Currently, for asset correlation with IPs we have Infoblox, but that only works when we are on the company premises and the IP assigned to the asset is part of the company network. When someone works from home and the IP of the asset changes due to their personal internet, that IP does not get added to the asset lookup, as it's not part of the Infoblox flow. I was thinking of maybe using Zscaler to add IP details for the asset, but if there is any successful way someone has used to mitigate this, it would be helpful.
Hi @SATYENDRA.DAS,
Your screenshot is cut off a little above where the list of agents should be visible. When I filter by the same results, I do see a list.
Is there a way to run a search for all correlation searches and see their response actions? I want to see which correlation searches create notable events and which ones do not. For example, which ones only increase the risk score. I had hoped to use /services/alerts/correlationsearches, however it doesn't appear that endpoint exists anymore?
This just means that the script being called did not run to completion. I recently had a confusing problem that caused this exact error. I had a working design where I had a sendalert named "my_send_alert" which called a Python script named "my_send_alert.py" which then called a shell script named "my_send_alert_alt.sh". It all worked great. So I cloned it to create a different one and it didn't work, giving this error. The problem ended up being that I named the shell script the same name as the Python script, and Splunk was SKIPPING calling the Python script and was calling the shell script directly! I simply changed the name of the shell script and all was well. So in summary: all 3 named the same does not work.
This DOES NOT work:
my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert.sh
This DOES work:
my_send_alert(alert_actions.conf) -> my_send_alert.py -> my_send_alert_alt.sh
This should also work:
my_send_alert(alert_actions.conf) -> my_send_alert.sh
Hi @ITWhisperer
My requirement is to fetch the value from the latest event (even if I restrict the search to 30 mins).
Example:
Query: index = events_prod_tio_omnibus_esa ( "SESE023" ) sourcetype=Log_mvs
| rex field=msg "(ADV|ALERT REACH)\s* (?<Nb_msg>[^\s]+)"
| rex field=msg "NB\s* (?<Msg_typ>[^\s]+)"
| table Nb_msg
Result:
I want to display the value "Nb_msg" in the result if there is any event in the last 15 mins. If there is no event in the last 15 mins, then display the value "0" in the result.
Currently, with the query (attached above), I am getting the value "Nb_msg" from all the events generated in the last 15 mins.
Hi @LearningGuy, sorry, there was a misunderstanding: it isn't possible to update an index. It's possible to display the index data enriched with the phone by a lookup. Otherwise, it's possible to save the events of the old index in a new one, also enriched with the phone number.
Ciao. Giuseppe
Hi @gcusello, if I am not an admin, is it possible to do the following? (Refer to my main question.) I want to allow ONLY my team within "App1" to have read and write access to the "Test" dashboard. Thanks
Hi @gcusello, there are logs for the Windows OneSettings service: "This service offers to report telemetry data back to MS about OS health, build info, etc. in order to keep the computer 'healthy'." We came across this setting recently. The logs are written to "Microsoft\Windows\Privacy-Auditing\" and they are in the Windows Event Log. I am not sure whether these events can be tracked using the Splunk Add-on for Windows; any thoughts on this? Thanks
Hi @gcusello, when you said it's possible to add a new field into past data in a summary index, is it a new entry/insert or an update? In my example, is it possible to update (not insert) the "Phone" field in "test_1" past data (_time/timestamp is in the past)? Do I need to have permission to perform an update to an index? I think I can only perform insert, but not delete or update. Your sample query is moving new data to the new index "test_2", not to the same "test_1" past data.
You asked: "if you have this information in a lookup, why do you need to save it in the index?" The main_index has a large set of data, and it's very slow doing a lookup in the dashboard; that's why I filtered the necessary data and moved it to a summary index.
Past:
index=main_index + csv data ===> index=summary report="test1"
Now: I updated csv data with a phone field
index=main_index + csv data ===> index=summary report="test2"
Can I update (not insert) only "phone" field from "test2" to "test1" with Past timestamp? OR Can I update (not insert) only "phone" field from "main index+CSV" to "test1" with Past Timestamp?
index=main_index + csv data (NEW) ===> index=summary report="test1" (PAST Timestamp)
Thank you
Hi @Dayalss, yes, there are seven apps for Qualys, two of which seem to be related to vulnerabilities. I'm not a Qualys expert, so I don't know which app is the one for your requirements.
Ciao. Giuseppe
If I understand correctly, then yes; you could use a single value to display a number, you just need a search to calculate the number for you. The stats command can easily count the number of events returned by the search.
Hi @gcusello, I have installed the Qualys Vulnerabilities app, but it does not fulfill our requirement. We need to build custom dashboards, but there is a data mismatch. Need to fix it.
Regards, Dayal
The inputs.conf stanza tells Splunk to run your script. What the script does depends on how it is written. It may want to get the files it should read from a script-specific configuration file.
Hi @anooshac, if you look in the Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603) there's also exactly this example.
Ciao. Giuseppe
Sure, you have a couple of options there. You can either add adaptive response actions to your Splunk ES correlation searches (if you're using those), or you can set up a saved search to export exactly the results you want. When I last worked on this (it's been about a year), I found that the saved search method was more reliable. I used a search similar to the Incident Review view search ("Incident Review - Main" in SA-ThreatIntelligence), as my use case was to forward notable events to the SOAR platform.