Splunk Enterprise Security

how do I make splunk es to check my uploaded logs

testttt
Observer

I have installed splunk es app and uploaded botsv1.stream_http.json (https://github.com/splunk/attack_data)

336788958-05898aa7-26ac-4db7-ac9f-9cc72fb6feb2.png
but incident_review and ess_security_posture is not hitting any event

336789872-68990f35-2468-4ef5-82e8-1da409d20585.png

how do I make splunk es to check my uploaded logs and generate a list of alerts like below. Please note that I am not checking the logs forwarded by agent, but the log files uploaded on the browser side

336793300-1a8315ea-8ac6-47e2-98d2-eaf79ce0391d.png

thank you

Labels (1)
0 Karma

kiran_panchavat
Contributor

@testttt There are no notable events that you can produce because you have uploaded sample events to Splunk. Could you please create an instance, send the logs to Splunk, and attempt to produce the notable events? such as unsuccessful login attempts and bruteforce attacks.

0 Karma

testttt
Observer

I created a dvwa application and used SplunkUniversalForwarder to forward the log to port 9997, containing events such as sql injection and brute force cracking,

微信截图_20240606163504.png微信截图_20240606163352.png

but incident_review and ess_security_posture is not hitting any event

微信截图_20240606163605.png

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...