Hi
Thanks for the response.
sample logs: (these are coming as a single event as mentioned in screenshot)
zowin.exposed. 3600 in ns ns1.dyna-ns.net.
zowin.exposed. 3600 in ns ns2.dyna-ns.net.
zuckerberg.exposed. 3600 in ns ns1.afternic.com.
zuckerberg.exposed. 3600 in ns ns2.afternic.com.
zwiebeltvde.exposed. 3600 in ns docks13.rzone.de.
zwiebeltvde.exposed. 3600 in ns shades01.rzone.de
I am applying this on the UF config (/etc/system/local/props.conf):
[zone_files]
LINE_BREAKER= ([\r\n]+)
SHOULD_LINEMERGE = false
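As an added example (not code from the original post or from Splunk), the same `[\r\n]+` breaker applied in Python to a constructed copy of the six NS lines, followed by a field extraction that tolerates the missing trailing dot on the last record:

```python
import re

# Constructed blob: the six NS records from the post, arriving as one event
# because no line breaking was applied on the way in (mixed \n and \r\n on purpose).
BLOB = ("zowin.exposed. 3600 in ns ns1.dyna-ns.net.\n"
        "zowin.exposed. 3600 in ns ns2.dyna-ns.net.\n"
        "zuckerberg.exposed. 3600 in ns ns1.afternic.com.\r\n"
        "zuckerberg.exposed. 3600 in ns ns2.afternic.com.\n"
        "zwiebeltvde.exposed. 3600 in ns docks13.rzone.de.\n"
        "zwiebeltvde.exposed. 3600 in ns shades01.rzone.de")

LINE_BREAKER = re.compile(r"[\r\n]+")  # same regex as the props.conf stanza
# owner  TTL  class  type  rdata  (zone-file master format, one record per line)
RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<class>\S+)\s+(?P<type>\S+)\s+(?P<rdata>\S+)$")

def break_events(blob):
    """Split a multi-record blob into one event per line, dropping empty pieces."""
    return [e for e in LINE_BREAKER.split(blob) if e.strip()]

def parse_record(event):
    """Extract the fields of one zone-file line; returns None if it does not match."""
    m = RECORD.match(event.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    rec["class"] = rec["class"].upper()
    rec["type"] = rec["type"].upper()
    # Normalise the trailing dot so "shades01.rzone.de" and "docks13.rzone.de." compare alike.
    for k in ("name", "rdata"):
        rec[k] = rec[k].rstrip(".")
    return rec

def nameservers_by_zone(blob):
    """Map each zone owner name to the list of NS targets seen for it."""
    out = {}
    for ev in break_events(blob):
        rec = parse_record(ev)
        if rec and rec["type"] == "NS":
            out.setdefault(rec["name"], []).append(rec["rdata"])
    return out
```

A universal forwarder does not apply LINE_BREAKER or SHOULD_LINEMERGE unless it performs structured parsing (INDEXED_EXTRACTIONS); otherwise these props.conf settings take effect on the indexer or heavy forwarder that parses the stream.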
Hi All, I am trying to pantag search results to a dynamic address group, but am getting the below error. Please support if anyone has come across the same. External search command 'pantag' returned error code 2. Script output = "ERROR URLError: code: 401 reason: Key Expired: LUFR...dHc9 has expired. ".
I know. You are receiving what they send you. But you can often just talk with the sending party. Anyway, since it looks like there is something ELK-like in the middle, it could be worthwhile to check the ingestion process architecture: why are there middle men? Are we ingesting into multiple destinations from a single source? Maybe we could drop the extra stuff and not only lower our license consumption but also make our data compatible with existing TAs? So the short-time solution is of course to extract the string from one field of the JSON and run spath on it (there is no way I know of to do it automatically unless you want to get messy with regexes on this, another reason for getting your data tidy). But the long-term solution IMO is to get the data right.
When we are trying to run a report in the deployment server to get the hosts that are reporting to Splunk, it is giving the below error: Unable to determine response format from HTTP Header Connection failed with Read Timeout The REST request on the endpoint URI /services/deployment/server/clients?count=0 returned HTTP 'status not OK': code=502, Read Timeout. Can anyone please suggest a workaround?
This is a sample event:
<149>Jul 23 18:54:24 fireeye.mps.test cef[5159]: CEF:0|fireeye|HX|4.8.0|IOC Hit Found|IOC Hit Found|10|rt=Jul 23 2019 16:54:24 UTC dvchost=fireeye.mps.test categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=fwvqcmXUHVcbm4AFK01cim dst=192.168.1.172 dmac=00-00-5e-00-53-00 dhost=test-host1 dntdom=test deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Jul 23 2019 16:54:22 UTC cs2Label=FireEye Agent Version cs2=29.7.0 cs5Label=Target GMT Offset cs5=+PT2H cs6Label=Target OS cs6=Windows 10 Pro 17134 externalId=17688554 start=Jul 23 2019 16:53:18 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Found cs7Label=Resolution cs7=ALERT cs8Label=Alert Types cs8=exc act=Detection IOC Hit msg=Host test-host1 IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=SVCHOST SUSPICIOUS PARENT PROCESS
I need to do field extractions and make the event display all the data without truncating inside the details of the event.
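A field extractor for a CEF line like the one above, added here as an example (not code from FireEye or from a Splunk add-on); it splits the header on unescaped pipes, walks the extension by `key=` boundaries so values containing spaces survive, and resolves `csNLabel`/`csN` pairs into named fields the way the Splunk CEF extractions do:

```python
import re

# Constructed, shortened copy of the FireEye HX CEF event quoted in the post.
SAMPLE = ('<149>Jul 23 18:54:24 fireeye.mps.test cef[5159]: '
          'CEF:0|fireeye|HX|4.8.0|IOC Hit Found|IOC Hit Found|10|'
          'rt=Jul 23 2019 16:54:24 UTC dvchost=fireeye.mps.test '
          'categoryDeviceType=Forensic Investigation '
          'cs1Label=Host Agent Cert Hash cs1=fwvqcmXUHVcbm4AFK01cim '
          'dst=192.168.1.172 dhost=test-host1 '
          'cs4Label=IOC Name cs4=SVCHOST SUSPICIOUS PARENT PROCESS')

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; the value runs up to the next such key.
KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')

def parse_cef(line):
    """Return a dict of CEF header and extension fields; *Label keys become field names."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    # Split the header on pipes that are not backslash-escaped; piece 8 is the extension.
    parts = re.split(r'(?<!\\)\|', line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext = parts[7]
    matches = list(KEY_RE.finditer(ext))
    raw = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        raw[m.group(1)] = ext[m.end():end].strip()
    # cs1Label=Host Agent Cert Hash + cs1=... -> fields["Host Agent Cert Hash"]
    for key, value in raw.items():
        if key.endswith("Label") and key[:-5] in raw:
            fields[value] = raw[key[:-5]]
        elif not key.endswith("Label"):
            fields.setdefault(key, value)
    return fields
```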
Hi all, I tried to use this visualization to display a process tree and it runs, but I have an issue: some leaves of the tree aren't displayed. I have only around 1,900 rows, so I haven't hit the limit of 250,000 rows, nor the limit of 1,000 levels, because I have max 5 levels. What could the issue be? Thank you for your help. Ciao. Giuseppe
Hi Peter, could you please check Event Queue --> Event Queue Backlog: check if event queues on the forwarders are building up (seen in metrics.log). This can happen if there's too much data being processed at once. Another thing to monitor is the network: during the logs stop, any changes in the network utilization (both the receiver's side and the forwarder's end)? Also ensure the following inputs on the forwarder side (this worked in my case, but results may vary in your setup):
useACK=false
autoBatch=false
In your interactions, you can use predefined tokens to set your own token, which can then be used in another panel; name will give you the name of the field (column) which was clicked.
Hi @aab1 , as I said, there's only one solution: create a custom admin without that feature and without the feature of altering roles, no other solution. Ciao. Giuseppe
This can be done with CSS which you can define in your SimpleXML in an HTML panel. Essentially, what you need to do is to turn columns into multi-value fields with an indicator for the format option to pick up and change the background colour. For the indicator in your case, you could check whether the previous date is different, i.e. it is the first in a series of copied dates. You can use streamstats to do this, something like this:
| streamstats values(catchup_updated_time) as previous_catchup_updated_time window=1 current=f
| eval catchup_updated_time=if(isnull(previous_catchup_updated_time) OR catchup_updated_time != previous_catchup_updated_time, mvappend(catchup_updated_time,"RED"), catchup_updated_time)
You then use CSS to hide (display: none) the second value in the multi-value field. See this answer (and similar) for clues: https://community.splunk.com/t5/Splunk-Search/How-to-color-the-columns-based-on-previous-column-valu...
Looking at our inputs.conf setup via a "splunk btool inputs list --debug", I can't see that we have useack=true set (if that's what you are referring to). We are capturing a range of Event IDs for reporting as below. It all works fine; however, after restarting the Splunk UF when the issue occurs:
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf [WinEventLog://Security]
\etc\apps\Splunk_TA_windows\default\inputs.conf blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
\etc\apps\Splunk_TA_windows\default\inputs.conf blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf checkpointInterval = 5
\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf disabled = 0
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf evt_resolve_ad_obj = 1
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf index = win-securityeventlog
\etc\system\default\inputs.conf interval = 60
\etc\apps\Splunk_TA_windows\default\inputs.conf renderXml = true
\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist1 = EventCode=%^(104|1102)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist2 = EventCode=%^(2004|2006|2033)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist3 = EventCode=%^(33205)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist4 = EventCode=%^(4170|4624|4625|4634|4647|4648|4663|4673|4688|4719|4720|4722|4723|4724|4725|4726|4728|4732|4735|4738|4740|4742|4743|4756|4767|4768|4771|4778|4779|4781|4820)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist5 = EventCode=%^(517|528|529|538|540|551|552|592|5152|5157)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist6 = EventCode=%^(624|627|628|642|644|680|6279)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist7 = EventCode=%^(7045)$%
\etc\apps\inputs_oswin_secevtlog\local\inputs.conf whitelist8 = TaskCategory=%^Network Policy Server$%
Morning Giuseppe, thanks for a quick reply. My problem with this solution is that I somehow need to ensure that:
1. The full Splunk admin can't log in to the SH (since the SH is managed by a 3rd party, including custom TAs).
2. The 3rd-party-managed SH must not be able to alter the roles (so no access to the full admin).
Hence the need for an isolated setup where the roles are set on the Peer site.
Hi @aab1 , you have to create a custom role, cloning the admin role (don't use inheritance), removing the feature you want and also the features to change user capabilities (otherwise the customization isn't useful!). Then you give this role the grants to see only a part of the indexes. Ciao. Giuseppe
Hi @Mark_Heimer , did you modify only the Correlation Search name or also the Notable name? In Incident Review you see the Notable name, not the Correlation Search name. In addition, when I clone a CS, I always prefer to move it into a custom app and not release it in the Enterprise Security apps; in this way, I have all the customizations in a custom app. It isn't mandatory, but you have a cleaner and more ordered situation. Ciao. Giuseppe
Hi, I found this 2011 chat "72798" on Splunk to "considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do". Does anybody know if this is somehow available or doable in 2024? My case is that I need a standalone search head with access to a subset of all indexes in the cluster, but at the same time full control of the search head (Splunk admin capabilities except changes to the searchable index list). The aim is to separate the SH to be managed by a 3rd party.
Question 1: The last column is longer than the others; it's not aesthetic. I know I can adjust the height by editing the "<option name="height">" label, but the returned data changes all the time. If I set it "too high", it would seem weird. I want to solve two problems. 1. Don't show the "web scroll", meaning it can have an automatic size to accommodate my column data no matter how much data I have. 2. I want every column to share the space equally. Question 2: If my event exists too short, it seems too small and narrow. It's also not aesthetic. Can I make a "minimum bar chart or a circle" defined by myself (like what I drew on the image)?