Activity Feed
- Posted Re: Splunk ES Incident Review Notable Events Don't Match Correlation Search on Splunk Enterprise Security. 08-11-2021 12:59 PM
- Posted Re: Grouping Notable Events from MLTK alerts on Splunk Enterprise Security. 08-06-2021 10:01 AM
- Posted Re: ES Identity: prevent merge for email field on Splunk Enterprise Security. 08-06-2021 09:56 AM
- Posted Re: How do I access a list of Saved searches for different apps. To change their timing in ES? Any helpful SPLs ? Thank on Splunk Enterprise Security. 07-27-2021 10:01 AM
- Got Karma for Re: How do I access a list of Saved searches for different apps. To change their timing in ES? Any helpful SPLs ? Thank. 07-26-2021 06:45 PM
- Posted Re: How do I access a list of Saved searches for different apps. To change their timing in ES? Any helpful SPLs ? Thank on Splunk Enterprise Security. 07-26-2021 05:38 PM
- Posted Re: Easy notables search - top owners and top alerts per owner on Splunk Enterprise Security. 07-12-2021 09:09 AM
- Posted Re: Has any great person here written a Back up / DR for Splunk ES? Any guidance is much appreciated. on Splunk Enterprise Security. 07-12-2021 09:02 AM
- Got Karma for Re: ES Notable events add a link on "next steps" form. 07-12-2021 01:32 AM
- Posted Re: ES Notable events add a link on "next steps" form on Splunk Enterprise Security. 07-09-2021 10:13 AM
- Posted Re: ES Notable events add a link on "next steps" form on Splunk Enterprise Security. 07-08-2021 09:10 AM
- Posted Re: Need your expert advice about Splunk Ent. & Enterprise Security (ES) Backups + Disaster Recover + HA advice plea on Splunk Enterprise Security. 07-02-2021 09:32 AM
- Posted Re: no latest update for ESCU on Splunk Enterprise Security. 06-17-2021 07:08 PM
- Posted Re: Risk Based alerting in SPLUNK ES on Splunk Enterprise Security. 06-15-2021 08:55 AM
- Posted Re: Why does latest version of ES CU app indicates exploring Analytical Stories through ES or Sec Essentials App ? on Splunk Enterprise Security. 06-02-2021 09:03 AM
- Posted Re: How do I backup the Splunk Enterprise Security app. What components needs to be backed up and how often? on Splunk Enterprise Security. 05-11-2021 10:33 AM
- Posted Re: Disable identitymerge in older enterprise security? on Splunk Enterprise Security. 03-25-2021 09:14 AM
- Posted Re: Disable identitymerge in older enterprise security? on Splunk Enterprise Security. 03-24-2021 06:21 PM
- Posted Re: Where do I find already built in Dashboards in Splunk Enterprise & ES on Splunk Enterprise Security. 03-17-2021 09:26 AM
- Posted Re: Please help me learn standard built in features of Splunk Enterprise Security App. (ES) on Splunk Enterprise Security. 03-16-2021 09:15 AM
08-11-2021
12:59 PM
There's some info about troubleshooting notables... https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Troubleshootnotables Let me know if it turns out to be something else.
08-06-2021
10:01 AM
It sounds like you could use sequence templates: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Sequencecorrelationsearches Let me know if that helps.
08-06-2021
09:56 AM
Sounds like you could use entity zones: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Entityzones (the example is asset, but it's also for identity) Or change the key to a different field: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Identitysettings#Add_or_edit_an_identity_field Let me know if that helps.
07-27-2021
10:01 AM
When you're in the Enterprise Security (ES) app, Configure is located in the ES menu bar as follows (I've circled it in orange):
07-26-2021
05:38 PM
1 Karma
In Enterprise Security, you can change the timing of the correlation searches in Content Management: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Configurecorrelationsearches#Change_correlation_search_scheduling There's also a filter by App, so that you can view only the searches related to the app you're interested in. Let me know if that helps.
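Added example (mine, not part of the reply above): the question asked for SPL to see the saved searches per app and their timing. This search reads the saved/searches REST endpoint and keeps only ES correlation searches, which are the saved searches flagged with action.correlationsearch.enabled=1. It assumes it is run on the ES search head; the app-name filter is illustrative and should be adjusted to the apps you care about.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local ```assumption: run on the ES search head; splunk_server=local avoids duplicate rows in a search head cluster```
| search action.correlationsearch.enabled=1 ```only ES correlation searches, not every saved search```
| rename eai:acl.app as app, action.correlationsearch.label as label
| search app="DA-ESS-*" OR app="SA-*" OR app="SplunkEnterpriseSecuritySuite" ```illustrative app filter; replace with the app(s) you want to review```
| table app, label, title, disabled, cron_schedule, dispatch.earliest_time, dispatch.latest_time, realtime_schedule, schedule_window
| sort app, title
```

The columns map onto what Content Management shows: cron_schedule is the cron expression, dispatch.earliest_time and dispatch.latest_time are the search window, and realtime_schedule distinguishes real-time scheduling (1, skips missed runs) from continuous scheduling (0, runs every missed window). This is read-only; as the reply says, make the scheduling changes themselves in Content Management rather than by editing savedsearches.conf by hand.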
07-12-2021
09:09 AM
Sounds like you could use the Incident Review Audit Dashboard: https://docs.splunk.com/Documentation/ES/6.6.0/User/Audit#Incident_Review_Audit or the Investigation Overview Dashboard: https://docs.splunk.com/Documentation/ES/6.6.0/User/Audit#Investigation_Overview Let me know if that helps.
07-12-2021
09:02 AM
For the ES portion of things, also consider this: https://docs.splunk.com/Documentation/ES/6.6.0/Install/InstallEnterpriseSecuritySHC#Back_up_and_restore_Splunk_Enterprise_Security_in_a_search_head_cluster_environment Let me know if that helps.
07-09-2021
10:13 AM
I don't think it would be a clickable link. It would probably be a copy/paste link.
07-08-2021
09:10 AM
1 Karma
The available response actions are the ones in the dropdown list for "insert adaptive response action." For example, if you want the next step to be ping a host, you can use text and the link to the action in the format mentioned:

Ping a host to determine if it is active on the network. If the host is active, increase the risk score by 100, otherwise, increase the risk score by 50. [[action|ping]]

https://docs.splunk.com/Documentation/ES/6.6.0/Tutorials/ResponseActionsCorrelationSearch#Part_5:_Choose_available_adaptive_response_actions_for_the_correlation_search Let me know if that helps.
07-02-2021
09:32 AM
Not specific to an AWS environment, but some things to think about for ES: https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Back_up_and_restore_Splunk_Enterprise_Security_in_a_search_head_cluster_environment https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Restore_incident_review_history_from_internal_audit_logs Let me know if that helps.
06-15-2021
08:55 AM
Yes, with correlation searches that use the Risk data model. Also, assuming that you want to use security framework annotations: https://docs.splunk.com/Documentation/ES/6.5.1/Admin/Configurecorrelationsearches#Use_security_framework_annotations_in_correlation_searches make sure to check out steps 3 & 4... in this release, the Notable and the Risk Analysis adaptive responses work a little differently:

3. (Conditional) If you are using the adaptive response action of Notable because you want to see annotations as field labels in Incident Review, and if you are editing a correlation search that does not use the Risk data model, then you need to append an eval statement for the annotations.mitre_attack field to the end of the correlation search, such as:

| from datamodel:"Identity_Management"."Expired_Identity_Activity" | stats max("_time") as "lastTime",latest("_raw") as "orig_raw",count by "expired_user" | rename "expired_user" as "user" | eval annotations.mitre_attack="T1027"

4. (Conditional) If you are using the adaptive response action of Risk Analysis because you want to see annotations as field labels in the Risk Analysis Dashboard, the annotations show up automatically. For more information about creating risk factors to adjust risk scores for risk objects, see Create risk factors in Splunk Enterprise Security.

Let me know if that helps.
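Added example (mine, not from the reply above or from the Splunk docs): a risk-based correlation search of the kind the reply refers to, one that reads the Risk data model instead of a raw data source. It sums risk_score per risk object and only fires when both the score and the number of distinct contributing risk rules cross a threshold, which is what keeps a single noisy rule from producing a notable on its own. The thresholds and the T1078 technique ID are illustrative; the trailing eval follows the pattern in the reply's step 3 and is only there so the annotation is carried onto a Notable, which is an assumption about how you have the response actions configured.

```spl
| from datamodel:"Risk"."All_Risk" ```Risk data model; the search window (e.g. last 24h) is set on the correlation search in Content Management, not here```
| search risk_object_type="user" ```illustrative: aggregate per user; use "system" for hosts```
| stats sum(risk_score) as risk_score, count as risk_event_count, dc(source) as source_count, values(source) as sources by risk_object, risk_object_type
| where risk_score >= 100 AND source_count >= 3 ```illustrative thresholds; requiring several distinct sources (risk rules) suppresses single-rule noise```
| eval annotations.mitre_attack="T1078" ```assumption: appended so a Notable from this search shows the annotation, following the reply's step 3 pattern; ID is illustrative```
```

When this search is saved in Content Management with the Notable and Risk Analysis response actions, the notable shows the aggregated score and the list of contributing rules in the sources field, so the analyst sees why the object crossed the threshold rather than a single event.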
06-02-2021
09:03 AM
ES Content Update app got a UI update and some parts have been removed, as mentioned in Release Notes: https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements https://docs.splunk.com/Documentation/ESSOC/3.22.0/RN/Enhancements If you already have Enterprise Security, then it's easiest to see them in the Use Case Library: https://docs.splunk.com/Documentation/ES/6.5.1/Admin/Usecasecontentlibrary If you don't already have Enterprise Security, then you can use Security Essentials as a first step in your security journey & see them in there.
05-11-2021
10:33 AM
Is it in a search head cluster environment? https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Back_up_and_restore_Splunk_Enterprise_Security_in_a_search_head_cluster_environment https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Restore_incident_review_history_from_internal_audit_logs

Also though, backing up the KV store is part of Enterprise: https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/BackupKVstore but should be done prior to upgrading ES: https://docs.splunk.com/Documentation/ES/6.5.1/Install/Upgradetonewerversion
03-25-2021
09:14 AM
Some new features come along in a later release that could help. But they're not available yet in 6.0: You can put the duplicates in different entity zones: https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Globalsettings#Enable_entity_zones_for_Assets_o... You can change the key to a different field for the merge: https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Assetsettings#Add_or_edit_an_asset_field
03-24-2021
06:21 PM
Hi! How old is the ES version? I'm going to say at least 6.0 because that's when merge behavior changed. In versions of ES earlier than 6.0, there was no context for how to resolve the overlapping key field values. The first host that matched in the collection was the only one you would see in your search results. But as of 6.0, they merge instead. Disable merge was introduced in 6.2.0. But I only know of this doc section to avoid merging prior to 6.2.0 (using a 6.1.0 doc example... starting below the tables that happen to mention 6.2 for disabling it): https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageassetsandidentititiesuponupgrade#Avoid_merged_assets_and_identities_data Let me know if that helps.
03-17-2021
09:26 AM
Let me know if this helps: https://docs.splunk.com/Documentation/ES/6.4.1/User/Domaindashboards
03-16-2021
09:15 AM
There are A LOT of things you can do with it. But for the very most common things, I would say look at the topics & objectives for ES in the Splunk Training & Certification course descriptions: https://www.splunk.com/en_us/training/courses/using-splunk-enterprise-security.html https://www.splunk.com/en_us/training/courses/administering-splunk-enterprise-security.html
03-09-2021
02:51 PM
Which version of ES are you using? It sounds like you could add a custom field and configure it as a tag: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Assetsettings#Add_or_edit_an_asset_field Let me know if that helps.
03-08-2021
09:03 AM
1 Karma
What's the end result that you want to achieve? I think there are different things you could do, but I'm not sure if they apply to your situation: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Manageinternallookups https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Entityzones Let me know if that helps.
03-01-2021
03:59 PM
1 Karma
Hi! If you mean "software" as a field name that might be associated with a data model, then no, that is not currently a field name associated with a data model: https://docs.splunk.com/Documentation/CIM/4.18.0/User/CIMfields
02-25-2021
01:55 PM
Are you referring to these notes? https://docs.splunk.com/Documentation/ES/6.4.1/User/Addtoaninvestigation#Add_a_note_to_an_investigation I don't think there's a way to search for content within the notes, but only to search for the name/title of the notes. That sounds like a good idea though. Perhaps submit it to https://ideas.splunk.com/
02-25-2021
01:51 PM
This isn't exactly the answer to the question that you've asked, but if you're using Enterprise Security, it sounds like you could possibly use entity zones to help specify your different domains: https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Entityzones Let me know if that helps.
02-25-2021
10:10 AM
Added this advice to https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables 🙂
02-25-2021
10:09 AM
Does this help? https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables