Splunk Enterprise Security

Discussions

Thread Info

Asset investigator

Dear Experts, I want to achieve below: 1- I want that when I put hostname/server name in asset investigator it ...

by Communicator in

Creating Assets csv file correlating logs from dhcp and Cisco ISE

We are creating assets inventory using different logs in Splunk. For this purpose, we first created list of “nt_host”...

by Engager in

How many resources would I need to receive 150 GB per day?

Hello team, I want to build a new SIEM using Splunk. I hope to receive between 100 and 150 GB of data per day. ...

by Path Finder in

Need assistance with ES error after upgrade from 5.2.2 to 5.3

I did upgraded my SPLUNK ES v5.2.2 to 5.3. none of the configure options are not working. Options like ES permiss...

by Communicator in

Example of "adaptive response action" execute error

Hi Splunkers, I followed the example of "adaptive response action" in this website https://dev.splunk.com/view/enterp...

by Loves-to-Learn in

Join command working

When nesting two commands using join, how can I verify if the Join command is returning the value of the field. [...

by Engager in

Wildcard for domain search

I am trying to find the domain that came in the logs but were faked to look similar for our domain. So if my domain i...

by New Member in

Splunk Enterprise Security requires a deployment client, but should I configure my ES search head as a deployment client?

I'm setting up a fresh install of Splunk Enterprise Security 4 and have a question about the deployment client requir...

by Path Finder in

How to use "nodename" in tstats

In the default ES data model "Malware", the "tag" field is extracted for the parent "Malware_Attacks", but it does no...

by New Member in

Notables are not getting created

This is a totally weird situation. I have few correlation searches for which notables are suppose to be generated ...

by New Member in

Which are the Best Recommended Splunk ES Webinars ?

Hello Splunkers, Being on a tight schedule as I cannot be watching webinars in most of my time, I would like to kn...

by Path Finder in

ERROR ConfReplicationThread - Content Length too large , csv

After extensive "googling" I didnt come to a comfortable consensus on what my next move should be. I am having bundle...

by Path Finder in

Splunk Enterprise Security upload app

Hello, I would like to upload a custom app to Splunk Enterprise Security Sandbox Cloud environment and/or is possible...

by New Member in

Meraki Syslog events to TA-meraki are not showing up in ESS

Myron, Thank you for taking the time to put into this TA. It's appears to be really useful with the way that Merak...

by Path Finder in

To detect if Local admin account has been used to logon to a system

Team, I am trying to setup a use case about To detect if Local admin account has been used to logon to a system , ...

by New Member in

Custom Bar Chart Colours Not Working

Hi, I have the following search in an ES dashboard panel to order incidents throughout the month by severity in a ...

by Explorer in

LDAP query for identities for Enterprise Security

I’m trying to populate my users with the following query. One of the issues I have is certain users don’t have the ma...

by Explorer in

Setting alias for multivalued field for ES/CIM compliance

I created an alias for the X_MS_Forwarded_Client_IP (ADFS events) to equal to src. The X_MS_Forwarded_Client_IP is a ...

by Influencer in

Correlation search - Stream events

I'll start with the goal of what I am trying to accomplish first. I'd like to be able to detect any source sending da...

by Path Finder in

Dynamically populate search dashboard after transaction

Hello, I'm trying to create a dashboard for our email logs, that allows a user to input fields like sender, recipi...

by Engager in

Removing 1 IP from a threat Intel list without removing the entire list?

We are using Splunk es. We started porting list into the threat intel feeds. Our analyst wants to remove a single IP ...

by Engager in

No Notables is getting generated however i can get the results when correlation searches are run mannually

Since morning i am observing my notables are not getting created. I can see the Notable names in Security posture but...

by New Member in

splunk cloud es notable index empty

Hello Splunkers we have splunk managed cloud ES and i have enabled all correlation searches as per doc the way we do ...

by Path Finder in

How to extract email addresses from URLs using regex?

I have URL's that contain email addresses that I would like to extract via rex into an email field: SAMPLE RAW: ...

by Explorer in

Splunk ES - Troubleshooting Web Data Model

We have ES up and running and I'm starting to review the various Security Domains and relevant dashboards/reports. ...

by Influencer in

Get Updates on the Splunk Community!

Splunk Enterprise Security

Discussions

Asset investigator

Creating Assets csv file correlating logs from dhcp and Cisco ISE

How many resources would I need to receive 150 GB per day?

Need assistance with ES error after upgrade from 5.2.2 to 5.3

Example of "adaptive response action" execute error

Join command working

Wildcard for domain search

Splunk Enterprise Security requires a deployment client, but should I configure my ES search head as a deployment client?

How to use "nodename" in tstats

Notables are not getting created

Which are the Best Recommended Splunk ES Webinars ?

ERROR ConfReplicationThread - Content Length too large , csv

Splunk Enterprise Security upload app

Meraki Syslog events to TA-meraki are not showing up in ESS

To detect if Local admin account has been used to logon to a system

Custom Bar Chart Colours Not Working

LDAP query for identities for Enterprise Security

Setting alias for multivalued field for ES/CIM compliance

Correlation search - Stream events

Dynamically populate search dashboard after transaction

Removing 1 IP from a threat Intel list without removing the entire list?

No Notables is getting generated however i can get the results when correlation searches are run mannually

splunk cloud es notable index empty

How to extract email addresses from URLs using regex?

Splunk ES - Troubleshooting Web Data Model

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout

Retrieve Notable urgency within Adaptive Response

adding a custom field to notable and update the va...

es_notable_events Query

Saved Search in Source Code

Adding comment (link) to Next Steps (In an alert u...