All Posts

Hey everyone, we have a Splunk SOAR client who has a Microsoft tenant with several domains. They asked if we can scope the "Windows Defender ATP" app in Splunk SOAR to be limited to the 2 domains their team is responsible for. Is this something that can be done from the app configuration itself in SOAR? Or would this be something done in the Microsoft tenant? Or are there any other options?
Can I please get another search that can show the last logon date for an Active Directory service account?
Has anyone been able to get ADAudit Plus to integrate with Splunk Enterprise? I followed these instructions but have not gotten any data to show on the indexer: SIEM integration | Admin settings | ADAudit Plus (manageengine.com). I also contacted ManageEngine support, who have not been able to figure out the issue. I searched the forum and found this old thread, but no one had a response: How to get audit plus manager logs into splunk ent... - Splunk Community. Any help is appreciated, thanks.
It's not working.
I am trying to figure out where Splunk is getting its data to populate the "Host Name" column in the Splunk GUI for the Forwarder Management section when selecting the Clients tab. I would like the host name to be the FQDN (server1.x.xx) instead of its current version (server1). It doesn't seem to pull from any Splunk .conf files that I can see located on any Windows UF. For reference, this only applies to Windows servers running the Splunk UF agent. I have already modified inputs.conf (host = $decideOnStartup) and server.conf (hostnameOption = fullyqualifiedname) to no avail. Any help will be greatly appreciated.
Thank you for the reply... I successfully made a connection between Splunk ES and Splunk SOAR, but I can't make the connection between them automatically. Do you have a solution for that?
This is a pretty big question. I would recommend you start here: https://docs.splunk.com/Documentation/SOARExport/4.3.2/UserGuide/Configureoverview for how to connect Splunk and Splunk SOAR. From there, you'll need to set up the mechanism for sending alerts to SOAR and a playbook within SOAR for processing them the way you need to. What action you want to do on the endpoint will determine how to set that playbook up. If this is leveraging Defender, for example, you can set up an action to call Defender to quarantine an endpoint or something like that. It will vary a lot depending on your exact use case.
Haha yeah I guess so, FWIW I see both on ours... Some processes are suspended when they crash; others just crash and vanish from Task Manager. Truthfully I'm not sure what the difference between those behaviors is.
It appears the problem is still around. I am upgrading to 7.3.1 and still getting the error. I had to use the CLI option to upgrade.
Thank you.
| tstats count where index=* by index, sourcetype
Hi @whitecat001, you could try: index=* sourcetype=your_sourcetype. In this way you can find out which index it is. Ciao. Giuseppe
What command can I run if I am not sure which index the data associated with a sourcetype is stored in within Splunk?
So basically we moved from crashes (9.1) to process suspended (9.2)... I would prefer the first; at least something was collected. Thanks a lot for the feedback. Regards
@ivan5593 This is certainly possible using an authentication account, which will give you a token to interact with the SOAR API. Then you just need to use the correct API endpoint with the correct payload to send events to SOAR: https://docs.splunk.com/Documentation/SOARonprem/5.3.1/PlatformAPI/Using If you want to initiate a playbook from JIRA, then you need the playbook_run API endpoint with the correct payload. I would also say that the JIRA app has an On Poll action that you can set up with some JQL to only pull in what you want, and it will just create containers for you whenever it polls and finds something new. This would be better if you had playbooks that ran on ingestion into SOAR. -- Hope this helps! If so, please mark as a solution for future. Happy SOARing! --
Hello! I'm trying to integrate Splunk SOAR - Splunk - Jira to update the ticket status. The source of truth will be Jira, so any update should be propagated from Jira to the other Splunk products. I was wondering about configuring a webhook in Jira that triggers a playbook in Splunk SOAR and updates the tickets. Is there any way to accept webhooks in Splunk SOAR? Maybe a better way to do this integration? Thanks in advance!
Awesome, it's working! Thank you very much!
Unfortunately, support has been slow to get us a patched version or 9.2.2 ahead of its general release. They said that the 9.2.2 release was being pushed back. I dunno, still in a holding pattern on my end. That's concerning to hear that it didn't work for you... the "suspended behavior" is what I'm seeing on the existing 9.2.1 version.
Hello! I'm trying to resolve issues with splunkd being killed by the OOM reaper, and it would be nice to know which saved search (or ad-hoc search) is consuming too much RAM. In the Linux messages from the Search Head I have the PIDs of reaped splunkd processes, and the question is how to get the PID of splunkd for a particular saved search from the _internal index. Scheduler events have a SID field like this: sid="scheduler_aS5zLnNva29sb3Y_czdfc2llbV9uZXR3b3Jr__RMD58313482a27867d57_at_1716903900_27923" Is the last part of the SID (27923) a Linux process ID? Or maybe I can get the PID from some other source?
No, I downgraded my operating system to Server 2019 and everything started working. Ran into a different issue afterwards, unfortunately. Too much data was being forwarded and I had to start using a heavy forwarder.