Hey everyone, We have a Splunk SOAR client who has a Microsoft tenant with several domains. They asked if we can scope the "Windows Defender ATP" app in Splunk SOAR to be limited to the 2 domains their team is responsible for. Is this something that can be done from the app configuration itself in SOAR? Or would this be something done in the Microsoft tenant? Or are there any other options?
Has anyone been able to get ADAudit Plus to integrate with Splunk Enterprise? I followed these instructions but have not gotten any data to show on the indexer. SIEM integration | Admin settings | ADAudit Plus (manageengine.com) I also contacted ManageEngine support, which has not been able to figure out the issue. I searched the forum and found this old thread, but no one had a response. How to get audit plus manager logs into splunk ent... - Splunk Community Any help is appreciated, thanks.
I am trying to figure out where Splunk is getting its data to populate the "Host Name" column in the Splunk GUI for the Forwarder Management section, when selecting the Clients tab. I would like the host name to be the FQDN (server1.x.xx) instead of its current version (server1). It doesn't seem to pull from any Splunk .conf files that I can see located on any Windows UF. For reference, this only applies to Windows servers running the Splunk UF agent. I have already modified inputs.conf (host = $decideOnStartup) and server.conf (hostnameOption = fullyqualifiedname) to no avail. Any help will be greatly appreciated.
Thank you for the reply... I successfully made a connection between Splunk ES and Splunk SOAR... but I can't make the connection between them automatically. Do you have a solution for that?
This is a pretty big question. I would recommend you start here: https://docs.splunk.com/Documentation/SOARExport/4.3.2/UserGuide/Configureoverview for how to connect Splunk and Splunk SOAR. From there, you'll need to set up the mechanism for sending alerts to SOAR and a playbook within SOAR for processing them the way you need to. What action you want to do on the endpoint will determine how to set that playbook up. If this is leveraging Defender, for example, you can set up an action to call Defender to quarantine an endpoint or something like that. It will vary a lot depending on your exact use case.
Haha yeah I guess so, fwiw I see both on ours... Some processes are suspended when they crash, others just crash and vanish from Task Manager. Truthfully I'm not sure what the difference between those behaviors is.
So basically we moved from crashes (9.1) to process suspended (9.2)... I would prefer the first; at least something was collected. Thanks a lot for the feedback. Regards
@ivan5593 This is certainly possible using an authentication account, which will give you a token to interact with the SOAR API. Then you just need to use the correct API endpoint with the correct payload to send events to SOAR: https://docs.splunk.com/Documentation/SOARonprem/5.3.1/PlatformAPI/Using If you want to initiate a playbook from JIRA, then you need the playbook_run API endpoint with the correct payload. I would also say that the JIRA app has an On Poll action that you can set up with some JQL to only pull in what you want, and it will just create containers for you whenever it polls and finds something new. This would be better if you had playbooks that ran on ingestion into SOAR. -- Hope this helps! If so please mark as a solution for future. Happy SOARing! --
Hello! I'm trying to integrate Splunk SOAR - Splunk - Jira to update the ticket status. The source of truth will be Jira, so any update should be propagated from Jira to the other Splunk products. I was wondering about configuring a webhook in Jira that triggers a playbook in Splunk SOAR and updates the tickets. Is there any way to accept webhooks in Splunk SOAR? Maybe a better way to do this integration? Thanks in advance!
Unfortunately, support has been slow to get us a patched version or 9.2.2 ahead of its general release. They said that the 9.2.2 release was being pushed back. I dunno, still in a holding pattern on my end. That's concerning to hear that it didn't work for you... the "suspended behavior" is what I'm seeing on the existing 9.2.1 version.
Hello! I'm trying to resolve issues with splunkd being killed by the OOM reaper, and it would be nice to know which saved search (or ad-hoc search) is consuming too much RAM. In the Linux messages from the Search Head I have the PIDs of reaped splunkd processes, and the question is how to get the PID of splunkd for a particular saved search from the _internal index. Scheduler events have a SID field like this: sid="scheduler_aS5zLnNva29sb3Y_czdfc2llbV9uZXR3b3Jr__RMD58313482a27867d57_at_1716903900_27923" Is the last part of the SID (27923) a Linux process ID? Or maybe I can get the PID from some other source?
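As an added example (not from the thread above): splunkd samples every search process into the `_introspection` index, where each `PerProcess` event carries the Linux PID together with the search's SID, user, app and memory use, so the PIDs from the OOM-killer messages can be matched to the saved search that ran under them. The two PIDs in the `IN (...)` clause are placeholders to replace with the ones from /var/log/messages; run it on the search head in question over the time window of the kills.

```spl
index=_introspection sourcetype=splunk_resource_usage component=PerProcess data.process_type=search
| rename data.pid AS pid, data.mem_used AS mem_mb, data.pct_memory AS pct_mem,
         data.search_props.sid AS sid, data.search_props.user AS user,
         data.search_props.app AS app, data.search_props.label AS savedsearch,
         data.search_props.mode AS mode
| search pid IN (12345, 67890)
| stats min(_time) AS first_seen, max(_time) AS last_seen,
        max(mem_mb) AS peak_mem_mb, max(pct_mem) AS peak_pct_mem,
        latest(user) AS user, latest(app) AS app,
        latest(savedsearch) AS savedsearch, latest(mode) AS mode
        BY pid, sid
| convert ctime(first_seen), ctime(last_seen)
| sort - peak_mem_mb
```

Dropping the `| search pid IN (...)` line turns the same search into a ranking of every search process by peak memory, which is the quickest way to spot a runaway saved search before the kernel does.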
No, I downgraded my operating system to Server 2019 and everything started working. Ran into a different issue afterwards, unfortunately. Too much data was being forwarded and I had to start using a heavy forwarder.