hi i have some process data in the source=ps  want to get status if down. i have observed it can be done using PID. for example one command ./cybAgent.bin  which is running with some PID and after stopped it and started it PID will change and new PID is showing in the splunk data but how we can determine when its stopped below are the events before and after restarted 10/20/23 12:07:31.000 PM root    6043    0.7    1.2    6769248    201544    ?    Ssl    Oct06    158:59    ./cybAgent.bin    -a host = testhost 10/20/23 12:07:02.000 PM root    6043    0.7    1.2    6769248    201544    ?    Ssl    Oct06    158:59    ./cybAgent.bin    -a host = testhost           10/20/23 3:50:30.000 PM root 20414 1.0 1.1 6766164 189864 ? Ssl 01:41 2:12 ./cybAgent.bin -a host = testhost 10/20/23 3:50:03.000 PM root 20414 0.9 1.1 6766164 189864 ? Ssl 01:41 2:11 ./cybAgent.bin -a host = testhost

@Ragamonster you will need to use REST to find the task you want to add the note to and then POST the note to that task. https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlatformAPI/RESTNotes  Specifically look at the below: You can do this using the HTTP app but I prefer using the sessions API as it's pre-authenticated and gives you a lot more control: https://docs.splunk.com/Documentation/SOARonprem/6.1.1/PlaybookAPI/SessionAPI  -- Hope this helps. If so please mark as a solution for future readers. Happy SOARing! --

Hi, I am having this same issue at the moment as the domain i manage is completely airgapped form the internet so no cloud connectivity. After some digging i found have read there are events in the event viewer. Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational 1116 - MALWAREPROTECTION_STATE_MALWARE_DETECTED 1117 - MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN 1118 - MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED 1119 - MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED I haven't tested them yet as i have literally just found them online this minute and came across this message board at the same time.  I hope this helps and if you have found anything extra can you put them in here too. Im going set up the forwarder now to collect these and create a dashboard  KR Richard 

If anybody still facing this issues and could not figured out the solution. In my case, I had to change view type.  You can see here there are three options to choose Raw, List, Table. If you want to set JSON syntax highlight by default, you should choose List view.  

Hello ttovarzoll, Thank you for providing your solutions. Unfortunately it doesn't work in all cases as showed in the following screenshots where the 'User Account Control' is filled. I can image that this is also the case for other fields. Did you came across this issue and do you perhaps have an solution for this?     Kind regards, Jos

The only way volunteers can help you concretely is for you to post sample or mock data (anonymize as needed) in text, illustrate desired results (in text), then explain the logic between illustrated data and results.  Forget Splunk.  What would you be looking for in the data you illustrate to determine status by PID?  What does "status of process based on PID" even mean? Do you mean listing status of process grouped by PID? (Splunk and many data query languages call this group-by.)

Have you looked up Create a CSV lookup definition?  You can define a field as match type CIDR.  The question is extremely vague.  If you want concrete help, illustrate mock data, desired results, and explain the logic between data and desired results.