Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

Splunk Enterprise Security: Why is the Notable Event Suppressions page showing only 30 out of over 300 Suppressions?

Hi there, Just noticed that the Notable Event Suppressions page in Splunk Enterprise Security (Configure --> Incid...

by Path Finder in

Splunk Enterprise Security: How to pass a token with double quotes to a correlation drilldown search?

Assuming I defined a correlation search in Splunk Enterprise Security as the following: index="_internal" sour...

by Communicator in

Splunk Enterprise Security: Why are correlations searches being saved as saved searches for some app contexts that start with "DA-ESS-"?

I tried to create a correlation search by selecting application context as "DA-ESS-AccessProtection", and I am gettin...

by Explorer in

Splunk Enterprise Security: Do I need to upgrade my ES search head to 6.4.4?

Hi, Question... in the Splunk Enterprise Security (ES) 4.5.1 Installation and Upgrade Manual it reads: *Splunk...

by Contributor in

Splunk Add-on for Microsoft Active Directory: Is this add-on compliant with Common Information Model (CIM)?

Splunkbase says Splunk Add-on for Microsoft Active Directory is complaint with CIM VERSIONS 4.0, 3.0 ( https://splunk...

by Contributor in

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

I developed a search that is supposed to alert when a USB and executable is activated in order to see any malicious f...

by New Member in

Splunk Enterprise Security: Why is Workflow Action redirecting to the wrong app?

While I wait our new license I thought I'd ask here... I have a workflow action to look up an IP via a search stri...

by Path Finder in

How to export Incident Review Table to CSV?

How can I export Incident Review table to CSV format? Or, I was wondering if SPL to generate equivalent table is avai...

by Path Finder in

Splunk Enterprise Security: How to write a search to create a time chart or a table with notable event times by hour?

Does anyone have a search to create either a timechart or a table with the notable event times by hour? I want to cre...

by Explorer in

Splunk Enterprise Security: After upgrading from Splunk 6.3.3 to 6.5.0, why are these threat lists failing to download?

After moving to Splunk 6.5 from Splunk 6.3.3, the following threat intelligence sources fail to download. Splunk ES w...

by Path Finder in

Splunk Enterprise Security - Incident Review dashboard returning "Unknown"

Hello, I've been running into an issue where a custom correlation search alert is not returning substitution varia...

by Engager in

What are my options for loading external data to Splunk lookups if I cannot have access to the server

Lets say that I periodically get threat data in the forum of reports that contain URLs and IP addresses. I parse thes...

by Builder in

Enterprise Security Indexer Sizing for High Capacity Deployment on high IOPS storage

On all documentations says, indexer planning should be done using 100 GB/day for Enterprise Security . According to t...

by SplunkTrust in

Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

In our Splunk Enterprise Security instance, I can't enable the default correlation searches that come with it. I'm...

by Communicator in

How to write a search to alert if our Splunk Enterprise Security search head goes down?

Hi , We are looking to create an alert if for any reason a search head went down. This is for our Splunk Enterpris...

by Path Finder in

How to set Urgency in a correlation search based on failure count?

The urgency in a correlation search is calculated by the corr. search severity + the asset/identity priority. Is ...

by Path Finder in

Search notable event with TAG value

Hi I assign a TAG to event_id (notable event) in the Incident Review. My question is, How to search all the no...

by Explorer in

Splunk App for Enterprise Security: Empty csv lookup file (contains only a header) for table ppf_threat_activity

New install of ES 3.3, the populating search appears not to have run... How can I jump start this lookup?

by Splunk Employee in

Splunk Enterprise Security: What do certain parts of my correlation search mean?

Hello everyone i've just looking into content management correlation searches' code and I couldn't understand some pa...

by Explorer in

How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

It looks like the seven iblocklist feeds included in Splunk Enterprise Security (ES) 4.5.0 are now subscription based...

by Contributor in

How can I track future Splunk version updates before they are released?

I want to be able to track future Splunk versions, such as the current version 6.5.1 before they are released. I am u...

by New Member in

Splunk App for ES Health Check: How to add and list multiple indexers?

I have the Splunk App for ES Health Check running. In the configuration, I have the dedicated ES (Enterprise Security...

by Explorer in

Why am I getting error "msg="A script exited abnormally" input="./bin/collector.path"" every hour?

Every hour I receive the error: msg="A script exited abnormally" input="./bin/collector.path" stanza="default" sta...

by Explorer in

Splunk Enterprise Security: https://s3.amazonaws.com/alexa-static/top-1m.csv.zip is no longer working. Is there a new source for this file?

https://s3.amazonaws.com/alexa-static/top-1m.csv.zip is hard coded into Splunk Enterprise Security SA-ThreatIntellige...

by Path Finder in

Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

In Splunk Enterprise Security (ES), we cannot save a correlation search as a user with ess_admin. This works if user ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Enterprise Security: Why is the Notable Event Suppressions page showing only 30 out of over 300 Suppressions?

Splunk Enterprise Security: How to pass a token with double quotes to a correlation drilldown search?

Splunk Enterprise Security: Why are correlations searches being saved as saved searches for some app contexts that start with "DA-ESS-"?

Splunk Enterprise Security: Do I need to upgrade my ES search head to 6.4.4?

Splunk Add-on for Microsoft Active Directory: Is this add-on compliant with Common Information Model (CIM)?

Splunk Enterprise Security: Why does the priority and severity of an alert change between the Incident Review and Risk Analysis dashboards?

Splunk Enterprise Security: Why is Workflow Action redirecting to the wrong app?

How to export Incident Review Table to CSV?

Splunk Enterprise Security: How to write a search to create a time chart or a table with notable event times by hour?

Splunk Enterprise Security: After upgrading from Splunk 6.3.3 to 6.5.0, why are these threat lists failing to download?

Splunk Enterprise Security - Incident Review dashboard returning "Unknown"

What are my options for loading external data to Splunk lookups if I cannot have access to the server

Enterprise Security Indexer Sizing for High Capacity Deployment on high IOPS storage

Splunk Enterprise Security: Why can't I enable the default correlation searches as an admin user?

How to write a search to alert if our Splunk Enterprise Security search head goes down?

How to set Urgency in a correlation search based on failure count?

Search notable event with TAG value

Splunk App for Enterprise Security: Empty csv lookup file (contains only a header) for table ppf_threat_activity

Splunk Enterprise Security: What do certain parts of my correlation search mean?

How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

How can I track future Splunk version updates before they are released?

Splunk App for ES Health Check: How to add and list multiple indexers?

Why am I getting error "msg="A script exited abnormally" input="./bin/collector.path"" every hour?

Splunk Enterprise Security: https://s3.amazonaws.com/alexa-static/top-1m.csv.zip is no longer working. Is there a new source for this file?

Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...