Splunk Enterprise Security

Ask a Question

Discussions

Thread Info

I would like to find out failed login attempts with Event Code (4625) here the condition is failed login attempts with in one hour and if the failed attempts less than that what ever the event code present in the index will be displayed.?

Hi All, I would like to find out failed login attempts with Event Code (4625) , here the condition is failed login...

by Engager in

How to get word on search and save on new column tables ?

Hello guys, I have a search, sourcetype=example "testword" OR "abcd" | table _time _raw If I run this qu...

by New Member in

Help with Splunk ES Investigations Collaborators

Hello, We are using Splunk Enterprise Security and I was just wondering if there is any way to add multiple collab...

by Engager in

streams and DNS over (HTTPS or TLS)...DoH/DoT

How will Splunk address encrypted DNS collection? It's weird you need to have karma points to post a link, look up...

by Explorer in

Detecting Port Scan (nmap)

I did a test port scan using nmap. This way I could catch what I was looking for in ES. Below is my query and it show...

by New Member in

crcSalt is not working with multiple sub dir contains same file name monitoring

Hi, Am writing a monitoring stanza to on-board the files with same name but different sub-directory named using follo...

by Path Finder in

Threat Intelligence Searches Not Populating threat_activity Index

The search "Threat - Source and Destination Matches - Threat Gen" is working and producing results, only the results ...

by Path Finder in

How can I filter incoming traffic from outgoing traffic

Hi I am working on a DDoS alert. I want to detect spikes of incoming traffic. But I am not sure on how to differen...

by Communicator in

Differences between the Splunk Security courses?

Could anyone give me a synopsis of the differences between the courses "Using Splunk Enterprise Security 5.2" and "Ad...

by Explorer in

Splunk Enterprise Security: How to join with lookup

I need to cross the information of my lookup with fields from my index, and bring some information on the table, but ...

by New Member in

Is there a page view that shows all Source's for an Index

Aside from doing a search is there a configuration page that will show me all the sources sending logs to an index at...

by Engager in

Login for Splunk Security Datasets project

Hi, I registered to access the Splunk Security Datasets project and received an email with a link to login, but th...

by Champion in

Splunk Enterprise Security: How to associate business software to an asset?

I have a .csv which contains a list of business applications, the app owner, the server(hostname or same as nt_host) ...

by Path Finder in

Old Notable event marked as unassigned.

We pushed the new app out on ES cluster. After the app push, old notable events are showing up as "assigned" and our ...

by Splunk Employee in

Forescout implementation 2.8 with Splunk 6.5.3

Please refer the below details and provide me support for effective resolution : Facing issues while implementing ...

by New Member in

Looking for .conf17 FFIEC Cat initiative paper

Hello! I attended a session at .conf2017 entitled "FFIEC Cybersecurity Assessment Tool". In the presentation Curtis J...

by New Member in

oplogSize default value control

I am working with ES Splunk & want to increase the oplogSize from 1Gig to 2Gig.. From KVStore hammer .conf ta...

by Contributor in

Why is Splunk ES Contributing Events not seeing many incidents?

Hi splunkers, My question is Why I not see Contributing Events in All incidents ? I want to go directly to the ...

by Path Finder in

How to create a search condition in Splunk where an alert is based on result?

I want to get alerts for the situations which are different from below conditions: Server a B C D condition...

by New Member in

Splunk Enterprise Security: How to route data into app

Hi, I can't find any material for studying Splunk security essential app, is there any documentation or videos explai...

by Explorer in

How to black list all the ports except the approved ports using interesting ports list in splunk enterprise security?

I would like to black list (get alert) for all the ports excepting the approved port list using interesting port list...

by Explorer in

How to exclude IPs from results while using Tstats and a sourcetype that is not the same?

Current search is essentially this: | tstats values(All_Traffic.src) as src from datamodel=Network_Traffic.All...

by New Member in

Splunk Enterprise Security: Where to learn SPL, searches, and log sources?

Hi everyone, I need to learn SPL searches quickly. In particular, I need to focus on covering the log source (CWS, ...

by New Member in

Splunk Add-on for Microsoft Cloud Services: action="Unknown"

The Splunk Add-on for Microsoft Cloud Services is populating the Authentication datamodel in ES, however action="Unkn...

by Explorer in

Splunk Enterprise Security: How to secure part of the _audit index?

We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different locati...

by Communicator in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

I would like to find out failed login attempts with Event Code (4625) here the condition is failed login attempts with in one hour and if the failed attempts less than that what ever the event code present in the index will be displayed.?

How to get word on search and save on new column tables ?

Help with Splunk ES Investigations Collaborators

streams and DNS over (HTTPS or TLS)...DoH/DoT

Detecting Port Scan (nmap)

crcSalt is not working with multiple sub dir contains same file name monitoring

Threat Intelligence Searches Not Populating threat_activity Index

How can I filter incoming traffic from outgoing traffic

Differences between the Splunk Security courses?

Splunk Enterprise Security: How to join with lookup

Is there a page view that shows all Source's for an Index

Login for Splunk Security Datasets project

Splunk Enterprise Security: How to associate business software to an asset?

Old Notable event marked as unassigned.

Forescout implementation 2.8 with Splunk 6.5.3

Looking for .conf17 FFIEC Cat initiative paper

oplogSize default value control

Why is Splunk ES Contributing Events not seeing many incidents?

How to create a search condition in Splunk where an alert is based on result?

Splunk Enterprise Security: How to route data into app

How to black list all the ports except the approved ports using interesting ports list in splunk enterprise security?

How to exclude IPs from results while using Tstats and a sourcetype that is not the same?

Splunk Enterprise Security: Where to learn SPL, searches, and log sources?

Splunk Add-on for Microsoft Cloud Services: action="Unknown"

Splunk Enterprise Security: How to secure part of the _audit index?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Free Training Online Classes

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...