Hi All,
We are using the Splunk ES app in our environment, log sources are integrated to it, and I am working on making the logs CIM compatible.
As of now, we are getting thousands of notable eve...
I'm trying to make a use case where it will alert when there are several attempts of failed logins and one of them succeeded in the past 10 minutes.
So it must do the following thing: Alert when 1...
Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and failures_by_sr...
We have not been using the Splunk ES for long and the “xswhere” used for this notable is an extreme search. The extreme search provides a non-fixed threshold on when to alert, but it needs time to f...
Why can't I edit the correlation search or use extreme search commands in Splunk, such as: exwhere
The error (Unknown search command 'xswhere'.) will show up.
How can I fix it? If I only got e...
...val('action'=="failure")) as failure,count(eval('action'=="success")) as success by user app | search failure>10 success>0 | xswhere failure from failures_by_src_count_1h in authentication is a...
This correlation search detects a "substantial increase in port activity" and it works well. How can I tune/modify it so that it is a little less sensitive so that it doesn't "trigger" as often? Ba...
Hi all,
I would like to ask what is the meaning of using a pipe as the first character in a search query. I saw some video tutorials that use a pipe as the first character, and also correlation searc...
Hi Everyone,
I'm having trouble with one of the alerts in Enterprise Security, which is causing a lot of noise and false positives. I've tuned the correlation rule to where I want it, but the proble...