Splunk Enterprise Security

Discussions

Thread Info

Splunk Query related

I've written below query, index=* sourcetype=* EventCode=* | rex field=_raw "((Process Command Line:\t)(?(.+)*))" ...

by New Member in

Splunk Enterprise Security: How to set a custom risk score based on stats results?

I would like to set a custom risk score based on the number of failed authentication attempts by a user. I created th...

by Explorer in

stix Threat Intelligence Upload

Splunkers, Once a stix formatted IOC file has been successfully uploaded via Splunk Enterprise Security "Upload Th...

by New Member in

How do I change bar chart color based on value?

I've tried: <option name="charting.fieldColors">{"Blocks_Blocked":0x006400, "Allowed_block":0xCCCC00, "Allowed":0...

by New Member in

Splunk App for Enterprise Security: How does Identity Management work?

Hello everyone, I was tasked with changing over our Identity management information in splunk since we switched ve...

by Explorer in

ES Tuning Question

Hello All, I am working on tuning the Network-Unroutable Host Activity -Rule search and we are trying to exclude o...

by Contributor in

Installing on a Clustered Splunk Enterprise

This application provides a ".spl" to install, which is perfect for "single server splunk". Since we run a cluster...

by Explorer in

Calculate Percentage of Packets

So i have a splunk query that returns the below output IP Packets 1.1.1.1 100 1.1.1.2 200 400 200 1.1.1.3 100 100 ...

by New Member in

Splunk Query

Hi, After Extracting a field using regex. I now need to compare whether that particular field contains any command...

by Explorer in

Setting up Demisto in Splunk?

I'm hosting both Demisto and Splunk ES (Both free edition) on the same network. I have added the API key for Splunk i...

by New Member in

Adaptive Response Variables

Hello, I utilize Adaptive Response quite a bit for automatically creating incident tickets and dumping all of the ...

by Path Finder in

Enterprise Security: Why can’t we see the bunit field, that should be part of the Asset and Identity framework?

We got the message that the bunit field belongs to the Asset and Identity framework and therefore should appear in th...

by Motivator in

How can I setup alerts when there are any additions on an Active Directory Group and when local administrative accounts are created?

Alert when - Additions to critical Active Directory groups such as Domain Admins, Enterprise Admins, Key Management G...

by New Member in

Help with a search to check recent activity and set alert

Hi, I would like to make sure I got this correct and I cant seem to find the answer anywhere. I added the whole sear...

by Engager in

SAP hybris integration

Hello experts,i am in the process of integrating SAP hybris with splunk for monitoring. If someone has done this inte...

by Explorer in

ES License Question

Hi! In our company we have Splunk "Enterprise Term License - No Enforcement (6.5)" and we have ES in this license. In...

by Engager in

Heavy Forwarder Configuration Query

Hi All, I have inherited Splunk Enterprise in my company which includes 3 Indexers, 2 Search Head and each Deploym...

by Path Finder in

Phantom: "Run Playbook in Phantom" Servers not being listed as Options

In Splunk ES, under the alert actions for saved searches, there are 2 options for sending alerts to Phantom. Send...

by Path Finder in

IP Reputation App - Everything has visitor_id = 1

All of my searches are returning visitor_type =1 for all domains that I run ipreputation on. An example is 125.7.1...

by Path Finder in

update asset list contents

I have an asset list. the owner changed for several assets. Now I just want to change the owner name against specific...

by Path Finder in

How do I remove IOCs from a KV store?

When we first got Splunk ES, one of my colleagues decided to try adding in IOCs from the Mandiant APT1 report. These ...

by Engager in

How to extract a field with a NULL/blank value

I am working with winevent logs for failed logons (Event 4625) and I have a log that has null/blank values for Accoun...

by New Member in

Need a suggestion in buying recorded future for my organization

Hello, We are planning to buy recorded future for my organization to integrate with splunk ES. We have small I...

by Communicator in

Splunk App for Enterprise Security ERROR

I have licences for splunk enterprise security. So I tried to upload Splunk App for Enterprise Security but I get err...

by Engager in

Splunk Enterprise Security / OpsGenie integration issue

Hello, I’d like to know if anyone was able to integrate OpsGenie with the last versions of Splunk (7.2.X) and/or l...

by Communicator in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Splunk Query related

Splunk Enterprise Security: How to set a custom risk score based on stats results?

stix Threat Intelligence Upload

How do I change bar chart color based on value?

Splunk App for Enterprise Security: How does Identity Management work?

ES Tuning Question

Installing on a Clustered Splunk Enterprise

Calculate Percentage of Packets

Splunk Query

Setting up Demisto in Splunk?

Adaptive Response Variables

Enterprise Security: Why can’t we see the bunit field, that should be part of the Asset and Identity framework?

How can I setup alerts when there are any additions on an Active Directory Group and when local administrative accounts are created?

Help with a search to check recent activity and set alert

SAP hybris integration

ES License Question

Heavy Forwarder Configuration Query

Phantom: "Run Playbook in Phantom" Servers not being listed as Options

IP Reputation App - Everything has visitor_id = 1

update asset list contents

How do I remove IOCs from a KV store?

How to extract a field with a NULL/blank value

Need a suggestion in buying recorded future for my organization

Splunk App for Enterprise Security ERROR

Splunk Enterprise Security / OpsGenie integration issue

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability

ES Notable Security Domain Issue

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...