Hi Splunkers, I have a doubt about a custom app customization. For a customer, we created with Splunk Addon Builder a simple app to use as "container": every customization we perform, such as Correlation...
I would have to move my custom Correlation rules to a custom TA-foo app. My correlationsearches comprise: custom rules created from scratch (all across the apps estate - yup, it's a m...
We have a number of correlationsearches that trigger in Enterprise Security. From these events that trigger in IR, some events are true positive others are not. What I am trying to do is have my a...
...ifferent correlationsearches don't include an additional field what happens?
Does it just not get displayed in that Notable or does it list the field with a null value in the Incident Review Dashboard?
In Splunk ES we have correlationsearches creating notable events. The timestamp of the notable event, and thus the timestamp of the incident in "Incident Review", is the time of when the correlation...
...hreat_activity index). As I understand correctly, threat_activity index is filled with the help of all these searches (Certificates Intelligence, Email Intelligence, etc.) Can you please show m...
I have a CSV file that I would like to index one time only. There are two fields (Date, Time) that I want to be able to use as _time so that I can create a correlation of avg/median response times w...
Hey gents
My customer is asking me to create a new threat intelligence source in the Enterprise Security app (version 4.5.1.)
He told me that he is going to provide an .ioc file with the f...
...search results, such as : orig_host, ip, and some other custom fields.
I went to Incident Review Settings in order to add my custom fields in the Event Attributes
I customized my correlationsearch...
...he flow of actions -
load data using the HEC,
parse data normalizing them,
eventually, load data in Data Models,
if you don't load data in Data Models, create your CorrelationSearches...