Splunk Enterprise Security

Discussions

Thread Info

Different Search Results From Two Macros With Same Contents

Hello everyone. I'm looking for some assistance with a problem where I get differing search results from what should ...

by Explorer in

How to automatically assign a recent random notable to a specific user

Hello, I would like to assign random new "unassigned" notables to a specific user. I wanted to accomplish this vi...

by Path Finder in

Different results for same search on same search head for rest call or save search.

Hello there, I get different results when I run a rest call. For example I ran a rest command to bring all the dashbo...

by Explorer in

Threat Artifacts setting

Hello Splunkers, is there any way to change that red box name as a test?? Thank you in a...

by Path Finder in

check traffic -RDP connections

Helloany ideas how can i check rdp attempts or connections in Splunk? many thanks

by Explorer in

Merging identity lookups fails

Hi Splunkers, I have an issue merging two identity lookup files on ES. In particular, my first lookup file has rows...

by Explorer in

Splunk 8.0 ES

Hi all, I am having huge problem with ES on splunk v8.0 . I upgraded my instance and when i have tried to upgra...

by Contributor in

Export Splunk Enteprise Security and move app to another server

Hello everyone, I have read the documentation about exporting Splunk ES content as an app: https://docs.splunk.co...

by Communicator in

How can I run a search that shows the time notable events were created, were assigned and then closed in ES?

Hi, I am trying to figure out a way in which i can display the creation time of notable event, the time it was assi...

by Path Finder in

is there a way to find out when a correlation search was created in Splunk ES ?

I was able to find the date when the correlation search was last updated, but cant seem to find the original creation...

by Path Finder in

How do I create a list of indexes (internal & non-internal) used by users - am getting performance errors for admin role

I am getting performance errors on the ES reg. many indexes used by users, specially the admin role. Any SPLs or dire...

by Builder in

Enterprise Security - Mitre Metrics

When I configure a correlation search with an Annotation of MiTRE ATT&CK and create a notable, I don't see any eviden...

by Path Finder in

How do I find list of assets or servers "exceeding the field limits set in the asset & identity management page" Thx

On ES am getting warning messages the " two assets are exceeding the field limits set in the asset & identity managem...

by Builder in

ldap user not showing in owner list for assigning notable

ldap authentication method is configured and users are showing on user settings page, but sometimes users not showing...

by Loves-to-Learn Lots in

Enterprise Security Sandbox Not Available

Hi, I have been trying to deploy the Enterprise Security 7 days free trial Sandbox for days now without success...

by New Member in

Need help with steps for file monitoring on Windows server for Splunk use. I found the following link. Too generic. Thx

Have a few Windows server that I need to enable file monitoring on to be sending logs to Splunk Ent. server. I could ...

by Builder in

Error when polling TAXII feeds with Enterprise Security

I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. Splunk Enterpr...

by Builder in

Proofpoint ET or VirusTotal Adaptive Response action

Hello , Has anyone configured Proofpoint ET or VirusTotal Adaptive response action in ES ? Basically look up the des...

by Builder in

How to pass Multiple Values in a single token of drilldown

<query>index=index_test| dedup empID| eval tot = case (match('call.code' , "1") OR match('call.code' , "2") OR match(...

by Explorer in

Why shouldn't one copy or Synch Splunk Enterprise Reports to ES? It is not recommended why please? Thanks

I have read on Splunk.com that Ent. reports don't satisfy use cases the ones on the ES. And that they should not be c...

by Builder in

External Reverse DNS Lookup

I'm pretty new to Splunk and have currently been tasked to startup an App and am outfitting a dashboard for my team. ...

by New Member in

Is it possible, not to edit notable ownership once the notable already assigned to some other owner

Hi All, In Splunk, is it possible to keep restriction not to edit ownership once the notable already assigned to so...

by Loves-to-Learn Lots in

Notable Event Triggers but Related Query Fails to Run

Greetings Splunkers, I have recently started having triggered alerts from a couple of correlation searches that whe...

by Path Finder in

Is there a SPL to list the Reports that run on the Enterprise with errors / don't run due to the errors?

We have a ton or reports on the Splunk Ent. & I need to find if any are not finishing due to an error. Some reports a...

by Builder in

How do I Synchronizes Reports on the Splunk Enterprise with ES (Ent. security). Thx a million

I have a ton or reports on the Ent. & like to synch them with ES to save time recreating them. Which is better synchi...

by Builder in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Different Search Results From Two Macros With Same Contents

How to automatically assign a recent random notable to a specific user

Different results for same search on same search head for rest call or save search.

Threat Artifacts setting

check traffic -RDP connections

Merging identity lookups fails

Splunk 8.0 ES

Export Splunk Enteprise Security and move app to another server

How can I run a search that shows the time notable events were created, were assigned and then closed in ES?

is there a way to find out when a correlation search was created in Splunk ES ?

How do I create a list of indexes (internal & non-internal) used by users - am getting performance errors for admin role

Enterprise Security - Mitre Metrics

How do I find list of assets or servers "exceeding the field limits set in the asset & identity management page" Thx

ldap user not showing in owner list for assigning notable

Enterprise Security Sandbox Not Available

Need help with steps for file monitoring on Windows server for Splunk use. I found the following link. Too generic. Thx

Error when polling TAXII feeds with Enterprise Security

Proofpoint ET or VirusTotal Adaptive Response action

How to pass Multiple Values in a single token of drilldown

Why shouldn't one copy or Synch Splunk Enterprise Reports to ES? It is not recommended why please? Thanks

External Reverse DNS Lookup

Is it possible, not to edit notable ownership once the notable already assigned to some other owner

Notable Event Triggers but Related Query Fails to Run

Is there a SPL to list the Reports that run on the Enterprise with errors / don't run due to the errors?

How do I Synchronizes Reports on the Splunk Enterprise with ES (Ent. security). Thx a million

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

How do I test/check to see if my new "local" ES Th...

Free Training Online Classes

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...