Splunk Enterprise Security

Discussions

Thread Info

How to set up Splunk_SA_CIM- error keeps popping up?

I am currently trying to set up the Splunk_SA_CIM application but it displays "An error occurred fetching assets. Ple...

by Explorer in

Enabled Correlation Search not running?

I have enabled several correlation searches in ES. Those search run normally and return result as expected if I searc...

by Loves-to-Learn Lots in

Azure: Is there a way Splunk, by default, extracts the fields from nested JSON logs?

Hi All, Is there a way Splunk by default to extracts the fields from nested JSON logs? Right now Splunk is parsing...

by New Member in

SplunkES -Data Enrichment - Asset and Identity Management- How does the content update work?

The changes of the data source are not immediately reflected and some old information remains for several minutes. ...

by Explorer in

How can I add Spamhaus Datasets for Splunk?

hello sir How i add spamhaus dataset in splunk ,??? any guide or process?? please help i already ...

by Observer in

How to convert String to Integer search?

Hi team, I have "file_size" in my extracted fields and the values are 1.56 KB,5.03 MB, 1.06 B. and those values a...

by Path Finder in

What is the Splunk pricing annually for dealing 10 GB data per day?

I want to know the splunk cost annually for dealing 10 GB data per day

by New Member in

Collect command does not work for a certain source in an index?

As mentioned in the title above, collect command is not able to add an event to a source of an index. The collect com...

by Engager in

Splunk jobs not completing- Why are they running at over 100%, some as high as over 150%?

Hey everyone! Has anyone ever experienced jobs running over 100%, sometimes as high as 150%/160% and not completin...

by Observer in

How do I delete reports created by Splunk Enterprise Security?

Hello, I wanted to ask if there was a way I can delete reports created by Enterprise Security? There are reports c...

by Explorer in

Splunk ES Drill-Down- How do I receive 2 separate notable alerts?

I created the following correlation alerts in ES with Notable Index=fw (dest_ip=1.2.3.4 OR dest_ip=1.2.3.5) The...

by Loves-to-Learn in

More Enterprise Security Correlation Search Variable Substitution for Contributing Events- Is there documentation?

As in previous posts I am talking about using variables or tokens in the Contributing Events part of enterprise secur...

by Explorer in

Is there a drill down search variable substitution?

Hi I have two questions here 1.In the drill down search i have given dest=$dest$ and it is not working and wh...

by Path Finder in

How to know the correlation search query and time range conditions for two of these use cases?

Please let me know the correlation search query and time range conditions for two of these usecases. I have windows p...

by Engager in

How to make Splunk ES override urgency changes?

Hi all, I have a correlation search that passes alerts from another system into ES and I need to prevent the urgen...

by Path Finder in

Why are risk objects not being normalized against assets and identities?

I'm using RBA and am having issues with duplicate notables for the same thing. For example, I'll get a notable for bo...

by Loves-to-Learn Lots in

Why am I not getting the correct percentage difference?

HelloKindly assist me in this query/solution.I have a long list of IPs that logged in. Out of this list, I want to kn...

by Path Finder in

Risk based alerting - Contributing Risk Events Drilldown not working?

Hi, I have problems with the drilldown button in the "Risk Event Timeline" view for an Risk Notable. When expan...

by Explorer in

Search for failed logins: Why is the search creating false positive alerts?

Hello, I have created a search for failed logins for win,linux and network devices from authentication datamodel b...

by Engager in

Enterprise Security Threat Intelligence - Lookup population?

Hi,I'm starting with ES Threat Intelligence and am wondering, how threat intel data is populated to the KV stores use...

by Motivator in

Is there a way to query ES investigations for artifacts?

Is there a way to query ES investigations for artifacts? For example, suppose that I have a current notable with a h...

by Communicator in

Unable to find sourcetype="ms365:defender:incident:alerts"?

Unable to find sourcetype="ms365:defender:incident:alerts"can u pls help

by Explorer in

Comparing IP Addresses after using the Join Command?

Hi Team, I am trying to compare IP addresses but I am unable to find any logic that can do so with the below query...

by Explorer in

Fields Not Showing After I Add Them in The Incident Review Settings Page?

Hi All, I want to display some additional fields and I have added them by following the below method: Configure...

by Explorer in

How to join information into one table?

Hi peeps,I want to join below information result in one table: 1st queryindex=sslvpn| iplocation src_ip| search Co...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to set up Splunk_SA_CIM- error keeps popping up?

Enabled Correlation Search not running?

Azure: Is there a way Splunk, by default, extracts the fields from nested JSON logs?

SplunkES -Data Enrichment - Asset and Identity Management- How does the content update work?

How can I add Spamhaus Datasets for Splunk?

How to convert String to Integer search?

What is the Splunk pricing annually for dealing 10 GB data per day?

Collect command does not work for a certain source in an index?

Splunk jobs not completing- Why are they running at over 100%, some as high as over 150%?

How do I delete reports created by Splunk Enterprise Security?

Splunk ES Drill-Down- How do I receive 2 separate notable alerts?

More Enterprise Security Correlation Search Variable Substitution for Contributing Events- Is there documentation?

Is there a drill down search variable substitution?

How to know the correlation search query and time range conditions for two of these use cases?

How to make Splunk ES override urgency changes?

Why are risk objects not being normalized against assets and identities?

Why am I not getting the correct percentage difference?

Risk based alerting - Contributing Risk Events Drilldown not working?

Search for failed logins: Why is the search creating false positive alerts?

Enterprise Security Threat Intelligence - Lookup population?

Is there a way to query ES investigations for artifacts?

Unable to find sourcetype="ms365:defender:incident:alerts"?

Comparing IP Addresses after using the Join Command?

Fields Not Showing After I Add Them in The Incident Review Settings Page?

How to join information into one table?

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...