same search?

How to aggregate events per host per hour?

Tracking Session Open/Closed

How to compare columns in an inputlookup and return results that do not match?

How to organize my columns, in a table, by urgency for tracking KPI for notable events?

How to test Environment for Splunk ES?

Splunk Enterprise Security: API 'notable_update' error - Invalid method for this endpoint

Splunk ES local setup

Which TA should I use for FortiGate?

Any challenges running Splunk ES without admin I should be aware of?

How to assign roles to X team if model User doesn't have access to that Index?

What are all the URLs I need to open Splunk Enterprise Security up to for its default threat lists?

Security Essentials / MITRE ATT&CK

Parsing the "_raw" field of Splunk Python SDK resu...

Missed macro ec2_excessive_terminateinstances_mltk...

MITRE-ATTACK latest threat list can not be downloa...

Failing to add Threat Intelligence Feed to Splunk ...