Hello Splunk team, I have two doubts please help me with details, 1. We are using Splunk cloud platform for Enterprise security. Is there any way to know the time span of buckets for how many days we have configured. For example Hot - 90 days Warm- 90 days like this data how to get to know from Splunk GUI, I have used "| dbinspect" in search query but I am unable to get the timing for how many days we have kept Hot, warm etc.,  2. While using a search query we can see the time range "All Time", so here what does it actually mean. Is this mean from when we have configured Splunk or from when logs got ingested or else only the Hot & Warm buckets database data. Thanks in advance for letting me know the details. ... View more

Hi All, Our Client has sell off some part of it to another company, Here I am using "CL"  as our client "ZX" as new company who bought this. "CL" was worried about, as part of migration "ZX" will use Quest ODM for migrating M365 data  (Email, OneDrive, SharePoint and Teams) from "CL" tenant to the "ZX" tenant. A cloud only Service Accounts, CL-ZX-QuestODM, will be created to support the ODM migration. Permissions for this service account will be limited to specific mailboxes, OneDrive, SharePoint and Teams sites that are associated with "ZX". The expectation is that "ZX" will only be copying data associated with "ZX" that has been approved by "CL". This account should not be used to upload any data to the "CL" Does anyone have any recommendations for a use cases or controls related to this Service Account? For example: if be it copying "CL" data, uploading any data or accessing other M365 Services (i.e. security portals, etc.) could it trigger an alert?   Thanks in advance. Your answer will be pretty much helpful for me. ... View more

Hello Team,                           We are using Enterprise security in our environment and we have created correlation searches to trigger an alerts. Out of those there is one particular use case which is related to Process injection, We are receiving maximum number of incidents on this due to one Here I am not giving the name of the exe file due to security concerns: I will be using it as ___.exe Shellcode Injection activity detected. Process "___e.exe" has injected itself into ___.exe, ***.exe, +++.exe, ^^^.exe like this we are receiving many incidents. I have some doubts on this: 1. What is this Process injection and why the process are getting injected to others? , 2. How could we stop this to getting injected to others in Splunk  (Or from Endgame), 3. We want to fine tune this use case, Is there any alternative to suppress these alerts from Endgame, 4. We have whitelisted some of these alerts with Source process path and Target process path, But still ___.exe still it getting triggered with new target paths. Its always injecting into some other targets. Can anyone please explain in clear cut, I am a rookie in cyber security. Not exactly getting many things. But out of those this is one which is hunting me. Thanking you in advance.  ... View more

I have some doubts regarding the migration procedure of splunk cloud platform to Victoria.  1. During migration, intermittent inaccessibility to search heads can occur. Does this mean we may have a reduction in our Mean Time To Detect (MTTD)?    2. How long is the maintenance window expected to be? This will help us determine the impact of the expected degradation over the course of the maintenance window. 3. Do we expect any impacts on the apps for the client 4. Is there any pre testing available for this upgrade.? 5.Is there any sort of back out plan?   please help me with these questions, I’m trying hard to get these Answers from docs but not getting any solutions. ... View more

Hi Team,                     We are reviewing the use cases in our Splunk Enterprise security, We have given Throttling as 1 day for a use case, but want to check how many alerts are being suppressed by Throttling action. Is there any search query or any way how to check that.?                     Is there anyway that we can show the proof that throttling is working fine.?                     Thanks in advance for your help. ... View more