Does it have to be a line chart? Would the audit dashboards show similar results?  https://docs.splunk.com/Documentation/ES/6.4.1/User/Audit#Incident_Review_Audit https://docs.splunk.com/Documentation/ES/6.4.1/User/Audit#Investigation_Overview  ... View more

I don't know the answer for sure, but do you need to include the data set? For example: Endpoint.Ports, Endpoint.Processes, Endpoint.Services, or Endpoint.Filesystem? https://docs.splunk.com/Documentation/CIM/4.18.0/User/Endpoint#Search_Example ... View more

Hi, Is this the part you're doing?  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Verifyassetandidentitydata  Based on these?  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Addassetandidentitydata#Use_LDAP_to_register_data_in_Asset_and_Identity_Manager   ... View more

Let me know if this helps: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables ... View more

It probably depends on which version of the ES Content Updates app you have installed. I have 3.9.1. I see ColdRoot MacOS RAT Analytic Story & Malware Use Case for Alerts. I don't see any for Certificates.  ... View more

In the Use Case Library... you can filter on the data model to see if there's a matching analytic story or use case: https://<splunk:port>/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_use_case_library   the filters are Framework Mapping, Data Model, App, In Use, Bookmarked Docs:  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Usecasecontentlibrary ... View more

Here are some other tips for troubleshooting notable events:  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables ... View more

You could use the Use Case Library to see which data sources and source types map to certain types of use cases, based on what you want to do:  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Usecasecontentlibrary#Determine_which_Analytic_Stories_to_configure ... View more

As of ES 6.2, almost all of the add-ons have been removed from the installer:  https://docs.splunk.com/Documentation/ES/6.2.0/RN/Enhancements  https://docs.splunk.com/Documentation/ES/6.2.0/RN/Enhancements#Add-ons  ... View more

Your syntax looks correct based on the docs:  https://docs.splunk.com/Documentation/Splunk/8.1.1/RESTTUT/RESTsearches#Example:_Create_a_search Are you using an on-prem instance or a  cloud instance? There might be some access requirements and limitations:  https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTandCloud  ... View more

Hi,  There's a new page in the docs about troubleshooting missing notable events in Splunk Enterprise Security. Maybe one of these tips will help:  https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Troubleshootnotables ... View more

Yes, you can do that. You can start an investigation & then you can manually create a notable event called "started an investigation" (or whatever you like):  https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Createnotablesmanually#Create_a_notable_event_from_scratch & you can see it in Incident Review & add it to your investigation.  ... View more

Update to my previous answer... If you're including the ES option, the numbers should match. Whatever volume your license is, use the same number for ES volume.  ... View more

You could use the investigation workbench. It's like ticket tracking & collaborating on investigations for assets, identities, or artifacts involved in a potential security incident: https://docs.splunk.com/Documentation/ES/6.4.0/User/InvestigationWorkbench ... View more

Hi! For this step?  > 2. Current License(s) - Core is required, future requirements will be accounted for later. I believe that only the Splunk Enterprise core license size is required & the other fields are optional. Splunk Enterprise Security doesn't have its own physical license, but it requires a Splunk Enterprise license or Splunk Cloud subscription. You just need more like an entitlement term associated with the account to download ES from Splunkbase (is what I last heard in August).   ... View more

Oh! Sorry, I thought I saw "merging" assets. My answer might not apply to your question 🙂  ... View more

Which version of ES are you using? If ~6.0 or higher, you could rank them:  https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Assetlookupconfiguration#Rank_the_order_for_merging_assets Any new asset list gets added to the bottom of the list by default. You can rank the order of this list to determine priority for merging assets. If an asset exists in multiple source files as a single value or exists multiple times in the same source file, this ranking is the weighted order for merging them.  ... View more

Which version of ES are you using? Is correlation enabled? Correlation is the part that enriches events with your asset and identity data at search time:  https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Correlationsetup ... View more

That's a good question. I could be wrong, but I don't think there's a way to do it from the Splunk Web UI. You should probably post that as a feature enhancement on https://ideas.splunk.com/.  ... View more

Hi! I'm late to the party with this answer, but yes, you can use Endpoint for that. The Endpoint doc has been updated with further details...  The Endpoint data model is for monitoring endpoint clients including, but not limited to, end-user machines, laptops, and bring your own devices (BYOD). If an event is about an endpoint process, service, file, port, and so on, then it relates to the Endpoint data model. For administrative and policy types of changes to infrastructure security devices, servers, and endpoint detection and response (EDR) systems, see Change.Endpoint in the Change data model. https://docs.splunk.com/Documentation/CIM/4.18.0/User/Endpoint ... View more

I agree with nickhillscpl & it's one of the options listed in the doc:  https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata ... View more