Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Confusing in Windows Export Certificate Rule

zksvc
Communicator
‎08-27-2024 03:09 AM

According to Windows Export Certificate - Splunk Security Content it using macros in the first query 

`certificateservices_lifecycle` EventCode=1007 
| xmlkv UserData_Xml 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, SubjectName, UserData_Xml 
| rename Computer as dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `windows_export_certificate_filter`

 

And in `certificateservices_lifecycle` macros is (source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational OR source=XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational)

zksvc_0-1724752713713.png

I only know in SPL we can't get result if write query with source in the first position, so i add index=* before `certificateservices_lifecycle` but unfortunately i don't get any result.

Then i'm using metasearch for check it available or not with this query 

First query :
| metasearch index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational")

Second query : 
| metasearch index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational")

 

and then i only got 0 result.

The question is if i want to get data from source="XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational" did i need setting it in Endpoints or can solved it in Splunk ? 

 

Thanks

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2024 04:50 AM

"I only know in SPL we can't get result if write query with source in the first position"

It is not true. If you don't specify index conditions explicitly, Splunk uses default indexes for your user's role (which might be an empty set). Conditions in a search are _not_ positional.

OK, having that out of the way...

1) metasearch is an old command, rarely used nowadays since most use cases can be more effectively covered with other methods. In your case it would be

| tstats count where index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational")

2) Well, do you _have_ any data of this kind? If you haven't ingested it from the endpoint, you can't search from it. That's what the search result tells you. (I assume you're searching over decently wide time range and you have access to relevant indexes)

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2024 04:50 AM

"I only know in SPL we can't get result if write query with source in the first position"

It is not true. If you don't specify index conditions explicitly, Splunk uses default indexes for your user's role (which might be an empty set). Conditions in a search are _not_ positional.

OK, having that out of the way...

1) metasearch is an old command, rarely used nowadays since most use cases can be more effectively covered with other methods. In your case it would be

| tstats count where index=* source IN ("XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational")

2) Well, do you _have_ any data of this kind? If you haven't ingested it from the endpoint, you can't search from it. That's what the search result tells you. (I assume you're searching over decently wide time range and you have access to relevant indexes)

Reply
Solved! Jump to solution

zksvc
Communicator
‎08-27-2024 06:10 AM

Hi @PickleRick 
Thanks for your reply, and knowledge about source can called in the first position.

Sorry i don't know that because in many case i got it always solved when i add index=* before the source. 

zksvc_0-1724764160097.png

And with your query i only get 0 count, so i think it because my client don't ingest in the Endpoint.

Thankyou for your reply and your information. 

Danke 🍻

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...