- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with table results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with table results
Hi Splunk community,
I am trying to determine the impact of removing Adobe Flash from our environment.
I have done basic search and the results returned are much higher than expected. This would most probably be because staff are accessing external content as well as internally hosted.
Is it possible to have a query that tells me which url has invoked flash player?
I have tried:
event_simpleName=ProcessRollup* FileName=FlashUtil*_ActiveX.exe
and
FileName=Flash*.ocx
Neither of them return dns requests or url.
So far to get some answers I do a separate search (query) on the host based on the timestamp (of the results of above query) looking up the dns request.
Example result:
Domainname: host: user: filename: commandline:
ssl.gstatic.com computer123 user123 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
https: // docs.google.com/spreadsheets/z/xyz/edit?usp=drive_web
Most DNS requests are within fraction of the second or +1 second.
Finding a computer with useful data is a draw of the luck and very time consuming.
Is anyone able to help with the above query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
event_simpleName=ProcessRollup* FileName=FlashUtil*_ActiveX.exe
The query above returns, hostname, timestamp of execution, username, and others but i don't get the dns requests or url that invoked flash player.
So far to get around this I do another separate search (query) on the host, based on the timestamp (of the results of above query) looking up the dns request.
Example result:
Domainname: host: user: filename: commandline:
ssl.gstatic.com computer123 user123 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/spreadsheets/z/xyz/edit?usp=drive_web
Most DNS requests are within fraction of the second or +1 second.
I am trying to create one query that gives me the hostname, username, timestamp, app, e.g. FlashUtil*_ActiveX.exe and dns request or url, or commandline.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi To4kawa,
Thanks to replying.
We use Crowdstrike as endpoint protection and all loge are feed by the ent-point agent to our cloud Crowdstrike platform.
I am novice to the splunk query language, as I just recently started exploring it.
Could you provide an example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not about what to do with the query, but about first understanding which log contains the event.
The results I'm giving you as an example are not from Flash, and you need to find the log first.
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
