All Posts


Good day,

I have a query to check my Entra logs to see which Conditional Access policies get hit. The query returns results like this, but I would like it to display only the policies that were success or applied, and not the ones that were not applied.

Current output (CA and CAName are multi-value fields, one row per sign-in):

    CA                           CAName
    success failure failure      CA-Office-MFA  CA-Signin-LocationBased  CA-HybridJoined
    notApplied success failure   CA-Office-MFA  CA-Signin-LocationBased  CA-HybridJoined
    notApplied success success   CA-Office-MFA  CA-Signin-LocationBased  CA-HybridJoined

What I want instead:

    CA                           CAName
    success failure failure      CA-Office-MFA  CA-Signin-LocationBased  CA-HybridJoined
    success success              CA-Signin-LocationBased  CA-HybridJoined
    success failure              CA-Signin-LocationBased  CA-HybridJoined

The search:

    index=db_azure_entraid sourcetype="azure:monitor:aad" command="Sign-in activity" category=SignInLogs "properties.clientAppUsed"!=null NOT app="Windows Sign In"
    | spath "properties.appliedConditionalAccessPolicies{}.result"
    | search "properties.appliedConditionalAccessPolicies{}.result"=notApplied
    | rename "properties.appliedConditionalAccessPolicies{}.result" as CA
    | rename "properties.appliedConditionalAccessPolicies{}.displayName" as CAName
    | dedup CA
    | table CA CAName
OK. Let's back up a little.

1. How are the events ingested? Read from files with a monitor input or some other way (like an HEC input or a modular input)? You mention UF, so I suspect monitor input(s), but I want to be sure.
2. I assume you meant props.conf, not propes.conf - that was just a typo here, right?
3. Line breaking is _not_ happening on the UF. You need to have your LINE_BREAKER defined on the first heavy component that the event passes through (if you're sending from the UF directly to indexers, you need this setting on the indexers).
We are developing a Splunk app that uses an authenticated external API. In order to support the Cloud Platform, we need to pass the manual check for the cloud tag, but the following error occurred, and we couldn't pass.

    ================
    [ manual_check ] check_for_secret_disclosure - Check for passwords and secrets.
    details: [ FAILED ] key1 value is being passed in the url which gets exposed in the network. Kindly add sensitive data in the headers to make the network communications secure.
    ================

Code:

    req = urllib.request.Request(f"https://api.docodoco.jp/v6/search?key1={self.apikeys['apikey1']}...
    req.add_header('Authorization', self.apikeys['apikey2'])

We understand that confidential information should be transmitted via HTTP headers or POST and should not be included in URLs. Since "key1" is not confidential information, we believe there should be no issue with including it in the URL. Due to the external API's specifications, "key1" must always be included in the URL, so we are looking for a way to pass this manual check. For example, if there is a support desk, we would like to explain that there is no issue with the part flagged in the manual check. Does anyone know of such a support channel? Alternatively, if there is a way to provide additional information to the reviewers conducting this manual review, we would like to know (for example, adding comments to the source code, etc.).
Thank you for your answers. It turned out I had to trust the SSL certificate.
Hi, thanks for the response.

Sample logs (these are coming in as a single event, as mentioned in the screenshot):

    zowin.exposed. 3600 in ns ns1.dyna-ns.net.
    zowin.exposed. 3600 in ns ns2.dyna-ns.net.
    zuckerberg.exposed. 3600 in ns ns1.afternic.com.
    zuckerberg.exposed. 3600 in ns ns2.afternic.com.
    zwiebeltvde.exposed. 3600 in ns docks13.rzone.de.
    zwiebeltvde.exposed. 3600 in ns shades01.rzone.de

I am applying this on the UF config (/etc/system/local/propes.conf):

    [zone_files]
    LINE_BREAKER = ([\r\n]+)
    SHOULD_LINEMERGE = false
Hi All, I am trying to pantag search results to a dynamic address group, but I am getting the error below. Please help if anyone has come across the same.

    External search command 'pantag' returned error code 2. Script output = "ERROR URLError: code: 401 reason: Key Expired: LUFR...dHc9 has expired. ".
I know. You are receiving what they send you. But you can often just talk with the sending party. Anyway, since it looks like there is something ELK-like in the middle, it could be worthwhile to check the ingestion process architecture - why are there middle men? Are we ingesting into multiple destinations from a single source? Maybe we could drop the extra stuff and not only lower our license consumption but also make our data compatible with existing TAs? So the short-term solution is of course to extract the string from one field of the JSON and run spath on it (there is no way I know of to do it automatically unless you want to get messy with regexes on this - another reason for getting your data tidy). But the long-term solution IMO is to get the data right.
When we are trying to run a report in the deployment server to get the hosts that are reporting to Splunk, it is giving the error below:

    Unable to determine response format from HTTP Header
    Connection failed with Read Timeout
    The REST request on the endpoint URI /services/deployment/server/clients?count=0 returned HTTP 'status not OK': code=502, Read Timeout.

Can anyone please suggest a workaround?
This is a sample event:

    <149>Jul 23 18:54:24 fireeye.mps.test cef[5159]: CEF:0|fireeye|HX|4.8.0|IOC Hit Found|IOC Hit Found|10|rt=Jul 23 2019 16:54:24 UTC dvchost=fireeye.mps.test categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=fwvqcmXUHVcbm4AFK01cim dst=192.168.1.172 dmac=00-00-5e-00-53-00 dhost=test-host1 dntdom=test deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 23 2019 16:54:22 UTC cs2Label=FireEye Agent Version cs2=29.7.0 cs5Label=Target GMT Offset cs5=+PT2H cs6Label=Target OS cs6=Windows 10 Pro 17134 externalId=17688554 start=Jul 23 2019 16:53:18 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host test-host1 IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=SVCHOST SUSPICIOUS PARENT PROCESS

I need to do field extractions and make the event display all the data without truncating it inside the details of the event.
Hi all, I tried to use this visualization to display a process tree and it runs, but I have an issue: some leaves of the tree aren't displayed. I have only around 1,900 rows, so I haven't hit the limit of 250,000 rows, nor the limit of 1,000 levels, because I have at most 5 levels. What could the issue be? Thank you for your help. Ciao. Giuseppe
Hi Peter,

Could you please check the event queue --> Event Queue Backlog: check if event queues on the forwarders are building up (seen in metrics.log). This can happen if there's too much data being processed at once.

Another thing to monitor is the network: during the time the logs stop, are there any changes in network utilization (on both the receiver's side and the forwarder's end)?

Also ensure the following settings on the forwarder side (this worked in my case, but results may vary in your setup):

    useACK=false
    autoBatch=false
Hi @aab1 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi again. Thank you very much for the clarification. /Best Rgds
In your interactions, you can use predefined tokens to set your own token, which can then be used in another panel - name will give you the name of the field (column) which was clicked  
Hi @aab1 , as I said, there's only one solution: create a custom admin without that feature and without the feature of altering roles, no other solution. Ciao. Giuseppe
This can be done with CSS which you can define in your SimpleXML in an HTML panel. Essentially, what you need to do is to turn columns into multi-value fields with an indicator for the format option to pick up and change the background colour. For the indicator in your case, you could check whether the previous date is different, i.e. it is the first in a series of copied dates. You can use streamstats to do this, something like this:

    | streamstats values(catchup_updated_time) as previous_catchup_updated_time window=1 current=f
    | eval catchup_updated_time=if(isnull(previous_catchup_updated_time) OR catchup_updated_time != previous_catchup_updated_time, mvappend(catchup_updated_time,"RED"), catchup_updated_time)

You then use CSS to hide (display: none) the second value in the multi-value field. See this answer (and similar) for clues: https://community.splunk.com/t5/Splunk-Search/How-to-color-the-columns-based-on-previous-column-valu...
Looking at our inputs.conf setup via "splunk btool inputs list --debug", I can't see that we have useACK=true set (if that's what you are referring to). We are capturing a range of Event IDs for reporting, as below. It all works fine; however, the issue occurs after restarting the Splunk UF.

    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   [WinEventLog://Security]
    \etc\apps\Splunk_TA_windows\default\inputs.conf      blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
    \etc\apps\Splunk_TA_windows\default\inputs.conf      blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   checkpointInterval = 5
    \etc\apps\Splunk_TA_windows\default\inputs.conf      current_only = 0
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   disabled = 0
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   evt_resolve_ad_obj = 1
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   index = win-securityeventlog
    \etc\system\default\inputs.conf                      interval = 60
    \etc\apps\Splunk_TA_windows\default\inputs.conf      renderXml = true
    \etc\apps\Splunk_TA_windows\default\inputs.conf      start_from = oldest
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist1 = EventCode=%^(104|1102)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist2 = EventCode=%^(2004|2006|2033)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist3 = EventCode=%^(33205)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist4 = EventCode=%^(4170|4624|4625|4634|4647|4648|4663|4673|4688|4719|4720|4722|4723|4724|4725|4726|4728|4732|4735|4738|4740|4742|4743|4756|4767|4768|4771|4778|4779|4781|4820)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist5 = EventCode=%^(517|528|529|538|540|551|552|592|5152|5157)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist6 = EventCode=%^(624|627|628|642|644|680|6279)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist7 = EventCode=%^(7045)$%
    \etc\apps\inputs_oswin_secevtlog\local\inputs.conf   whitelist8 = TaskCategory=%^Network Policy Server$%
@wwangsa_splunk Thanks very much for the update, but AFAICT the current release is already 9.3.0 Is it also incorporated in that branch?
Morning Giuseppe, thanks for the quick reply. My problem with this solution is that I somehow need to ensure that:

1. The full Splunk admin can't log in to the SH (since the SH is managed by a 3rd party, including custom TAs).
2. The 3rd-party-managed SH must not be able to alter the roles (so no access to the full admin).

Hence the need for an isolated setup where the roles are set on the peer site.
Hi @aab1, you have to create a custom role, cloning the admin role (don't use inheritance), removing the feature you want and also the features to change user capabilities (otherwise the customization isn't useful!). Then you give this role the grants to see only a part of the indexes. Ciao. Giuseppe