cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
acadea
Explorer
Member since: ‎10-29-2020
‎11-28-2022
Community Statistics
Posts 14
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎10-29-2020
Activity Feed
View All

Re: Netwrix TA

by in Getting Data In
‎11-19-2021 07:41 AM
‎11-19-2021 07:41 AM
well, collect the other eventlog and maybe that will solve your problem ? ... View more

Re: Netwrix TA

by in Getting Data In
‎11-19-2021 07:22 AM
‎11-19-2021 07:22 AM
who logged in... where ? on Netwrix ? on Windows/AD ? there are 3 Netwrix generated eventlogs on Windows [WinEventLog://Netwrix Auditor] - > this is the same EventLog that you can see in Netwrix interface regarding events related to data collection etc [WinEventLog://Netwrix Auditor Security] - > this is containing Netwrix on Netwrix audit, that is who has started Netwrix, what changes were done in the Netwrix interface, etc. Netwrix Auditor Self-audit let's say. I suppose this is what you're describing as currently collected. [WinEventLog://Netwrix_Auditor_Integration] - > this is what you're after. It should have this format: 08/24/2021 09:56:37 AM LogName=Netwrix_Auditor_Integration SourceName=Netwrix_Auditor_Integration_API EventCode=35940 EventType=4 Type=Information ComputerName=srv-01 TaskCategory=492 OpCode=Info RecordNumber=41188878 Keywords=Classic Message= DataSource : Windows Server Action : Modified Message: Modified System Time Where : srv-01 ObjectType : System Time Who : NT AUTHORITY\SYSTEM What : System Properties\System Time When : 2021-08-24T07:36:22Z Workstation : Details : System time changed from "2021-08-24T07:36:08.173840600Z" to "2021-08-24T07:36:22.192000000Z" ... View more

Re: Netwrix TA

by in Getting Data In
‎11-19-2021 06:49 AM
‎11-19-2021 06:49 AM
yes, I've configured the netwrix powerhsll script to be executed as a scheduled task .  - also enabled the API on Netwrix ( see settings, API) - configured splunk UFW to collect the windows event log netwrix_integration_bla_bla what is the blocking point for you? ... View more

Re: Netwrix TA

by in Getting Data In
‎11-19-2021 06:04 AM
‎11-19-2021 06:04 AM
can you provide a link to that addon, I'm not able to find it on splunkbase. or perhaps you're talking about the netwrix addon for splunk  which is a powershell script that is writing netwrix events to windows event log  so that splunk ufw can collect it ? ... View more

now() + scheduled report when delayed

by in Other Usage
‎10-15-2021 06:55 AM
‎10-15-2021 06:55 AM
Hello Splunk ninjas, We all know about scheduled reports configured to use a schedule window - when they run delayed,  they still gather data for the time range that they would have covered if they started on time. In short - it will search over the time range it was originally scheduled to cover. What happens when the search query is using now() function ? Like many of the ESCU correlation searches... Example: There is a query containing : | where firstTimeSeen > relative_time(now(),1h) The report is scheduled every hour (cron =  0 * * * *)  using a search time range earliest=now, latest=-70min. Schedule window = auto. And this is a busy day therefore our query is executed 40 minutes later than scheduled. As mentioned at the begining, the time range used doesn't change, it's still :00 - :59 (previous hour). However, the now() has this definition :This function takes no arguments and returns the time that the search was started. The result set of the report is different now. Is this behavior flawed by design ? Many of the ES/ESCU correlation searches use this kind of filtering ( based on now()). How to solve this ? no schedule window ? no auto ? higher priority ? durable search ? real-time mode instead of continuous ? Thanks for your educated answers. ... View more
Labels

Re: inputlookup special fields

by in Splunk Search
‎06-24-2021 07:45 AM
‎06-24-2021 07:45 AM
thank you, I've edited/updated the initial question with an example ... View more

Re: inputlookup special fields

by in Splunk Search
‎06-24-2021 07:36 AM
‎06-24-2021 07:36 AM
that's the definition, it's obvious they are different commands but the results of those two commands should have been the same. I'm still digging, it seems the "fields" it's an array that makes me think lookup cannot deal with displaying  arrays while inputlookup can show them ... View more

inputlookup special fields

by in Splunk Search
‎06-24-2021 06:00 AM
‎06-24-2021 06:00 AM
Hello, I have recently found there is a strange difference between lookup and inputlookup commands.   |makeresults | eval uid="asdf" | lookup mydata uid |makeresults | eval uid="asdf" | join uid [| inputlookup mydata]   The "mydata" lookup is a kvstore collection, with the following columns uid, name, address, fields I was expecting these two queries to have the same results, but no. It seems the column "fields" is an array and it's returning a lot of data when used with the inputlookup command , which is not the case with the first (lookup) query. The lookup results are like this: _key | uid  | name | address | fields ...  | asdf | john | yes     | (empty) The inputlookup results are like this: _key | uid  | name | address | fields.town | fields.country ...  | asdf | john | yes     | chicago     | usa I didn't find any documentation about this. Your input is welcomed. Thanks ... View more
Labels

Re: Error after update - Threat Intel

by in Splunk Enterprise Security
‎06-24-2021 05:47 AM
‎06-24-2021 05:47 AM
hello, indeed, the old stanzas were not compatible anymore. after upgrading from 6.4.0 to 6.4.1 the issue has been fixed. thanks ... View more

Re: Threatlist scheme error - unable to initialize...

by in Splunk Enterprise Security
‎06-10-2021 04:05 AM
‎06-10-2021 04:05 AM
ok, found it, I'll leave this here if anyone else will ever encounter this: it's a bug in Splunk Enterprise Security 6.4.0 which is fixed in 6.41. Check the release notes for 6.4.1 SOLNESS-24926 Threat Intelligence Framework: Setting SPLUNK_DB triggers this error: ValueError: Illegal escape from parent directory "/opt/splunk": /splunkdata/modinputs/threatlist   https://docs.splunk.com/Documentation/ES/6.4.1/RN/FixedIssues ... View more

Threatlist scheme error - unable to initialize mod...

by in Splunk Enterprise Security
‎06-10-2021 03:21 AM
‎06-10-2021 03:21 AM
Hello, There is an error "unable to initialize modular input "threatlist"" and it's blocking all the Threat Intel features How can I troubleshoot and solve this ? Is this a python error ? The effects are the stanzas are not loaded and the Threat Intelligence Management Menu ( Configure > Data Enrichment) is not loaded and it's showing "not found". See error log below Thanks for your ideas   ... View more
Labels

Error after update - Threat Intel

by in Splunk Enterprise Security
‎06-04-2021 06:55 AM
‎06-04-2021 06:55 AM
Hello, After updating  SES to version 6.4.0, the menu Configure > Data Enrichment > Threat intelligence Management shows an empty content page with an error  "Not found" /app/SplunkEnterpriseSecuritySuite/ess_threat_intelligence_management I have also checked this article, without success. https://docs.splunk.com/Documentation/ES/6.5.1/Admin/Managethreatintelligenceuponupgrade#Recover_the_new_view_of_threat_intelligence_pages Have you encountered this, any ideas ? Thanks, ... View more
Labels

convert alerts to correlation searches

by in Splunk Enterprise Security
‎03-10-2021 03:13 AM
‎03-10-2021 03:13 AM
Hello, Having defined multiple alerts before starting  to use Enterprise Security, is there a way to convert the existing alerts to correlation searches ? Instead of sending emails as action, they will add some risk score, notable event etc How can I accomplish this without creating manually all the correlation searches from scratch. Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-28-2022 01:11 PM
Karma given to
View All