how do I make splunk es to check my uploaded logs

testttt · ‎06-05-2024

I have installed splunk es app and uploaded botsv1.stream_http.json (https://github.com/splunk/attack_data)

but incident_review and ess_security_posture is not hitting any event

how do I make splunk es to check my uploaded logs and generate a list of alerts like below. Please note that I am not checking the logs forwarded by agent, but the log files uploaded on the browser side

thank you

kiran_panchavat · ‎06-05-2024

@testttt There are no notable events that you can produce because you have uploaded sample events to Splunk. Could you please create an instance, send the logs to Splunk, and attempt to produce the notable events? such as unsuccessful login attempts and bruteforce attacks.

testttt · ‎06-06-2024

I created a dvwa application and used SplunkUniversalForwarder to forward the log to port 9997, containing events such as sql injection and brute force cracking,

but incident_review and ess_security_posture is not hitting any event

how do I make splunk es to check my uploaded logs

using Enterprise Security

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?