Splunk Enterprise Security

Discussions

Thread Info

How to use tstats command with datamodel and like function

How to use tstats command with like function. Ex: | tstats count(eval(Authentication.action, "failure%")) as failu...

by Path Finder in

How to invoke adhoc queries

After installing and configuring this application I am unable to get the adaptive response to run. I continue to get ...

by Engager in

Splunk ESM - The contributing events drill-down search is not the same as my correlation rules "Notable action" drill-down search

I've changed an existing correlation search and it's drill-down in the adaptive response actions, but when the notabl...

by New Member in

Splunk Enterprise Security: Is it possible to prepopulate adaptive response action form with data from notable event?

Hi, Is it possible to prepopulate an adaptive response action's form from the notable event? Let's say my notab...

by Explorer in

Disaster Recovery for ES SH cluster Enviornment

what is the solution for DR where ES app is in Sh cluster?

by Explorer in

Is there anyway in Android SDK to avoid storing logs in clear on the device before sending to server?

I found the log in plain text on my device during the test, can I add a custom write and custom read feature with an ...

by New Member in

How to detect Splunk searches ran by users without justification?

We are looking for query to detect Splunk queries without business justification and also random validation of busine...

by Path Finder in

Upgrade 5.2.2 to 5.3 - is the documentation wrong or is it me ?

Hello, I'm using Splunk 7.2.6 and ES 5.2.2 (on a SHC) and I want to upgrade ES to 5.3 on this SHC environment. ...

by Path Finder in

Splunk Enterprise Security: Error SA-Utils/bin/data_migrator.py

hi After installing Enterprise Security, 4.7.6, we are constantly getting error in the console msg="A script e...

by Engager in

How to integrate SA-Investigator with ES

Greetings-- I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App. It app...

by Communicator in

Splunk Enterprise Security send notable event as email - missing server in ES?

Hello everybody, we have a problem sending notable events from Splunk ES as an email. Email notification works fin...

by Communicator in

Connection Between Phantom and Splunk

Hi Has anyone run into issues connecting "to" Splunk "From" Phantom App? I have tried 443 and 8089 I keep gett...

by Explorer in

Splunk Upgrade best methodology or approach for Enterprise and ES

I am looking to upgrade the following and the approach below. My question is this upgrade optimal and will sustain? T...

by New Member in

Tstats with inputlookup to check for a malicious IP with the authentication datamodel

Here is my SPL, what am I doing wrong? |tstats count from datamodel=Authentication where ([|inputlookup threatconn...

by New Member in

Is it possible to tag logs associated with the event_id when a notable event triggers?

I looked around, but could not find anyone asking this question specifically. Basically, when a notable event trigger...

by New Member in

Can multiple search head clusters connected to the same index use port 8080?

Hello, Currently we have Single Search Head Cluster with Enterprise Security and single Indexer Cluster. As part o...

by Explorer in

Using Enterprise security

am about to register for Using Enterprise Security but i would like to make sure if am going to receive an official m...

by Explorer in

Problem with Enterprise Security Correlation Search

This Enterprise Security correlation search "Anomalous Audit Trail Activity Detected" is generating a whole bunch of ...

by Explorer in

Splunk CIM upgrade

Currently we are having Splunk CIM 4.11.0 and we would like to upgrade it to Splunk 4.13.0 (to add new Endpoint data ...

by Explorer in

Playbook Having Issues executing

Hi For some reason none of my playbooks finish executing. They simply stay in a loop Even if it is a simple tes...

by Explorer in

CIM on two separate search heads

We have two search heads: - First is used with Enterprise Security with CIM installed and acceleration enabled on som...

by Explorer in

Splunk Enterprise Security: How to view events associated to "Change - Abnormally High Number of Endpoint Changes by User - Rule" source?

Hello, i would like to see the Events associated to this source "Change - Abnormally High Number of Endpoint Chang...

by Path Finder in

Where to get official powerpoint slides for instructors on course "Using Enterprise Security"?

I am supposed to give training for this course "Using Enterprise Security", where can I get an official powerpoint s...

by Explorer in

How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

1st time configuring a feed in the Splunk App for Enterprise Security and I'm spinning my wheels. HELP  I have the S...

by Path Finder in

The meaning of security metrics in Glass Tables

Hi everyone, I am newbie in Splunk. Now I need do a network Diagram in Glass Tables but I don't know exactly the m...

by New Member in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

How to use tstats command with datamodel and like function

How to invoke adhoc queries

Splunk ESM - The contributing events drill-down search is not the same as my correlation rules "Notable action" drill-down search

Splunk Enterprise Security: Is it possible to prepopulate adaptive response action form with data from notable event?

Disaster Recovery for ES SH cluster Enviornment

Is there anyway in Android SDK to avoid storing logs in clear on the device before sending to server?

How to detect Splunk searches ran by users without justification?

Upgrade 5.2.2 to 5.3 - is the documentation wrong or is it me ?

Splunk Enterprise Security: Error SA-Utils/bin/data_migrator.py

How to integrate SA-Investigator with ES

Splunk Enterprise Security send notable event as email - missing server in ES?

Connection Between Phantom and Splunk

Splunk Upgrade best methodology or approach for Enterprise and ES

Tstats with inputlookup to check for a malicious IP with the authentication datamodel

Is it possible to tag logs associated with the event_id when a notable event triggers?

Can multiple search head clusters connected to the same index use port 8080?

Using Enterprise security

Problem with Enterprise Security Correlation Search

Splunk CIM upgrade

Playbook Having Issues executing

CIM on two separate search heads

Splunk Enterprise Security: How to view events associated to "Change - Abnormally High Number of Endpoint Changes by User - Rule" source?

Where to get official powerpoint slides for instructors on course "Using Enterprise Security"?

How to configure an FS-ISAC feed in Splunk App for Enterprise Security 3.3 with a Soltra Edge server?

The meaning of security metrics in Glass Tables

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Free Training Online Classes

Editing the alert that is sent to PagerDuty

Throttling Notables - Do Underlying Alerts Need to...

How long are asset list field values stored in the...

Documentation for SA-AccessProtection / DA-ESS-Acc...