Splunk Enterprise Security

Discussions

Thread Info

JSON to CIM mapping

Hi All, We have a scripted input, which indexes JSON data into Splunk and using SPATH we have writing our correlat...

by Explorer in

Splunk Web scripts and Splunk enterprise Scripts

Can someone help me understand the difference between Splunk Web and Splunk enterprise? and the Python scripts that i...

by Observer in

how to get syslog data from prisma-cloud to splunk??

in My cloud different tools are there like jira,servicenow and there i can send alert notification to that tools ...

by Explorer in

Help with a query

Hi All I have this query index=checkpoint sourcetype=opsec:anti_virus OR sourcetype=opsec:anti_malware Prote...

by Explorer in

Change Time Format of ldapsearch attribute AccountExpired

Hi all, I have been trying to make a search where i can monitor the expired user accounts. So far i have this ...

by Communicator in

addon page not found

after installing nagios addon on splunk web showing page not found is there anyone who can help on this???

by Path Finder in

Problem with a query

Hi Need you help please with a query; "| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attack...

by Explorer in

How to avoid mixng values of assets by 'entitymerge' command in ES

Hi Splunkers , any advice how to avoid mixng values in assets by entitymerge command? I have 5 fileds marked as Mu...

by Contributor in

REST API to Modify ES Correlation Search

Hello, I am trying to use Splunk's REST API in order to change portions of existing correlation searches created wi...

by Explorer in

Where can I find the TAXII data?

We enabled the TAXII feed and we see under Threat Intelligence Audit that the TAXII feed polling was starting. Where ...

by Motivator in

How to find source and sourcetype of notable

Hi Folks, I want find all source and sourcetype for enable notables in Splunk ES. Please advise. Regards, D

by Engager in

Splunk Common Information Model (CIM): How to distinguish between login and logout events in the Authentication data model?

Can someone tell me what in the Authentication data model distinguishes between login and logout? http://docs.splunk....

by Builder in

HowTo deploy a set of correlation search within new app to different Splunk ES

Hello everyone, i have a set of correlation search (about 250) to deploy in different Splunk ES. Instead of writi...

by Engager in

Using custom content with MITRE ATT&CK Framework

I have custom content that I've created in SSE and mapped to various parts of the MITRE Framework. The problem is SSE...

by Loves-to-Learn in

API AWS query question

Hi This is my API AWS query: "search index=aws userIdentity.type=Root eventName=ConsoleLogin earliest=-10d | rex...

by Explorer in

How can I verify (using splunk internal logs) that port 8089 is indeed with SSL and the TLS version used?

My question is, how can I prove that the Splunk server.conf enableSplunkdSSL is indeed working and with the sslVersio...

by Path Finder in

Incident rewiew does not show events.

Good day, I have noticed that the incident review shows no events, for about a day. The indexers were reviewed by m...

by Engager in

Splunk entreprise security status "Pending..."

Has anyone presented this problem?

by Builder in

Asset and identity management merge prio into lookup

Hi there, The situation is as follows. We've a scheduled search running which is doing LDAP query on Active direct...

by Explorer in

Percentage of Indexes’ logs in 24 hours.

Can someone help me to identify Percentage of Indexes’ logs in 24 hours.? I have pulled using count like this :inde...

by Path Finder in

Jobs with warning message Splunk ES

This warning message indicates that even though it has errors, it is still running or is definitely not working? As...

by Builder in

Customize Notable Status Order in Dropdown

Hi everyone, I have a request from our security team to reorder our notable event statuses in the dropdown. We h...

by Communicator in

Cookie login - Secure set to true and httponly

Hello, Do you know how I can put HttpOnly and Secure to true in cookie login? Security team request It to me. ...

by Explorer in

ES Correlation Search index configuration

Hello friends, We have Splunk ES and we stored our data in different indexes (OS logs, Network logs, ...) I have ...

by Path Finder in

SPLUNK ES Notable Event Closure

When closing a notable event in SPLUNK Enterprise Security, there are typically the following fields available Sta...

by SplunkTrust in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

JSON to CIM mapping

Splunk Web scripts and Splunk enterprise Scripts

how to get syslog data from prisma-cloud to splunk??

Help with a query

Change Time Format of ldapsearch attribute AccountExpired

addon page not found

Problem with a query

How to avoid mixng values of assets by 'entitymerge' command in ES

REST API to Modify ES Correlation Search

Where can I find the TAXII data?

How to find source and sourcetype of notable

Splunk Common Information Model (CIM): How to distinguish between login and logout events in the Authentication data model?

HowTo deploy a set of correlation search within new app to different Splunk ES

Using custom content with MITRE ATT&CK Framework

API AWS query question

How can I verify (using splunk internal logs) that port 8089 is indeed with SSL and the TLS version used?

Incident rewiew does not show events.

Splunk entreprise security status "Pending..."

Asset and identity management merge prio into lookup

Percentage of Indexes’ logs in 24 hours.

Jobs with warning message Splunk ES

Customize Notable Status Order in Dropdown

Cookie login - Secure set to true and httponly

ES Correlation Search index configuration

SPLUNK ES Notable Event Closure

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

How do I test/check to see if my new "local" ES Th...

Free Training Online Classes

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...