We have Splunk Enterprise Security and use the correlation searches along with notable events for incident handling. We also have alerts set up. However, the alerts don't have the incident h...
I'm creating correlation searches from scratch in the latest version of ES. The search results include fields that don't show up in the notable event (in the Incident Review dashboard). I'd like t...
...ne dedicated to run the Enterprise Security app
- These two SH clusters are connected to the same indexer cluster and they are configured to use the same SAML LDAP server for authentication
- We w...
In Splunk Enterprise Security (ES), we cannot save a correlation search as a user with ess_admin. This works if the user is admin.
The navigation is: ES/Configure/Content Management/Create new C...
Hi all,
On a similar note to this question, I would also like to know the complete list of pre-configured correlation searches available in ES 4.0
We don't have ES installed and therefore I c...
In Enterprise Security I have this correlation search which I believe includes searching through the previous 24 hours of events:
| inputlookup append=T listeningports_tracker | eval _time=f...
Hi,
I'm trying to configure the Drill-down Earliest Offset in my Notable Adaptive Response Action.
I'd like to run the drill-down search with earliest set to 2 minutes before the e...
Hi,
How can I configure a Correlation Search in ES to add risk to 2 objects (src & dest)? I can only configure an Adaptive Response Action once from the drop-down menu.
Savedsearches.conf s...
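The two questions above (setting the notable drill-down window, and attaching risk to both src and dest from a single Risk Analysis action) both come down to keys in the correlation search's savedsearches.conf stanza. The stanza below is an added, constructed example and is not from either original post or from Splunk's shipped content. It assumes a recent ES release (6.x) in which action.risk.param._risk accepts a JSON array of risk objects, and it assumes the drilldown_earliest_offset / drilldown_latest_offset keys take an offset in seconds relative to the notable's time; the stanza name, the tstats search, the index name and the scores are invented for illustration.

```ini
# savedsearches.conf - constructed example stanza, not from the original posts
[Example - Blocked traffic burst src to dest - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Example - Blocked traffic burst src to dest
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
# Example search: pairs with more than 100 blocked connections (constructed)
search = | tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=blocked by All_Traffic.src All_Traffic.dest | rename All_Traffic.* as * | where count > 100

# Notable event with a drill-down window of 2 minutes either side of the event.
# Assumption: the offset keys are interpreted as seconds (default is $info_min_time$/$info_max_time$).
action.notable = 1
action.notable.param.rule_title = Blocked traffic burst from $src$ to $dest$
action.notable.param.rule_description = $count$ blocked connections from $src$ to $dest$
action.notable.param.security_domain = network
action.notable.param.severity = medium
action.notable.param.drilldown_name = View raw firewall events for $src$ to $dest$
action.notable.param.drilldown_search = index=firewall src="$src$" dest="$dest$" action=blocked
action.notable.param.drilldown_earliest_offset = 120
action.notable.param.drilldown_latest_offset = 120

# One Risk Analysis action carrying two risk objects: the UI only lets you add the
# action once, but the _risk parameter is a JSON array, so both src and dest get scored.
action.risk = 1
action.risk.forceCsvResults = 1
action.risk.param._risk_message = Blocked traffic burst from $src$ to $dest$
action.risk.param._risk = [{"risk_object_field": "src", "risk_object_type": "system", "risk_score": 40}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 40}]
```

After deploying, check that both risk objects were written by searching the risk index (for example: index=risk source="Example - Blocked traffic burst src to dest - Rule" | stats count by risk_object risk_object_type) and open a resulting notable in Incident Review to confirm the drill-down time range is widened as intended; if the offsets are applied differently in your ES version, adjust the two offset keys rather than the drill-down search itself.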
Hello friends, We have Splunk ES and we stored our data in different indexes (OS logs, Network logs, ...). I have a question about correlation searches. Some correlation searches didn't use Data M...
I have installed the Enterprise Security App. I review Security Domain, in particular, the Access and Network sections, and I see many events coming from my AD, Office 365, and Firewalls. However, ...