×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
venkatasri
SplunkTrust
Member since: ‎02-12-2019
a week ago
Community Statistics
Posts 619
Solutions 120
Karma Given 4
Karma Received 191
Member Since ‎02-12-2019
Activity Feed
Topics I've Started
View All

Maximizing the Value of Splunk ES 8.x

by SplunkTrust in Community Blog
a week ago
1 Karma
a week ago
1 Karma
Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal role in modern security operations. Since the release of version 8, ES has delivered a revitalized user interface through Mission Control and introduced powerful automation capabilities via integration with Splunk SOAR. The latest general availability release is ES 8.1, further strengthens its offerings for organizations seeking robust, adaptive security solutions across ever expanding IT environments being it in on-prem/cloud, Networks, and IoT ecosystems. Maximizing the value of Splunk ES is fundamentally about an organisation’s ability to strategically configure and leverage the extensive frameworks and capabilities it provides in today’s dynamic security environment Assets & Identities framework Threat Intelligence framework Data Model Acceleration (DMA) ESCU (Enterprise Security Content Update) Risk Based Alerting Along with these essential pillars, Splunk ES 8.x introduces a suite of features designed to empower blue teams: Mission Control with Analyst Queue : Brand new UI experience which streamlines investigation workflows, fosters collaboration, and provides a unified analyst experience to respond faster and more effectively. Detection versioning: Facilitates auditability and continuous improvement of detection logic, Flexibility to turn on individual versions and diff with previous version of detection logic. Response plans: Predefined tasks for investigations or findings, ensuring consistent pre-guided triage when linked to a Detection. Find them in ES App → Security Content Menu. Run SOAR Playbooks and actions straight from Finding/Investigation: ES 8.1 version onwards SOAR can be directly paired, It enables seamless automated actions empower security teams to launch investigations and remediation actions on the fly, shrinking the window of exposure. Let's dive into essential pillars, Assets & Identities framework: The Assets & Identities framework delivers a unified approach to collect, extract and store organisational assets such as endpoints, network devices, and IoT devices, by offering a configurable approach of sources like CMDB, LDAP , and Active Directory (Refer Extract asset and identity data in Splunk Enterprise Security | Splunk Docs) . Similarly, Identities aka user accounts who is having access to these systems and devices. This framework adds vital context to findings by enriching observable detected during investigations, such as IP addresses, hostnames, and user accounts. An observable represents any entity under monitoring whether it is flagged as malicious or benign enabling security teams to swiftly assess risk and respond with clarity and precision. Threat Intelligence framework: The constant changes in cyber threats mean you need the latest intelligence. Adding known threat feeds into ES helps organizations spot new attacks, recognize patterns, and prepare defences before problems get worse. This framework lets you download both open-source and paid feeds (see https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/threat-intelligence/available-premium-intelligence-sources-for-splunk-enterprise-security#d1c1a9089c1954409be651f24ad0f23e2__Available_premium_intelligence_sources_for_Splunk_Enterprise_Security) in a way that can be set up for your needs. A feed might include suspicious domains, IP addresses, or file hashes. It also comes with built-in threat matching rules and extra information. The framework stores collected feeds in a KV store and writes matching events to threat_activity index, which then builds into the Threat Intelligence data model for further use (see https://help.splunk.com/en/splunk-enterprise-security-8/rest-api-reference/8.0/threat-intelligence-endpoints/threat-intelligence-api-reference#ariaid-title5).   Data Model Acceleration (DMA): Organizations face challenges with increasingly large volumes of raw data, making analysis time-consuming and resource intensive. Data models in ES are inherited from Splunk Enterprise product and have been adapted for ES use. DMA allows security teams to quickly analyse large datasets and apply consistent use cases. CIM normalization (see Use the CIM to normalize data at search time | Splunk Docs) prepares data for acceleration; many Splunkbase technology add-ons offer CIM compliance, though manual setup is also possible. Splunk ES utilises various data models, including Risk Analysis, Threat Intelligence, Authentication, Change, Endpoint, Alerts, Network Sessions, Network Traffic, and Malware etc. Data model configurations are found in the Splunk_SA_CIM app. You have a choice to use pre-built data models or optionally define custom Data models for unique data sets. ESCU (Enterprise Security Content Update): The ESCU provides an ideal starting point for organizations new to Splunk ES, offering a robust library of use cases complete with recommended data sources, detection's and SOAR playbooks. These out-of-the-box detection's can be deployed directly or tailored to fit unique operational needs. If data is already accelerated through DMA, deploying ESCU detection's becomes a straightforward process. In addition, the Splunk Security Research team continuously refreshes the ESCU library with new use cases and detection's, helping environments remain current and resilient against the latest threats. Risk Based Alerting: Risk-Based Alerting is a detection engineering methodology designed to handle low-fidelity findings, labelled as "Intermediate Findings" in ES 8.x. Risk scores can be attributed to users, systems, device or custom-defined entities, and a Finding based Detection monitors cumulative risk over time, generating incidents when threshold meet which is typically set at 100 are met. This approach reduces alert fatigue for Security Operations Center (SOC) while ensuring that relevant, potentially significant events are still surfaced. (See https://www.splunk.com/en_us/pdfs/gated/ebooks/the-splunk-guide-to-risk-based-alerting.pdf) "Splunk ES 8.x empowers organizations with adaptive, Intuitive features and best practices to meet evolving security challenges. By leveraging its frameworks and automation, teams can strengthen their defences and respond to threats with greater speed ." ... View more
Labels

Re: Get Schooled with Splunk Education: Explore Ou...

by SplunkTrust in Training & Certification Blog
‎03-18-2025 06:23 PM
‎03-18-2025 06:23 PM
Hi @cskokos_splunk Great to find new ES 8.0 content in EDU, would you be able to confirm - Introduction to Detection Engineering with Splunk is going to be on ES 8.0 or older version? Similarly for SOC Essentials: Introduction to Threat Hunting which version of ES is explained here?   ... View more

Re: Phantom health alert notification

by SplunkTrust in Splunk SOAR
‎04-21-2024 02:07 PM
‎04-21-2024 02:07 PM
Hi @harishlnu  One of the ways is using Rest API - /rest/health of SOAR - status field contains all the daemons health information and additional info on resource utilization. https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth To monitor I would run an external script or if you are using Splunk Enterprise - by using | restsoar command you can call the above Rest API and create an alert.  You should install official  https://splunkbase.splunk.com/app/6361 Splunk App for SOAR to use  | restsoar command. -------- Srikanth Yarlagadda   ... View more

Re: Incident Review -> History page is empty

by SplunkTrust in Splunk Enterprise
‎12-04-2023 05:59 PM
‎12-04-2023 05:59 PM
Hi @VK18 , If the notable is new and not being worked on by analysts/concerned team then you would find empty results. Check for notable that has been changed from New to other status such as 'In progress' or closed. You should be able to find the history. ----- Srikanth Yarlagadda     ... View more

Re: Cron Scheduling

by SplunkTrust in All Apps and Add-ons
‎07-03-2023 07:19 PM
1 Karma
‎07-03-2023 07:19 PM
1 Karma
Hi @Devi13 perhaps you could try with trigger condition inside a search as a workaround? As @ITWhisperer  said, cron is not a possible and you have to schedule it for first 5 business days. Inside search you could put couple of conditions to check the week of the day is either Saturday/Sunday (Depends on in your Locale) and another check is if the day in holiday list using this add-on (specific to your country, location ) - https://splunkbase.splunk.com/app/4853. Final Trigger condition:   if it is not a weekend and not a holiday then let the report run and do the necessary action. Having said that though cron is scheduled to run every day in first 5 days of month the trigger condition check will only let report fire the action on business day. Hope this helps! ---------------------------- Srikanth Yarlagadda. ... View more

Re: How to configure heavy forwarder to extract mu...

by SplunkTrust in Getting Data In
‎07-03-2023 03:59 PM
‎07-03-2023 03:59 PM
Hi @prashant5847 , Splunk is good at auto extracting the JSON event if it is well formatted. Did you search it on Search head and saw the fields not being extracted correctly? Choose search mode - Smart/Verbose. If you still can not find it, you don't need to extract it on Heavy forwarder. Search head will do the extractions for you. Either you could use spath command - Example  <your search return json event> | spath  - This is inline search. Or update source type settings (props.conf) on search head to include following config- [<sourcetype-name-of-json-events>] AUTO_KV_JSON = true KV_MODE = json Hope this helps! ------------------------------ Srikanth Yarlagadda. ... View more

Re: [WinEventLog://Security] logs to Splunk

by SplunkTrust in Getting Data In
‎07-02-2023 09:42 PM
‎07-02-2023 09:42 PM
Hi @Murali  If you can't find Type/ OS in Windows Security Event logs that are ingested to Splunk, that is likely due to the source windows machines do not have such information exist in event logs. You could talk to Windows Administrator to include the desired details on Windows machine that you wanted for Splunk to collect and ingest. Hope this helps!  ------------------------- Srikanth Yarlagadda. ... View more

Re: Crowdstrike to deprecate some v1 API Endpoints...

by SplunkTrust in All Apps and Add-ons
‎05-21-2023 11:34 PM
‎05-21-2023 11:34 PM
Hi @CS_  By looking at the Crowdstrike OAuth API code - https://github.com/splunk-soar-connectors/crowdstrikeoauth/blob/next/crowdstrikeoauthapi_consts.py CROWDSTRIKE_GET_DEVICE_DETAILS_ENDPOINT = "/devices/entities/devices/v2" Latest 4.0.0 version is updated to v2 API from v1 that you mentioned in original post.    ... View more

Re: Announcing Our Splunk MVPs

by SplunkTrust in Community Blog
‎03-04-2023 02:04 AM
4 Karma
‎03-04-2023 02:04 AM
4 Karma
Congratulations to everyone! It's great to be part of a team of like-minded individuals through the MVP program. ... View more

Re: State of Splunk Careers 2022: Positive Career ...

by SplunkTrust in Community Blog
‎11-13-2022 08:08 PM
‎11-13-2022 08:08 PM
@sensitive-thug  It would be nice to have results break-down by Major countries where Splunk having decent foot print in the region. Overall report is pretty neat, as the Career paths and Jobs market is different by region/country individual numbers gives more confidence in candidates willing to switch or make Splunk as their primary skill. ... View more

Re: Fresh Splunk Content on Your Product Adoption ...

by SplunkTrust in Product News & Announcements
‎10-18-2022 03:23 PM
‎10-18-2022 03:23 PM
https://experience.splunk.com   is redirecting to splunk.com and a sub module link is working ok.  For example - https://experience.splunk.com/security is fine, Good to land on home page to see what this site offers. ... View more

Re: What date format does splunk HTTP Event Collec...

by SplunkTrust in Getting Data In
‎09-19-2022 10:38 PM
‎09-19-2022 10:38 PM
Hi @mark-jones  https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/FormateventsforHTTPEventCollector#Event_metadata You could take a look at this link and there are examples deep links to follow inside. -- Hope it helps! ... View more

Re: Need help with regex to read all the value in ...

by SplunkTrust in Splunk Search
‎09-19-2022 09:55 PM
‎09-19-2022 09:55 PM
@fajri1203  Try search-time approach, UF is a universal forwarder not applicable for your case. I wonder Add-on Microsoft Cloud Services don't have the extraction by default.  You have to configure props.conf, and transforms.conf on search-head (SH) under $SPLUNK_HOME/etc/<app_name>/local OR  $SPLUNK_HOME/etc/system/local. If you are having SH cluster and using SH deployer you must know how to bundle push or contact your splunk admin.  In standalone splunk SH the restart is required post changes. [mscs:storage:blob] REPORT-extract-csv-fields = extract-csv-fields [extract-csv-fields] DELIMS="," FIELDS = "pluginid","alertRef","alert","name","riskcode","confidence","riskdesc","confidencedesc","desc","instances","count","solution","otherinfo","reference","cweid","wascid","sourceid" ... View more

Re: Is it possible to extract a field across multi...

by SplunkTrust in Splunk Enterprise
‎09-19-2022 07:47 PM
‎09-19-2022 07:47 PM
@gordenkem  you need to elaborate a bit more, extractions can be done both at index and search-time. the extractions are set at spec level with combination of props & transforms (optional in some cases). the spec you could set is source, host, sourcetype... if you have them common across the said index, sourcetype yes it is otherwise you have to clone the config. https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Propsconf#GLOBAL_SETTINGS - Read <spec> For example - I have index= a , index = b they both having a sourcetype = web:logs, if you set extraction to [web:logs] that applies to both indexes. if both indexes having common sources [source::/log/webserver/logs/web.log], then setting extraction at source level apply to both indexes... you have to me mindful about source, sourcetype and host combo while setting. As long as the data follow same structure that should be fine otherwise you will end-up seeing inconsistent values in extracted fields. ... View more

Need help with regex to read all the value in all ...

by SplunkTrust in Splunk Search
‎09-19-2022 07:39 PM
‎09-19-2022 07:39 PM
Hi @fajri1203  You don't need a regex you could do it two ways if .csv is being forwarded from UF then set inside props.conf [sourcetypename] INDEXED_EXTRACTIONS = csv At search-time, on search-head you shall do following https://www.splunk.com/en_us/blog/tips-and-tricks/quick-n-dirty-delimited-data-sourcetypes-and-you.html?301=/blog/2013/03/11/quick-n-dirty-delimited-data-sourcetypes-and-you.html&_gl=1*1q6w3af*_ga*NDMxNjgzMDU4LjE2Mjc2MDY0MDg.*_gid*NDUyOTcwODc3LjE2NjM1NDI5NDI.&_ga=2.10800753.452970877.1663542942-431683058.1627606408&locale=en_us ... View more

Re: How to send Windows log to Splunk?

by SplunkTrust in Splunk Search
‎08-10-2022 09:58 PM
‎08-10-2022 09:58 PM
@rockzers you might need to install this add-on and enable required inputs, follow the instructions - https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows --- Srikanth Yarlagadda ... View more

Re: AWS Splunk Usescases- What are AWS sourcetype ...

by SplunkTrust in Splunk Enterprise Security
‎08-10-2022 09:55 PM
‎08-10-2022 09:55 PM
@cybersej  Another great place to find AWS use cases - https://research.splunk.com/ , search AWS you will find already curated security detection details!   --- Srikanth Yarlagadda   ... View more

Re: AWS Splunk Usescases- What are AWS sourcetype ...

by SplunkTrust in Splunk Enterprise Security
‎08-10-2022 06:46 PM
‎08-10-2022 06:46 PM
@cybersej  Perhaps you could start with this list to get an understanding! - https://docs.splunk.com/Documentation/AddOns/released/AWS/DataTypes If you are not going to use AWS add-on for ingestion of logs the will be different. -- Srikanth Yarlagadda ... View more

Re: What is the process of moving locally installe...

by SplunkTrust in Deployment Architecture
‎08-10-2022 06:38 PM
1 Karma
‎08-10-2022 06:38 PM
1 Karma
@jason0  - https://community.splunk.com/t5/Deployment-Architecture/Using-Deployment-Server-as-Search-Head-Deployer/m-p/345844  You can certainly do it, SH requires deploymentclient.conf file pointing to (deployment server)DS.  I never tested after the first-time deployment of apps  from DS --> SH, the subsequent changes to the apps done locally by user will stay on SH.. however if you push the same app once again from  DS might get override the app on SH which might remove the local changes. Where as with SH deployer they get merged with local changes! ... View more

Re: User accounts not listed- Why is index not vie...

by SplunkTrust in Security
‎08-10-2022 06:28 PM
‎08-10-2022 06:28 PM
Hi @HathMH  May be something related to grantableRoles option if you have changed default role!. https://community.splunk.com/t5/Security/Admin-can-t-see-users-with-a-certain-role-and-we-can-t-take-out/m-p/399779 ---   ... View more

Re: Splunk ID

by SplunkTrust in Training + Certification Discussions
‎08-10-2022 06:21 PM
‎08-10-2022 06:21 PM
@euddy  - https://www.splunk.com/pdfs/training/Exam-Registration-Tutorial.pdf the process is explained here. ... View more

Re: OCI logging

by SplunkTrust in Getting Data In
‎07-07-2022 05:37 AM
‎07-07-2022 05:37 AM
Hi @VijaySrrie  You shall elaborate it for better understanding.  What is the source? What do you want to achieve? What is OCI? ... View more

Re: HF unable to forward events

by SplunkTrust in Installation
‎04-19-2022 10:44 PM
‎04-19-2022 10:44 PM
Did you check forwarders are active? There must be at least one active forwarder (aka indexer from HF).   ./splunk list forward-server    restarting should clear the queues temporarily they may get blocked again if indexers are busy receiving data. https://wiki.splunk.com/Community:TroubleshootingBlockedQueues Make sure your forwarders are monitoring correctly and connected to HF.  (HF must be under active forwarder list when you execute same command on UF) ... View more

Re: Field Does Not Exist in Tstats

by SplunkTrust in Splunk Search
‎04-05-2022 08:22 PM
1 Karma
‎04-05-2022 08:22 PM
1 Karma
tstats only for indexed fields. rex is a search-time. Refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configureindex-timefieldextraction after successful creation you can use the field in tstats. -- Hope it helps! ... View more

Re: Parsing not working as expected

by SplunkTrust in Splunk Search
‎04-05-2022 08:16 PM
1 Karma
‎04-05-2022 08:16 PM
1 Karma
Your TIME_PREFIX = ^ that means starting of the event, what you have highlighted is not being considered as _time for that reason. When you set TIME_PREFIX alone, starting of the event is 4/5/2022 9:02 PM assuming line_breaking is fine. you should look at TIME_FORMAT and set the TIME_PREFIX correctly for the timestamp you want to consider for _time. The screenshot and events pasted looks completely different. ... View more
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma from
Karma given to
View All