We are trying to integrate the risk analysis framework in our incident response process. We have developed a library of correlation searches where the results produce multiple objects upon which we need to assign risk, e.g. src, dest, users. When we and the "| sendalert risk" components to the correlation searches, notable events no longer generate and risk scores are NOT applied. When we run the searches as ad-hoc, the risk scores are properly assigned and the results appear as expected. Can "| sendalert" not appear in a correlation search? The Risk Analysis Adaptive response action is not sufficient, as we can not dynamically set the risk tolerance, nor set risk against multiple objects with that action. e.g: | eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5 ... View more

We have set the appropriate role and permissions on SA-ThreatInigence (write access) to enable ess_admin users to create suppressions. However, we keep getting this error: "Failed to save suppression: Unexpected error "" from python handler: "[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes". See splunkd.log for more details." We do see the attempt to access in the splunkd_access data. Full Enterprise Admins can perform the suppression, but no ESS Admins. Is there a comprehensive list of permissions required? Do setting app permissions require a restart of splunk? ... View more

I am trying to find a good tutorial (yes, I have looked at the splunk documents) on writing a custom generating command which will take a single input, leverage the input to collect data (over an API call perhaps) and then write the output as events to an index. I can't seem to find good boiler-plate examples in the SDK, while they do provide templates. Are there any tutorials out there? ... View more

I have installed extra visualization (e.g. Sankey). The visualization option is available in the search app and the sankey app, but Enterprise Security is not aware of the extra visualizations. Any ideas? When editing the XML of dashboard manually, I get the error " No matching visualization found for type: sankey_diagram, in app: sankey_diagram_app" ... View more

I've installed a custom JDBC driver on Splunk DB connect version 2.1.3. This connection requires a custom self-signed certificate for SSL connections. I've installed this cert to the java certificate store using the java installcert command and validated this cert is in the keystore. However, when I test the connection I receive the error: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) Does DB connect have access to the Java certificate store? Is there a way to point DB Connect 2.1.3 java certificate store? Thanks! ... View more

We've installed an app that initially does not install as a "global" permission. We'd like to make its resources (e.g. custom commands, lookup tables) available to other apps, especially in the context of Splunk Enterprise Security correlation searches. We've set the app to global with global read permissions as well as all its objects. The commands and lookups are still not available in other apps. We've attempted to restart the relevant search head. Any ideas on where to look for troubleshooting? ... View more

I am trying to download JSON Arrays where one of the data elements contains are large volume of HTML encoded data. In around 50% of the cases (for the larger records), the JSON Array Handler does write the whole record. Any ideas? are there limits set in the JSON Array Handler that can be fixed? Also tried increasing limits on the SPATH extractor, but it appears the whole records is not being written. ... View more