×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
davidem
Explorer
Member since: ‎08-26-2022
‎02-07-2023
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎08-26-2022
Activity Feed
View All

Re: Splunk Security Essentials - Mitre Map do not ...

by in Splunk Enterprise Security
‎12-22-2022 07:09 AM
‎12-22-2022 07:09 AM
I noticed that in the file "use_case.csv" ("| sseanalytics | lookup use_cases.csv....") the one from which the data for the mitre map is taken, the data does not match the data in the correlation search, and in particular the field "mitre_tactic_display" is "none". ... View more

Splunk Security Essentials - Mitre Map does not re...

by in Splunk Enterprise Security
‎12-22-2022 06:24 AM
‎12-22-2022 06:24 AM
Hi Splunkers, I have a problem with the "Splunk Security Essentials" application. Currently, I have 34 activated correlation searches that I would like to map on the Mitre Framework. Viewing the "sse_content_exported_lookup" file, the mitre information does not match the information reported in each correlation rule. Also, there are correlation searches in the "sse_content_exported_lookup" file that had the mitre but didn't appear in the Mitre Map. However, all 34 correlation searches show up in the bookmarks. Could you suggest a solution? is there any procedure I can follow to make sure that all active correlation searches appear in the mitre map?   Thank you. ... View more
Labels

Re: The Notable Generation doesn't produce the exp...

by in Splunk Enterprise Security
‎08-26-2022 07:14 AM
1 Karma
‎08-26-2022 07:14 AM
1 Karma
I changed the time range from (-6 , -5) to (-11 ,-10) and now the notable generation workes. There are some log sources with different delays. Thank you. ... View more

The Notable Generation doesn't produce the expecte...

by in Splunk Enterprise Security
‎08-26-2022 04:47 AM
‎08-26-2022 04:47 AM
Hi, I created a new Correlation Search that needs to generate notable, so in the "Adaptive Response Actions" I added the "Notable" with all information. Doing a manual search with the same time span as the correlation search, I've got the expected outputs. The problem is that the correlation search doesn't create the same number of notables. For example: in a range time of 4 hours, the correlation search has generated 4 notables, instead, doing the manual search I've got 28 events. Doing the search "index=_internal sourcetype=scheduler" in the same time range, I found the 28 events generated by the correlation search, of which, 24 with these parameters: result_count=0 alert_actions="" suppressed=0 status=success and 4 with these parameters: result_count=1 alert_actions="notable,risk" suppressed=0 status=success Why, if I do the manual search (the same as the correlation search) I've got 28 results, instead the correlation search generated only 4 notables?   Thank you ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-07-2023 09:46 AM
Karma from
View All