cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
EssKay
Engager
Member since: ‎12-06-2022
‎03-31-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎12-06-2022
View All

Why is assets_by_cidr.csv lookup file empty?

by in Security
‎03-20-2024 04:34 PM
‎03-20-2024 04:34 PM
As I was going through the Asset and Identity Management manual, I couldn't see anything related to how to enrich the two lookup files assets_by_cidr.csv and assets_by_str.csv. For some reason (I couldn't figure out why), the assets_by_str.csv is filled with data and is populating data when running any search. However, nothing is getting fetched to assets_by_cidr.csv, I'm not sure if this is supposed to be filled automatically? and I can't find any configuration that associates where these two CSVs are taking the data from...    I can only see that they're coming from the app SA-IdentityManagement, can someone please help in troubleshooting this? Where are these two lookup table expected to get the data from and how? Lastly, to give more context, the final purpose it to fulfill the request of data enrichment for this specific use case Detect Large Outbound ICMP Packets... ... View more
Labels

How can I automatically and evenly assign notables...

by in Splunk Enterprise Security
‎11-27-2023 11:58 PM
‎11-27-2023 11:58 PM
Hi, I'm trying to setup a way to automatically assign notables to the analysts, and evenly. The "default owner" in the notable adaptive response wouldn't help as it will keep on assigning the same rule to the same person. Is there a way to shuffle the assignees automatically? ... View more

What are the differences between action.correlatio...

by in Splunk Enterprise Security
‎08-17-2023 08:41 AM
‎08-17-2023 08:41 AM
Hi,   I got confused when running the following search to identify what are the enabled searches in the environment :  | rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain | table csearch_name, csearch_label, app, security_domain, description Because I got a complete different result when I added: disabled=0   Apparently, there are correlation searches with action.correlationsearch.enabled=1 and disabled=1 at the same time... what does that mean? I found the searches disabled from the content management, so why is the action.correlationsearch.enabled equals to 1? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-31-2024 09:52 AM
Karma given to
View All