It's best to just disable the "wrong" one and start over with a new one, without removing the old search. * If you want to remove a custom correlation search entirely, you'd have to remove all traces of it from correlationsearches.conf and savedsearches.conf. * If you are on version 4.7.0 or later, you can delete the correlation search like you would any saved search in Settings, because the correlationsearches.conf file is no longer used as of version 4.7.0. ... View more

@khagan, you might want to review (if possible) what got saved in the savedsearches.conf file (and if pre-4.7.x, also correlationsearches.conf) related to the notable event adaptive response action, and compare it to some default notable event settings. I wonder if something wasn't saved properly on the backend. If the issue were just specific fields not showing up, I'd suggest looking here: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Customizenotables#Change_notable_event_fields but this seems like a bigger issue. Please let me know what you find! ... View more

@shubham87, the main concern is big enough indexers to support the added search load from 2 search heads. Having ES adds a significant search load to your indexers, and a second search head pointing to the same one can increase that even more. As long as your indexers can support the added search load, you should be okay. See the indexer scaling recommendations here: http://docs.splunk.com/Documentation/ES/4.7.2/Install/DeploymentPlanning#Indexer_scaling_considerations_for_Splunk_Enterprise_Security ... View more

Thanks for the update! I hope it's easy to fix after you find out what's causing the problem. Good luck! ... View more

Information about the threat intelligence framework and sources Splunk Enterprise Security includes a threat intelligence framework and threat intelligence sources that attempt to perform these downloads. A modular input performs the download requests (that's what you found in the input.conf file) For information on the threat intelligence sources, see: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Includedthreatintelsources For more information on how the threat intelligence framework works, see: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBC Troubleshooting your specific problem If the threat sources are failing to download, there are several potential root causes: Is your instance connected to the internet? Are there firewall or proxy rules in place that might prevent the modular input from making these calls to the internet? Are you using a version of Splunk Enterprise Security with a known bug that produces these messages in error (says that the downloads are failing when they are not)? Versions 4.7.0 and 4.7.1 have this bug. Review the log files related to see the exact error messages, and other verification steps, see: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Verifythreatintel ... View more

If you want to perform UBA without purchasing the UBA app, you can download @David's app Splunk Security Essentials: https://splunkbase.splunk.com/app/3435/ It walks you through the different UBA use cases that you might want to explore, and how to do those in Splunk Enterprise/Cloud or if you would need to use the Splunk User Behavior Analytics product to address those use cases. As Chris mentioned, contacting sales is a great place to start. ... View more

Hello @daniel333, You're correct that you'd want to download the files (upload them, if adding a STIX/IOC file manually) to the deployer and then deploy them out. Treat it like a lookup file. The link that @acharlieh posted has the correct file path in it for that version and the previous one. http://docs.splunk.com/Documentation/ES/4.6.0/User/Configureblocklists#Add_OpenIOC_or_STIX_files_using_the_file_system If you go to the version of the documentation it will tell you if there is a specific path required. I believe in 4.5.0 is when we started requiring a specific file path. In the next version of ES (and the current cloud-only version) this is easier because you can upload the file and the software takes care of the rest, without worrying about a file system location. Let me know how that goes! I'm going to add a SHC-specific note to the documentation to make this clearer, thanks for your question!! ... View more

Hello @neelamsantosh, Make sure you are using a compatible version of Splunk Enterprise with Splunk Enterprise Security. Check this table for your version of Enterprise Security: http://docs.splunk.com/Documentation/ES/4.6.0/Install/DeploymentPlanning#Splunk_Enterprise_system_requirements Thanks, Sarah ... View more

The ES sandbox is on version 4.1.x of Splunk Enterprise Security. The glass table functionality first appears in version 4.2.0 of Enterprise Security. If you engage with sales for a POC or to gain access to the private sandbox, you can see a more recent version of Enterprise Security with glass tables. ... View more

Thanks for the update! ... View more

What version of Splunk Enterprise Security do you have installed? Have you cleared your browser cache? ... View more

Thanks for the added context, Paul! ... View more

No, the search isn't performed twice, it's just a detail about how the search is stored. ... View more

Yes, you would need stanzas in both if you were to add your own correlation searches. However, I'd recommend that you use the content management page to create the searches so that the proper attributes are saved in the proper locations. Starting in 4.6.0, only savedsearches.conf references are needed. ... View more

Check the throttling of notable events for that search. If the search is throttling notable events, and the "randomly" skipped notable events fall into that time window, that would explain why a notable event isn't being created. ... View more

The severity you set when creating a correlation search is different from the urgency of a notable event, though they are related. See: http://docs.splunk.com/Documentation/ES/4.5.1/User/NotableEvents#How_urgency_is_assigned_to_notable_events If you set a severity of "high" but the notable event urgency shows "low" that does seem strange, however. I'm not sure what you mean by "On the Risk Analysis dashboard, it shows the searches as "adhoc unknown"." Does the correlation search also add risk to an object (system or user) when the correlation search finds a match? Or are you clicking the risk score from a notable event on incident review and opening the risk analysis dashboard? ... View more

The version of ES that you're using isn't compatible with the version of Enterprise that you have installed (http://docs.splunk.com/Documentation/ES/4.0.1/Install/DeploymentPlanning#Splunk_Enterprise_system_requirements) but that may or may not be the cause of this issue. Are you creating the correlation search on the content management page within Enterprise Security? There are quite a few correlation searches that come with Enterprise Security that are stored in DA-ESS-* apps (such as DA-ESS-EndpointProtection) so that is not the issue. ... View more

Yes, it's certainly cumbersome to create a lookup from scratch. Depending on the data, you could use a STIX or OpenIOC editor to convert to one of those types. This process will also get easier in the future 🙂 ... View more

Absolutely true! If you're editing a CSV file and then uploading it to Splunk, Enterprise Security also has a workflow to support that. http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists#Add_threat_data_manually covers the "edit-in-place" lookup method that I mentioned earlier. http://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists#Adding_a_custom_source covers adding a lookup file to ES, for example, a CSV file. The lookup editor app, however, also does this and is a great option for people without Enterprise Security! ... View more

If you do have Splunk Enterprise Security, this app's functionality is duplicated in ES with local lookup files. Configure > Lists and Lookups and any of the lookup files named "Local * Intel", e.g., "Local File Intel" are available to edit using this editor. ... View more