Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Splunk Enterprise Security: How to correlate IOCs within a lookup file with web traffic captured by Splunk?

Hi, I have a lookup file tracking IOCs from multiple sources. I'm looking for a way to take this list and ideally ...

by Explorer in

Splunk Enterprise Security: No new malware showing up in Malware center

No new malware showing up in Malware center. We had no malware from last two weeks, any idea, i'm very new to Splunk

by Path Finder in

Splunk Enterprise Security: Why won't a workflow action open in a new search from the Incident Review page?

I have made a workflow action item that looks up details on an IP address when there is a threat hit. This works when...

by Explorer in

Splunk Enterprise Security: Can I hold all the events which matched my correlation search?

can i hold all the events which matched the correlation search in Splunk Enterprise Security, before it gets indexed ...

by Engager in

Is it possible to add a custom pipe-line?

Hi there, I would like to add a custom pipeline before indexer pipe-line? Does Splunk provide the feasibility? ...

by Engager in

Can i get all the related events when an notable as been created ?

I have configured "Correlation Search" and I would like to grab all the related events for that notable (by skipping ...

by Engager in

Linux Auditd: How to get this app working with Splunk Enterprise Security?

I have been trying to configure the Linux Auditd app to get it 100% functioning. Some of the panes are working and so...

by Explorer in

Why does Incident Review fail to load after upgrading the Splunk App for Enterprise Security to version 3.3.1?

After upgrading my ES installation to version 3.3.1, the Incident Review page fails to load. The Firefox console show...

by Champion in

Splunk Enterprise Security: How can I get Incident Review to refresh itself automatically?

I have Splunk Enterprise Security and I want Incident Review to refresh itself automatically. What is the best way to...

by Champion in

Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

i want to see an event in incident review on admin activity, how to create a correlation search for, give me advice g...

by Path Finder in

Splunk Enterprise Security: How to change the default time range inside the app?

I know how to change the default time range in the search head but it only applies to the Search & Reporting app. Doe...

by Path Finder in

How to present my search results as a table of selected fields?

So, I am not clear whether this has been asked before, but I'll ask it directly. I want to present the results of ...

by Explorer in

What methods are you using to do your Splunk Enterprise Security Incident Review Suppression?

We have a lot of indicators in our Splunk Incident Review queue, and I am having a challenging time with Splunk Enter...

by Explorer in

Splunk Enterprise Security: Why is the Notable Event Suppressions page showing only 30 out of over 300 Suppressions?

Hi there, Just noticed that the Notable Event Suppressions page in Splunk Enterprise Security (Configure --> Incid...

by Path Finder in

Splunk Enterprise Security: How to pass a token with double quotes to a correlation drilldown search?

Assuming I defined a correlation search in Splunk Enterprise Security as the following: index="_internal" sour...

by Communicator in

Splunk Enterprise Security: Why are correlations searches being saved as saved searches for some app contexts that start with "DA-ESS-"?

I tried to create a correlation search by selecting application context as "DA-ESS-AccessProtection", and I am gettin...

by Explorer in

Splunk Enterprise Security: Do I need to upgrade my ES search head to 6.4.4?

Hi, Question... in the Splunk Enterprise Security (ES) 4.5.1 Installation and Upgrade Manual it reads: *Splunk...

by Contributor in

Splunk Add-on for Microsoft Active Directory: Is this add-on compliant with Common Information Model (CIM)?

Splunkbase says Splunk Add-on for Microsoft Active Directory is complaint with CIM VERSIONS 4.0, 3.0 ( https://splunk...

by Contributor in

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

I developed a search that is supposed to alert when a USB and executable is activated in order to see any malicious f...

by New Member in

Splunk Enterprise Security: Why is Workflow Action redirecting to the wrong app?

While I wait our new license I thought I'd ask here... I have a workflow action to look up an IP via a search stri...

by Path Finder in

How to export Incident Review Table to CSV?

How can I export Incident Review table to CSV format? Or, I was wondering if SPL to generate equivalent table is avai...

by Path Finder in

Splunk Enterprise Security: How to write a search to create a time chart or a table with notable event times by hour?

Does anyone have a search to create either a timechart or a table with the notable event times by hour? I want to cre...

by Explorer in

Splunk Enterprise Security: After upgrading from Splunk 6.3.3 to 6.5.0, why are these threat lists failing to download?

After moving to Splunk 6.5 from Splunk 6.3.3, the following threat intelligence sources fail to download. Splunk ES w...

by Path Finder in

Splunk Enterprise Security - Incident Review dashboard returning "Unknown"

Hello, I've been running into an issue where a custom correlation search alert is not returning substitution varia...

by Engager in

What are my options for loading external data to Splunk lookups if I cannot have access to the server

Lets say that I periodically get threat data in the forum of reports that contain URLs and IP addresses. I parse thes...

by Builder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Enterprise Security: How to correlate IOCs within a lookup file with web traffic captured by Splunk?

Splunk Enterprise Security: No new malware showing up in Malware center

Splunk Enterprise Security: Why won't a workflow action open in a new search from the Incident Review page?

Splunk Enterprise Security: Can I hold all the events which matched my correlation search?

Is it possible to add a custom pipe-line?

Can i get all the related events when an notable as been created ?

Linux Auditd: How to get this app working with Splunk Enterprise Security?

Why does Incident Review fail to load after upgrading the Splunk App for Enterprise Security to version 3.3.1?

Splunk Enterprise Security: How can I get Incident Review to refresh itself automatically?

Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Splunk Enterprise Security: How to change the default time range inside the app?

How to present my search results as a table of selected fields?

What methods are you using to do your Splunk Enterprise Security Incident Review Suppression?

Splunk Enterprise Security: Why is the Notable Event Suppressions page showing only 30 out of over 300 Suppressions?

Splunk Enterprise Security: How to pass a token with double quotes to a correlation drilldown search?

Splunk Enterprise Security: Why are correlations searches being saved as saved searches for some app contexts that start with "DA-ESS-"?

Splunk Enterprise Security: Do I need to upgrade my ES search head to 6.4.4?

Splunk Add-on for Microsoft Active Directory: Is this add-on compliant with Common Information Model (CIM)?

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

Splunk Enterprise Security: Why is Workflow Action redirecting to the wrong app?

How to export Incident Review Table to CSV?

Splunk Enterprise Security: How to write a search to create a time chart or a table with notable event times by hour?

Splunk Enterprise Security: After upgrading from Splunk 6.3.3 to 6.5.0, why are these threat lists failing to download?

Splunk Enterprise Security - Incident Review dashboard returning "Unknown"

What are my options for loading external data to Splunk lookups if I cannot have access to the server

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services

Free Training Online Classes

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...