<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Query Help in Alerting</title>
    <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530719#M9983</link>
    <description>&lt;P&gt;Does any of this data represent the events you are looking for?&lt;/P&gt;</description>
    <pubDate>Tue, 24 Nov 2020 23:35:43 GMT</pubDate>
    <dc:creator>ITWhisperer</dc:creator>
    <dc:date>2020-11-24T23:35:43Z</dc:date>
    <item>
      <title>Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530701#M9978</link>
      <description>&lt;P&gt;I have been tasked with writing Queries for the following and I am not sure how to go about it:&lt;/P&gt;&lt;TABLE width="1021"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;&lt;STRONG&gt;Detection / Event Name&lt;/STRONG&gt;&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;&lt;STRONG&gt;Event Description&lt;/STRONG&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;Master Password Use&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;The master password used to access the backend vault was used&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;Backend Vault Built in Admin Use&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;The built-in admin account on the backend vault was used&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;Sssd.conf modified on linux server&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;The sssd.conf file was modified on a linux server&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;</description>
      <pubDate>Tue, 24 Nov 2020 22:47:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530701#M9978</guid>
      <dc:creator>jasonballard</dc:creator>
      <dc:date>2020-11-24T22:47:39Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530710#M9979</link>
      <description>&lt;P&gt;What data do you have regarding these events?&lt;/P&gt;</description>
      <pubDate>Tue, 24 Nov 2020 23:19:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530710#M9979</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2020-11-24T23:19:22Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530711#M9980</link>
      <description>&lt;P&gt;I was told to base them on "&lt;SPAN&gt;Privileged Access Management (PAM) logs"&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 24 Nov 2020 23:20:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530711#M9980</guid>
      <dc:creator>jasonballard</dc:creator>
      <dc:date>2020-11-24T23:20:24Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530712#M9981</link>
      <description>&lt;P&gt;Are those logs already in splunk? Can you provide some sample events?&lt;/P&gt;</description>
      <pubDate>Tue, 24 Nov 2020 23:21:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530712#M9981</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2020-11-24T23:21:54Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530714#M9982</link>
      <description>&lt;P&gt;LIke this?&amp;nbsp;&lt;/P&gt;&lt;P&gt;| `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")`&lt;/P&gt;</description>
      <pubDate>Tue, 24 Nov 2020 23:29:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530714#M9982</guid>
      <dc:creator>jasonballard</dc:creator>
      <dc:date>2020-11-24T23:29:39Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530719#M9983</link>
      <description>&lt;P&gt;Does any of this data represent the events you are looking for?&lt;/P&gt;</description>
      <pubDate>Tue, 24 Nov 2020 23:35:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530719#M9983</guid>
      <dc:creator>ITWhisperer</dc:creator>
      <dc:date>2020-11-24T23:35:43Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530720#M9984</link>
      <description>&lt;P&gt;To be honest, I am not sure where to start on this.&amp;nbsp; This is my second week in this role.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The email from my boss said "&lt;SPAN&gt;If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs.&amp;nbsp; Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases?&lt;/SPAN&gt;&lt;/P&gt;&lt;TABLE width="1021"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;&lt;STRONG&gt;Detection / Event Name&lt;/STRONG&gt;&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;&lt;STRONG&gt;Event Description&lt;/STRONG&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;Master Password Use&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;The master password used to access the backend vault was used&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;Backend Vault Built in Admin Use&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;The built-in admin account on the backend vault was used&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="316"&gt;&lt;P&gt;Sssd.conf modified on linux server&lt;/P&gt;&lt;/TD&gt;&lt;TD width="705"&gt;&lt;P&gt;The sssd.conf file was modified on a linux server&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;</description>
      <pubDate>Tue, 24 Nov 2020 23:41:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530720#M9984</guid>
      <dc:creator>jasonballard</dc:creator>
      <dc:date>2020-11-24T23:41:25Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530723#M9985</link>
      <description>&lt;P&gt;First, you need to check which logs and source types are supported for each item.&lt;/P&gt;&lt;P&gt;Can you present here a sample of the corresponding logs in case of detection?&lt;BR /&gt;&lt;BR /&gt;I've never done it before.&lt;BR /&gt;Can you tell by looking at /var/log/sssd/sssd_pam.log?&lt;/P&gt;</description>
      <pubDate>Wed, 25 Nov 2020 00:00:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530723#M9985</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-11-25T00:00:11Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530880#M9989</link>
      <description>&lt;DIV&gt;&lt;DIV class="copy-paste-block"&gt;So for the Master Password use, I think I could check the palog. if I go to C:\users\administrator\roaming\cyberark\privateark and check palog, I see entries like: "user master is working with vault prod with x records per send"&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;As for the Backend Vault Built in Admin Use. That may be something we need to configure the Safe to send out notifications on use and you can trigger off of that email that is sent out.&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;for sssd.conf, (this is the one I know the least about) I am thinking I need to reach out to our unix/linux group and see if they have any monitoring on those files, and if they do not, we may be able to set something up like the solution for the backend vault built in admin use to send out an email when cyberark changes it. (But I am not 100% on this one.)&lt;/DIV&gt;&lt;/DIV&gt;</description>
      <pubDate>Wed, 25 Nov 2020 19:57:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530880#M9989</guid>
      <dc:creator>jasonballard</dc:creator>
      <dc:date>2020-11-25T19:57:48Z</dc:date>
    </item>
    <item>
      <title>Re: Query Help</title>
      <link>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530978#M9992</link>
      <description>&lt;UL&gt;&lt;LI&gt;If a characteristic term appears in the log, you can just search for it.&lt;BR /&gt;e.g. "&lt;SPAN&gt;user master is working&amp;nbsp;"&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Now you can also search the output results.&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;e.g. send out notifications&lt;BR /&gt;&lt;BR /&gt;It is possible to make a query if you have a sample of the log and a description of the source type, etc.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Nov 2020 09:55:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Query-Help/m-p/530978#M9992</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-11-26T09:55:02Z</dc:date>
    </item>
  </channel>
</rss>

