Dear all,
Could you help me resolve an issue I cannot address myself?
I installed the Add-on for Microsoft Windows and did everything according to the instructions. Now Splunk is receiving logs from 1 Windows computer; I can see them in the data summary. The next step was installing the eventid.net app to consolidate and visualize the received logs. However, when I installed and configured it according to the instructions, eventid.net did not show any logs on its dashboards.
I have no idea where I should look to find out why eventid does not work. Please, could you help me troubleshoot this problem? I am ready to provide any screenshots of my configuration.
These are some details of my configuration.
I configured the inputs.conf located in /opt/splunk/etc/apps/Splunk_TA_windows/local with the following settings:
[WinEventLog://Security]  
disabled = 0  
start_from = oldest  
current_only = 0  
evt_resolve_ad_obj = 1  
checkpointInterval = 5  
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"  
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"  
index = wineventlog  
renderXml=false 
I also copied this configuration to the deployment server (/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local). The configuration is successfully transmitted to the computer with the Universal Forwarder (I checked the configuration of the UF).
However, when I look at the event logs in "Search and Report", I see that the logs are coming in with index = "main" instead of "wineventlog", as I specified in inputs.conf:
selected fields:  
host = ComputerNAME  
index = main  
source = XmlWinEventLog:Security  
sourcetype = XmlWinEventLog 
I do not understand why the event logs are coming in with index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"  
Thank you. 
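As an added example (my own code, not the poster's and not anything shipped with Splunk), this script merges the inputs.conf layers a forwarder would see the way Splunk's precedence rules do, so you can tell which file an effective setting such as index actually comes from. The precedence order and the app-name tie-break are assumptions taken from the Splunk docs as I recall them, the default/ file is a constructed stand-in, and `splunk btool inputs list "WinEventLog://Security" --debug` on the forwarder itself is the authoritative check.

```python
import configparser
import re

STANZA = "WinEventLog://Security"

# Global-context precedence, lowest to highest: etc/system/default,
# etc/apps/*/default, etc/apps/*/local, etc/system/local. Between apps at the
# same level the ASCII-first app directory name wins (assumption from my reading
# of the Splunk docs; verify with `splunk btool inputs list ... --debug`).
_LEVEL = {("system", "default"): 0, ("apps", "default"): 1,
          ("apps", "local"): 2, ("system", "local"): 3}

def _rank(path):
    """Sort key: lower rank = lower precedence = applied earlier."""
    m = re.search(r"etc/(system|apps)/(?:([^/]+)/)?(default|local)/inputs\.conf$", path)
    kind, app, layer = m.groups()
    # Negated code points make ASCII-first app names sort last, i.e. applied last.
    return (_LEVEL[(kind, layer)], tuple(-ord(c) for c in (app or "")))

def parse_inputs_conf(text):
    cp = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk setting names are case-sensitive (renderXml)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_stanza(files, stanza=STANZA):
    """files: {path: text}. Returns (merged settings, which file set each key)."""
    merged, origin = {}, {}
    for path in sorted(files, key=_rank):            # lowest precedence first ...
        for key, val in parse_inputs_conf(files[path]).get(stanza, {}).items():
            merged[key], origin[key] = val, path      # ... so higher layers overwrite
    # No index in any layer: the forwarder sends to its default index, normally main.
    merged.setdefault("index", "main")
    origin.setdefault("index", "<no layer sets index>")
    return merged, origin

# Constructed sample: a stand-in for the TA's shipped default file plus an
# abridged copy of the stanza from the post. Dropping the local/ entry shows
# what the forwarder does if that file never arrived from the deployment server.
FORWARDER_FILES = {
    "etc/apps/Splunk_TA_windows/default/inputs.conf":
        "[WinEventLog://Security]\ndisabled = 1\nrenderXml = true\n",
    "etc/apps/Splunk_TA_windows/local/inputs.conf":
        "[WinEventLog://Security]\ndisabled = 0\nindex = wineventlog\nrenderXml=false\n",
}

if __name__ == "__main__":
    for label, files in (("all files", FORWARDER_FILES), ("local/ missing", {p: t for p, t in FORWARDER_FILES.items() if "/local/" not in p})):
        merged, origin = effective_stanza(files)
        print(f"{label}: index={merged['index']} ({origin['index']}), renderXml={merged['renderXml']}")
```

If no layer on the forwarder sets index and renderXml is true, the result is exactly index=main with source XmlWinEventLog:Security, which matches the search results shown above; running the same merge (or btool) on the forwarder's real files tells you which file wins.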