Hello Splunkers! I have built my own correlation search: From which I am generating a notable. In that notable I want to pass some fields using the $   I saw this trick of passing the fields like $this$ in some other pre-configured correlation searches in Enterprise Security, but in my own correlation search it does not work for some reason:    Can someone please tell me how can I make it work? Let me know if you want me to share some other configurations that I did, that might be relevant to this issue. Thanks for taking your time reading and replying to my post ❤️ ... View more

Hello Splunkers! I am collecting logs from Fudo PAM for which I haven't found any suitable existing add-on on the Splunk Base website. The logs are being collected over syslog, yet the regular "syslog" sourcetype doesn't suit the events coming from my source. I was searching the web for some tutorials on how to create your own add-on in Splunk in order to parse the unusual logs like in my case, but I haven't found any.  Could someone please help me with that? Does anyone have any tutorial or guide on how to create your own parser, or can maybe explain what is needed for that, in case it's not a difficult task? If someone decides to provide answer themselves, by explaining how to create your own add-on, I would really appreciate detailed description that will involve such notes as: required skills, difficulty, how long it will take, and whether it's the best practice in such situations or there are more efficient ways. Again, the main goal for me is to get my logs from Fudo PAM (coming over syslog) parsed properly.  Thank you for taking your time reading my post and replying to it ❤️ ... View more

Hello Splunkers! In the Security Posture by default there are no filters that would allow us to adjust the time, meaning, we see the summary about notable events over the last 24 hours. I want to change that, I have added a time picker that I would like to bind to one dashboard in the security posture - "Key indicators" so that I can see for example the summary of notable events over the last 12 hours or 7 days. Can someone please explain what needs to be done on time picker or dashboard in order to achieve this, or maybe is there an easier way to do this?  Thanks for taking your time reading and replying to my post ❤️ ... View more

Hello, Splunkers! I am learning Splunk ES and trying to understand how urgency value is assigned for notables generated from the correlation searches. I went over this article: How urgency is assigned to notable events in Splunk Enterprise Security - Splunk Documentation  . So, if severity is assigned in the settings of the correlation search, where do we assign the priority to assets? Can someone please explain or provide a documentation page of how this process (assigning priority) is done exactly? Specifically, I would really appreciate if someone could share, where should this be configured, whether on Enterprise Security itself, or elsewhere, is it done through GUI, or it requires manually editing some config files.    Also, a bit stupid question, but, can we also assign priority to identities, for example to indicate higher priority for admin accounts rather than usual accounts.    Thank you for taking your time reading and replying to my post ❤️ ... View more

Hello, Splunkers! I hope there are some SOC analysts around who are using Splunk Enterprise and Splunk ES in their work. I've been learning Splunk for the past month and I have worked with Splunk ES a bit and tried configuring some correlation searches with automated notable generation along with email notification alerts. I now have to present some cases in my test lab, where I have an attacker who performs some malicious activity that triggers some of the correlation searches that I have configured, and then I need to demonstrate the full investigation process from SOC analyst's POV.  The problem is, I have almost 0 knowledge of how SOC operates and if they were to use Splunk Enterprise and Enterprise Security app, what would they do exactly? Would they just go over all the new notables and look at the drill-down searches trying to understand what notables are related to other notables? Would they try to correlate the events by time? Would they only work around Splunk ES, or would they also go to the dashboards and search for some data there?  I would appreciate it if someone could explain how SOC works with Splunk ES in case of some simple, uncomplicated attacks, that trigger 2-3 correlation searches max.   Also small question, since I have the email notifications configured, who is usually the one receiving the email notifications about triggered correlation searches, is it a SOC director, or analyst, or someone else? Please let me know if more information is required, I would love to provide as many details as needed, as long as I get the best answer that would help me. Thanks in advance for taking the time to read and reply to my post! ... View more

Hello splunkers! I have a simple question regarding Splunk data models and regular searches, I have found some answers, but I would like to dig deeper.  What's the advantage of using the data models? Like, why would we want to use the data models instead of regular searches where we just label the indexes in which we want to search for the data?  I know so far that the data models allow searching through multiple sources (network devices and workstations) by having the standardized fields. I also know about the data accelaration, that we can use tstats in our searches on accelerated data models in order to speed up the searches. Is there a particular scenario where we must use data models and not using them will not work? (I am using Enterprise Security as well, so if there is any scenario that involves this app, it is most welcome) I would really appreciate a well-detailed answer. Thank you for taking time reading and replying to my post ❤️ ... View more