Activity Feed
- Posted Issue with event_id Not Appearing When Sending Events from Splunk ES to SOAR on Splunk SOAR. 01-15-2025 04:58 AM
- Tagged Issue with event_id Not Appearing When Sending Events from Splunk ES to SOAR on Splunk SOAR. 01-15-2025 04:58 AM
- Karma Re: Assistance with Alerts Related to PowerShell Execution Policy in Splunk for General_Talos. 01-15-2025 04:30 AM
- Posted Assistance with Alerts Related to PowerShell Execution Policy in Splunk on Splunk Enterprise Security. 01-05-2025 04:42 AM
- Tagged Assistance with Alerts Related to PowerShell Execution Policy in Splunk on Splunk Enterprise Security. 01-05-2025 04:42 AM
Topics I've Started
01-15-2025 04:58 AM
Description: Hello, I am experiencing an issue with the "event_id" field when transferring notable events from Splunk Enterprise Security (ES) to Splunk SOAR.

Details: When sending the event to SOAR using an Adaptive Response Action (Send to SOAR), the event is sent successfully, but the "event_id" field does not appear in the data received in SOAR. Any assistance or guidance to resolve this issue would be greatly appreciated. Thank you.
- Tags:
- splunk ES
- Labels: using SOAR / Phantom
01-05-2025 04:42 AM
Hello everyone, I am facing an issue with the alerts triggered by the "Set Default PowerShell Execution Policy To Unrestricted or Bypass" (Correlation Search) rule in Splunk, as many alerts are being generated unexpectedly. After reviewing the details, I added the command `| stats count BY process_name` to analyze the data more precisely. After executing this, the result was 389 processes within 24 hours. However, it seems there might be false positives and I’m unable to determine if this alert is normal or if there’s a misconfiguration. I would appreciate any help in identifying whether these alerts are expected or if there is an issue with the configuration or the rule itself. Any assistance or advice would be greatly appreciated. Thank you in advance.
- Tags:
- splunk ES