Activity Feed
- Posted Re: Splunk Enterprise Security slow performance on All Apps and Add-ons. 05-22-2024 09:00 PM
- Posted Splunk Enterprise Security slow performance on All Apps and Add-ons. 05-22-2024 05:31 AM
- Posted Re: Splunk Enterprise Security passing fields in notable settings on Getting Data In. 05-20-2024 11:42 PM
- Karma Re: Splunk add-on for Fudo PAM | How to parse logs from Fudo? for tej57. 05-20-2024 09:20 PM
- Posted Re: Splunk Enterprise Security passing fields in notable settings on Getting Data In. 05-20-2024 02:55 AM
- Posted Re: Splunk Enterprise Security passing fields in notable settings on Getting Data In. 05-20-2024 02:20 AM
- Karma Re: Splunk Enterprise Security passing fields in notable settings for gcusello. 05-20-2024 02:20 AM
- Posted Splunk Enterprise Security passing fields in notable settings on Getting Data In. 05-19-2024 10:28 PM
- Posted Re: How to create your own add-on? | How to parse unusual logs? on Getting Data In. 05-19-2024 02:41 AM
- Karma Re: How to create your own add-on? | How to parse unusual logs? for gcusello. 05-19-2024 02:40 AM
- Posted How to create your own add-on? | How to parse unusual logs? on Getting Data In. 05-19-2024 12:52 AM
- Posted Splunk add-on for Fudo PAM | How to parse logs from Fudo? on Getting Data In. 05-17-2024 03:34 AM
- Karma Re: Splunk Enterprise Security notables and investigations | SOC analysts work with Splunk ES for gcusello. 05-16-2024 11:24 PM
- Got Karma for Re: How to configure time picker for dashboard in Enterprise Security?. 05-16-2024 11:16 PM
- Posted Splunk Enterprise Security notables and investigations | SOC analysts work with Splunk ES on Getting Data In. 05-16-2024 10:07 PM
- Posted Re: How to configure time picker for dashboard in Enterprise Security? on Getting Data In. 05-16-2024 09:50 PM
- Karma Re: How to assign priority to an asset? Splunk ES for bowesmana. 05-15-2024 10:52 PM
- Karma Re: How does Splunk define and assign urgency in Splunk Enterprise Security? for koshyk. 05-15-2024 10:46 PM
- Got Karma for Re: How to configure time picker for dashboard in Enterprise Security?. 05-14-2024 06:59 PM
- Karma Re: How to configure time picker for dashboard in Enterprise Security? for Temuulen0303. 05-14-2024 05:25 AM
05-22-2024 11:35 PM
Hi @splunky_diamond, yes it's the latest! Open a case with Splunk Support; as I said, this is an old resolved bug. Ciao. Giuseppe
05-20-2024 11:49 PM
Hi @splunky_diamond, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉
05-20-2024 06:01 AM
1 Karma
Hello @splunky_diamond, I am unsure if there are any apps/TAs available for Fudo PAM data. The best would be to write magic 8 props for parsing the data. You can find the relevant documentation links below:
- https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkdoeswithyourdata
- https://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing
- https://docs.splunk.com/Documentation/Splunk/latest/Data/Createsourcetypes
- https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types
Thanks, Tejas.
---
If the above solution helps, an upvote is appreciated.
05-19-2024 03:00 AM
Hi @splunky_diamond, it's always a pleasure! Ciao. Giuseppe
05-16-2024 11:04 PM
2 Karma
Hi @splunky_diamond, there's one general answer to all your questions: it depends on your internal procedures (or playbooks); in other words, it depends on how you work. Answering your questions:
1) The take-in-charge action is usually the first action, so I always saw that investigations were started after a SOC analyst took in charge one or more Notables (often several Notables are taken in charge and associated to an investigation in a block).
2) Usually I saw that SOC Analysts change the status of their Notables by themselves.
3) As I said, it depends on your internal procedures; anyway, the closing is tracked.
Ciao. Giuseppe
05-16-2024 09:50 PM
1 Karma
Update: it actually did work! I just opened the dashboard in a search and the time picker is indeed applied.
05-12-2024 05:05 PM
1 Karma
See this: https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Formatassetoridentitylist
So your search will be:

index=my_asset_source ...
| eval priority="high"
| table nt_host priority ...
| outputlookup my_asset_definition.csv

You just need to fill in the gaps so you can collect the fields mentioned in the document. Set the priority as you want it to be, based on your business rules for how you want to assign priority.
05-11-2024 04:03 AM
1 Karma
Hi @splunky_diamond, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer (eventually your last) for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉
05-06-2024 02:32 AM
1 Karma
This is the document you might want to read to understand how Splunk reads the configs. Also @gcusello's remark about system/local vs. configured in app is valid.
05-05-2024 10:37 PM
Thank you so much for such a detailed addition @PickleRick!
05-05-2024 10:43 AM
1 Karma
@splunky_diamond you're welcome. Here are some more security tips to help you discover some more.
1. Many security people use this app to help them with their security use cases; I use it myself. So many good features; it can also make use case recommendations based on your data sources. https://splunkbase.splunk.com/app/3435
2. ESCU provides regular Security Content updates to help SOC analysts address ongoing time-sensitive threats, attack methods, and other security issues. https://splunkbase.splunk.com/app/3449
3. Here you will find many use cases for reference; a great place to baseline your security monitoring strategy. https://research.splunk.com/
05-01-2024 11:48 PM
3 Karma
1. In order to run DB Connect you need to run it on a Heavy Forwarder, as it contains many components that are prerequisites. Use the link below for more details: https://docs.splunk.com/Documentation/DBX/3.16.0/DeployDBX/HowSplunkDBConnectworks
2. In short, yes, Splunk has built-in functions to send data to different destinations using the UF. As a simple example, if you have Splunk on premise and Splunk in the cloud, you can send to both if desired. Parsing the data has performance gains if going via the HF: it will examine the data and transform it; there are many sub-parts to the pipeline process. In terms of fast mode: when you parse data before indexing, the extracted fields are available for use in searches regardless of whether you're using fast mode or not; fast mode is one of three modes and allows you to search for available data using different criteria. See the three links below for more details:
https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Routeandfilterdatad
https://docs.splunk.com/Documentation/Splunk/9.2.1/Deploy/Datapipeline
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Search/Changethesearchmode
3. If your data source can only send API data to Splunk, then this is a good option (it's basically agentless), called the HTTP Event Collector. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector
04-29-2024 09:20 PM
1 Karma
Thank you very much kprior201! The issue was that I was executing the search not within the ES app when I was testing it, but in the Search and Reporting app. I did not have some of the manually extracted fields in my ES app; once I added them, the correlation search worked well!
04-28-2024 06:42 AM
Hello @splunky_diamond, as stated by 2 folks, resource consumption depends on multiple factors. If you are planning to enable ~15 use cases in ES for learning purposes with an all-in-one test environment, 32 GB RAM, 32 vCPU, and 200 GB hard disk should be enough. Base configuration for ES is as below: https://docs.splunk.com/Documentation/ES/7.3.1/Install/DeploymentPlanning