All Topics
I am trying to use the Splunk Add-on for Tomcat for the first time. When I try Add Account, this results in the error message below. I think the add-on expects Java to be somewhere. Java is installed on my all-in-one Splunk server, where the add-on is installed. How do I make Java available to this add-on?

```
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/lib/splunktaucclib/rest_handler/handler.py", line 142, in wrapper
    for name, data, acl in meth(self, *args, **kwargs):
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/lib/splunktaucclib/rest_handler/handler.py", line 107, in wrapper
    self.endpoint.validate(
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/lib/splunktaucclib/rest_handler/endpoint/__init__.py", line 85, in validate
    self._loop_fields("validate", name, data, existing=existing)
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/lib/splunktaucclib/rest_handler/endpoint/__init__.py", line 82, in _loop_fields
    return [getattr(f, meth)(data, *args, **kwargs) for f in model.fields]
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/lib/splunktaucclib/rest_handler/endpoint/__init__.py", line 82, in <listcomp>
    return [getattr(f, meth)(data, *args, **kwargs) for f in model.fields]
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/lib/splunktaucclib/rest_handler/endpoint/field.py", line 56, in validate
    res = self.validator.validate(value, data)
  File "/opt/splunk/etc/apps/Splunk_TA_tomcat/bin/Splunk_TA_tomcat_account_validator.py", line 85, in validate
    self._process = subprocess.Popen( # nosemgrep false-positive : The value java_args is
  File "/opt/splunk/lib/python3.9/subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/opt/splunk/lib/python3.9/subprocess.py", line 1837, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'java'
```
Hi, I'm using the Journald input in the universal forwarder to collect logs from journald: https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/CollecteventsfromJournalD. When the data comes in, I set the sourcetype dynamically based on the value of the journald TRANSPORT field. This works fine. After that, I would like to apply other transforms to the logs with certain sourcetypes, e.g. remove the logs if the log contains a certain phrase. Unfortunately, for some reason, the second transform is not working. Here are the props and transforms configs that I'm using.

Here is my transforms.conf:

```
[set_new_sourcetype]
SOURCE_KEY = field:TRANSPORT
REGEX = ([^\s]+)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype

[setnull_syslog_test]
REGEX = (?i)test
DEST_KEY = queue
FORMAT = nullQueue
```

Here is my props.conf:

```
[source::journald:///var/log/journal]
TRANSFORMS-change_sourcetype = set_new_sourcetype

[sourcetype::syslog]
TRANSFORMS-setnull = setnull_syslog_test
```

Any idea why the setnull_syslog_test transform is not working?
I cannot get auth to work for the HTTP Input in the Splunk trial.

```
curl -H "Authorization: Splunk <HEC_token>" -k https://http-inputs-<stack_url>.splunkcloud.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'
```

My Splunk URL is https://<stack_url>.splunkcloud.com

I've scoured the forums and web trying a number of combinations here. The HTTP Input is in the Enabled state on the Splunk console. Any help is appreciated. Thank you.
I want to set up a Splunk alert that can have two thresholds:

1. If the time is between 8 AM and 5 PM, alert if AvgDuration is greater than 1000ms.
2. If the time is between 5 PM and 8 AM the next day, alert if AvgDuration is greater than 500ms.

How do I implement this? The query I am working on:

```
<mySearch>| bin _time span=1m| stats avg(msg.DurationMs) AS AvgDuration by _time, msg.Service | where AvgDuration > 1000
```
Can someone please help me with dashboard search query that will look for all alerts configured in splunk and list only those alerts having index=* 
Hi, I am using Splunk OTel to send logs to Splunk Enterprise. For different sourcetypes, I want to do different things, like add fields or remove fields. Can you guide me? Thanks a lot.

The below works:

```
transform/istio-proxy:
  error_mode: ignore
  log_statements:
  - context: log
    statements:
    - set(attributes["johnaddkey"], "johnaddvalue")
```

The below does not work:

```
transform/istio-proxy:
  error_mode: ignore
  log_statements:
  - context: log
    statements:
    - set(attributes["johntestwhere"], "johnvaluewhere") where attributes["sourcetype"]
      == "kube:container:istio-proxy"
```

The below does not work either:

```
transform/istio-proxy:
  error_mode: ignore
  log_statements:
  - context: log
    conditions:
    - attributes["sourcetype"] == "kube:container:istio-proxy"
    statements:
    - set(attributes["johnaddkeyc"], "johnaddvaluec")
```
Hello everyone, I have found posts over the last 10 years with a specific error/bug(?). The src and dest IP addresses are swapped for the Cisco ASA event with ID 302013. If you look in the app, it even points out that these two fields are knowingly swapped. However, for the following Teardown event of the same connection, the IPs are not swapped. I am trying to figure out why this is the case. Since postings about this topic have been around for 10 years now and the app says "# direction is outbound - source and destination fields are swapped" ... it can't be an error. But I can't explain it. Can anyone comment on this?

Example:

```
<166>Dec 23 2024 10:36:04: %ASA-6-302013: Built outbound TCP connection 224811914 for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 (172.27.252.1/8200) to fwr_sample_172.20.25.0/26:172.27.13.131/62388 (172.27.13.131/62388)
```

Result: src=172.27.13.131 || dest=172.27.252.1

```
<166>Dec 23 2024 10:36:04: %ASA-6-302014: Teardown TCP connection 224811914 for dmz-sample-uidoc_172.27.252.0/27_604:172.27.252.1/8200 to fwr_sample_172.20.25.0/26:172.27.13.131/62388 duration 0:00:00 bytes 0 TCP FINs from fwr_sample_172.20.25.0/26
```

Result: src=172.27.252.1 || dest=172.27.13.131

Thanks and best regards
Jan
We are currently trying to integrate Zoom logs using Splunk Connect for Zoom. We have a Load Balancer (LB) in front of a Heavy Forwarder (HF) in our configuration, but the URL validation is failing when configuring the Zoom App webhook. I could not find any reference to load balancer (LB) configuration in the documentation. Therefore, we would like to confirm whether Splunk Connect for Zoom supports configuration via an LB. If so, please let us know if there are any additional settings required for the LB or HF.
Hello, I am getting the error message "Sorry (170037) This folder is no longer available" when trying to register for now 3 courses, including Search Under the Hood, Data Models and Introduction to Enterprise Security. What is going on?
Hello, while trying to deploy ES using the Deployer GUI, I want to enable SSL. However, I faced the below:
Hi, I installed a Splunk app and events are sent to the default index. But I need to change the index to a custom index. I tried to create a local/inputs.conf file and repackaged the app. The app was rejected when I uploaded it to Splunk Cloud, even after I changed the appID. I also looked at the Splunk ACS API, but could not figure out if it can be used to customize configuration files and which endpoint URL to use. Thanks in advance.
See https://community.splunk.com/t5/Splunk-Search/Upgrade-to-5-x-some-of-my-existing-searches-are-taking-longer-to/m-p/158429
We have a TrueSight integration with Splunk that is sending results when a certain event occurs. Sometimes no events are being sent, and I want to document only the first time it happens, for example:

```
Time:         0   5  10  15  20  25  30  35  40  45  50  55   0   5  10  15  20  25  30
# of Events:  3   4   0   0   0   8  15   2   0   5  55  66   0   0   0   0   0   8   9
```

I want to include 0 values only the first time they occur, and not every time we have an alert.

Please assist.
I'm new to Splunk and trying to display a table in the below format after reading data from JSON. Could someone help me with the Splunk query?

```
Transaction Name   pct2ResTime
Transaction 1      4198
Transaction 2      1318
Transaction 3      451
```

JSON file name: statistics.json

```
{
  "Transaction1" : {
    "transaction" : "Transaction1",
    "pct1ResTime" : 3083.0,
    "pct2ResTime" : 4198.0,
    "pct3ResTime" : 47139.0
  },
  "Transaction2" : {
    "transaction" : "Transaction2",
    "pct1ResTime" : 1151.3000000000002,
    "pct2ResTime" : 1318.8999999999996,
    "pct3ResTime" : 6866.0
  },
  "Transaction3" : {
    "transaction" : "Transaction3",
    "pct1ResTime" : 342.40000000000003,
    "pct2ResTime" : 451.49999999999983,
    "pct3ResTime" : 712.5799999999997
  }
}
```
Hi, I have created a new token under Settings > Access Tokens. By rights I should be getting a token ID to copy immediately (for use elsewhere). However, after creating and waiting on multiple tokens, I cannot see this token ID to copy anywhere. Could I get some help with knowing where or how to copy this token ID? Thank you!
Trying to get success and failure status counts using the below query, but it's not filtering out the duplicate URLs. Can someone help me with this? I want the result in fewer rows, but lob, URI, API_Status and their count should show.

```
"*/prescriptions/eni/api/api-cw/*" (URI != "*/prescriptions/eni/api/api-cw/legacySession/cache*") | stats count by lob,URI,API_Staus
```

The result is coming as below:
We have a very vanilla SC4S configuration that has been working flawlessly, with a cron job that runs "service sc4s restart" every night to upgrade. We just discovered that a few nights ago, it did not come back from this nightly restart. When examining the journal with this command:

```
journalctl -b -u sc4s
```

We see this:

```
Error response from daemon: pull access denied for splunk/scs, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
```

This problem could happen to ANYBODY at ANY TIME, and it took us a while to completely work around it, so I am documenting the whole story here.
I'm trying to create an alert that looks through a given list of indexes and triggers an alert for each index showing zero results within a set timeframe. I'm trying with the following search:

```
| tstats count where index IN (index1, index2, index3, index4, index5) BY index | where count=0
```

But this doesn't work, because running the first line on its own only shows the indexes that are not empty and nothing, not even count=0, for the empty index. I also tried

```
| tstats count where index IN (index1, index2, index3, index4, index5) BY index | fillnull count value=0 | where count=0
```

But that doesn't work either. The problem is that if "index5", for example, is showing no results, "| tstats count..." doesn't return anything, not even a null result. So something like "| fillnull" is not working at the end because there is no "index5" row to "fillnull". I have seen other solutions use

```
| rest /services/data/indexes ...
```

and join or append the searches to each other, but since I'm on Splunk Cloud, it doesn't work due to the error "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability".

The only working solution I have so far is to create an alert for each index I want to monitor with the following search

```
| tstats count where index=<MY_INDEX> | where count=0
```

but I would rather have a single alert running each time with a list that I can change if I need to than multiple searches competing for a timeslot and all that. I have considered other solutions like providing a lookup table with a list of indexes I want to search and using lookup to compare against the results, but that seems too cumbersome.

Is there a way to trigger an alert for empty indexes from a single given list on Splunk Cloud?
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v4.44.0). With this release, there are 8 new analytics, 3 new analytic stories, and 261 updated analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

The new Lumma Stealer analytics story includes detections related to this information-stealing malware, which leverages several obfuscation techniques like base64 encoding and clipboard manipulation to evade detection.

The new Meduza Stealer analytics story includes detections designed to help identify activity related to this stealer, a relatively new threat that was first identified in 2023 and targets sensitive information like login credentials and financial details.

The new PXA Stealer analytics story features detections to help identify this data-stealing malware, which is especially stealthy as it's able to evade antivirus software.

New Analytics (8)
Microsoft Defender ATP Alerts
Microsoft Defender Incident Alerts
Windows BitLockerToGo Process Execution
Windows BitLockerToGo with Network Activity
Windows Credentials Access via VaultCli Module
Windows RDP File Execution
Windows RDPClient Connection Sequence Events
Windows RunMRU Command Execution

New Analytic Stories (3)
Lumma Stealer
Meduza Stealer
PXA Stealer

Updated Analytics (261)
A number of analytics have been updated to address minor typos in the description field, make use of macros, or capture equivalent variants of commands.
7zip CommandLine To SMB Share Path
Active Setup Registry Autostart
Add DefaultUser And Password In Registry
Add or Set Windows Defender Exclusion
Allow Inbound Traffic By Firewall Rule Registry
Allow Operation with Consent Admin
Any Powershell DownloadFile
Attacker Tools On Endpoint
Attempted Credential Dump From Registry via Reg exe
Auto Admin Logon Registry Entry
BCDEdit Failure Recovery Modification
Batch File Write to System32
CMD Echo Pipe - Escalation
CertUtil Download With URLCache and Split Arguments
CertUtil Download With VerifyCtl and Split Arguments
Certutil exe certificate extraction
Clear Unallocated Sector Using Cipher App
Clop Common Exec Parameter
Clop Ransomware Known Service Name
ConnectWise ScreenConnect Path Traversal Windows SACL
Conti Common Exec parameter
Control Loading from World Writable Directory
Create Remote Thread In Shell Application
Create local admin accounts using net exe
Creation of Shadow Copy with wmic and powershell
Creation of Shadow Copy
Credential Dumping via Copy Command from Shadow Copy
Credential Dumping via Symlink to Shadow Copy
Curl Download and Bash Execution
DNS Exfiltration Using Nslookup App
DSQuery Domain Discovery
Deleting Shadow Copies
Detect AzureHound Command-Line Arguments
Detect Certify Command Line Arguments
Detect Distributed Password Spray Attempts
Detect Exchange Web Shell
Detect HTML Help Spawn Child Process
Detect HTML Help URL in Command Line
Detect HTML Help Using InfoTech Storage Handlers
Detect MSHTA Url in Command Line
Detect Password Spray Attempts
Detect Regasm Spawning a Process
Detect Regsvcs Spawning a Process
Detect Regsvr32 Application Control Bypass
Detect Rundll32 Application Control Bypass - advpack
Detect Rundll32 Application Control Bypass - setupapi
Detect Rundll32 Application Control Bypass - syssetup
Detect Webshell Exploit Behavior
Detect mshta inline hta execution
Disable AMSI Through Registry
Disable Defender AntiVirus Registry
Disable Defender BlockAtFirstSeen Feature
Disable Defender Enhanced Notification
Disable Defender MpEngine Registry
Disable Defender Spynet Reporting
Disable Defender Submit Samples Consent Feature
Disable ETW Through Registry
Disable Logs Using WevtUtil
Disable Registry Tool
Disable Security Logs Using MiniNt Registry
Disable Show Hidden Files
Disable UAC Remote Restriction
Disable Windows App Hotkeys
Disable Windows Behavior Monitoring
Disable Windows SmartScreen Protection
Disabling CMD Application
Disabling ControlPanel
Disabling Defender Services
Disabling FolderOptions Windows Feature
Disabling NoRun Windows App
Disabling SystemRestore In Registry
Disabling Task Manager
Domain Controller Discovery with Nltest
Domain Group Discovery With Net
Domain Group Discovery With Wmic
Dump LSASS via comsvcs DLL
Dump LSASS via procdump
ETW Registry Disabled
Elevated Group Discovery With Net
Enable RDP In Other Port Number
Enable WDigest UseLogonCredential Registry
Enumerate Users Local Group Using Telegram
Excel Spawning PowerShell
Excel Spawning Windows Script Host
Executable File Written in Administrative SMB Share
Executables Or Script Creation In Suspicious Path
FodHelper UAC Bypass
GPUpdate with no Command Line Arguments with Network
Hide User Account From Sign-In Screen
Hiding Files And Directories With Attrib exe
Icacls Deny Command
Impacket Lateral Movement Commandline Parameters
Impacket Lateral Movement WMIExec Commandline Parameters
Impacket Lateral Movement smbexec CommandLine Parameters
Kerberoasting spn request with RC4 encryption
Known Services Killed by Ransomware
Linux Auditd File Permission Modification Via Chmod
Malicious PowerShell Process - Encoded Command
Malicious Powershell Executed As A Service
Monitor Registry Keys for Print Monitors
Net Localgroup Discovery
Network Connection Discovery With Net
Office Application Drop Executable
Office Application Spawn Regsvr32 process
Office Application Spawn rundll32 process
Office Product Spawning BITSAdmin
Office Product Spawning CertUtil
Office Product Spawning MSHTA
Office Product Spawning Rundll32 with no DLL
Office Product Spawning Windows Script Host
Office Product Spawning Wmic
Office Product Writing cab or inf
Office Spawning Control
Okta Mismatch Between Source and Response for Verify Push Request
Password Policy Discovery with Net
Ping Sleep Batch Command
PowerShell 4104 Hunting
Powershell Disable Security Monitoring
Powershell Processing Stream Of Data
Registry Keys Used For Privilege Escalation
Registry Keys for Creating SHIM Databases
Remote Process Instantiation via DCOM and PowerShell
Remote Process Instantiation via WMI and PowerShell
Remote System Discovery with Net
Resize ShadowStorage volume
Rundll32 Control RunDLL World Writable Directory
Rundll32 Shimcache Flush
Rundll32 with no Command Line Arguments with Network
Ryuk Wake on LAN Command
SLUI RunAs Elevated
SLUI Spawning a Process
Schedule Task with HTTP Command Arguments
Schedule Task with Rundll32 Command Trigger
Schtasks scheduling job on remote system
SearchProtocolHost with no Command Line with Network
SecretDumps Offline NTDS Dumping Tool
ServicePrincipalNames Discovery with SetSPN
Services Escalate Exe
Shim Database Installation With Suspicious Parameters
Short Lived Scheduled Task
Short Lived Windows Accounts
Single Letter Process On Endpoint
Splunk Unauthenticated Log Injection Web Service Log
Spoolsv Spawning Rundll32
Spoolsv Writing a DLL
Suspicious Computer Account Name Change
Suspicious Copy on System32
Suspicious Process DNS Query Known Abuse Web Services
Suspicious Process File Path
Suspicious Process With Discord DNS Query
Suspicious mshta child process
Time Provider Persistence Registry
WBAdmin Delete System Backups
WMIC XSL Execution via URL
Wget Download and Bash Execution
WinEvent Scheduled Task Created Within Public Path
WinEvent Scheduled Task Created to Spawn Shell
WinRAR Spawning Shell Application
Windows AD Cross Domain SID History Addition
Windows AD Domain Controller Promotion
Windows AD Domain Replication ACL Addition
Windows AD Privileged Account SID History Addition
Windows AD Replication Request Initiated by User Account
Windows AD Replication Request Initiated from Unsanctioned Location
Windows AD Same Domain SID History Addition
Windows AD Short Lived Domain Controller SPN Attribute
Windows AD Short Lived Server Object
Windows Access Token Manipulation SeDebugPrivilege
Windows Alternate DataStream - Process Execution
Windows COM Hijacking InprocServer32 Modification
Windows Change Default File Association For No File Ext
Windows Command Shell DCRat ForkBomb Payload
Windows Command and Scripting Interpreter Path Traversal Exec
Windows Computer Account With SPN
Windows ConHost with Headless Argument
Windows Credential Access From Browser Password Store
Windows Credential Dumping LSASS Memory Createdump
Windows Credentials from Password Stores Chrome Extension Access
Windows Credentials from Password Stores Chrome LocalState Access
Windows Credentials from Password Stores Chrome Login Data Access
Windows Credentials from Password Stores Creation
Windows Credentials from Password Stores Deletion
Windows Curl Download to Suspicious Path
Windows Curl Upload to Remote Destination
Windows DISM Remove Defender
Windows DLL Search Order Hijacking with iscsicpl
Windows Defender Exclusion Registry Entry
Windows Disable Change Password Through Registry
Windows Disable Lock Workstation Feature Through Registry
Windows Disable LogOff Button Through Registry
Windows Disable Notification Center
Windows Disable Shutdown Button Through Registry
Windows Disable Windows Event Logging Disable HTTP Logging
Windows Disable or Modify Tools Via Taskkill
Windows Domain Admin Impersonation Indicator
Windows ESX Admins Group Creation via Net
Windows Event Log Cleared
Windows Excessive Disabled Services Event
Windows Execute Arbitrary Commands with MSDT
Windows Gather Victim Network Info Through Ip Check Web Services
Windows Hidden Schedule Task Settings
Windows Hide Notification Features Through Registry
Windows Impair Defense Configure App Install Control
Windows Impair Defense Disable Web Evaluation
Windows Impair Defense Override SmartScreen Prompt
Windows InstallUtil Remote Network Connection
Windows InstallUtil URL in Command Line
Windows InstallUtil Uninstall Option with Network
Windows InstallUtil Uninstall Option
Windows Kerberos Local Successful Logon
Windows KrbRelayUp Service Creation
Windows LSA Secrets NoLMhash Registry
Windows MOF Event Triggered Execution via WMI
Windows MSIExec Spawn Discovery Command
Windows MSIExec Spawn WinDBG
Windows Masquerading Explorer As Child Process
Windows Masquerading Msdtc Process
Windows Mimikatz Binary Execution
Windows Modify Registry Disable Restricted Admin
Windows Modify Registry EnableLinkedConnections
Windows Modify Registry LongPathsEnabled
Windows Modify Registry NoChangingWallPaper
Windows Modify Registry to Add or Modify Firewall Rule
Windows Modify Show Compress Color And Info Tip Registry
Windows Modify System Firewall with Notable Process Path
Windows Network Share Interaction With Net
Windows Non Discord App Access Discord LevelDB
Windows Office Product Spawning MSDT
Windows PaperCut NG Spawn Shell
Windows Parent PID Spoofing with Explorer
Windows Privilege Escalation User Process Spawn System Process
Windows Query Registry UnInstall Program List
Windows Raccine Scheduled Task Deletion
Windows Rasautou DLL Execution
Windows Registry BootExecute Modification
Windows Registry Certificate Added
Windows Registry Delete Task SD
Windows Registry Modification for Safe Mode Persistence
Windows Regsvr32 Renamed Binary
Windows Remote Assistance Spawning Process
Windows Remote Service Rdpwinst Tool Execution
Windows SOAPHound Binary Execution
Windows Scheduled Task with Highest Privileges
Windows Security Account Manager Stopped
Windows Service Create SliverC2
Windows Service Create with Tscon
Windows Service Creation Using Registry Entry
Windows Snake Malware Service Create
Windows Spearphishing Attachment Onenote Spawn Mshta
Windows Special Privileged Logon On Multiple Hosts
Windows Steal Authentication Certificates - ESC1 Authentication
Windows System Binary Proxy Execution Compiled HTML File Decompile
Windows UAC Bypass Suspicious Escalation Behavior
Windows Unsecured Outlook Credentials Access In Registry
Windows Valid Account With Never Expires Password
Windows WinDBG Spawning AutoIt3
Winhlp32 Spawning a Process
Winword Spawning Cmd
Winword Spawning PowerShell
Winword Spawning Windows Script Host
Wscript Or Cscript Suspicious Child Process

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team
Using "Securing the Splunk platform with TLS", I have converted Microsoft-provided certificates to PEM format and verified them with the `openssl verify -CAfile "CAfile.pem" "Server.pem"` command. TLS configuration of the web interface using web.conf is successful. TLS configuration of forwarder to indexer has failed consistently using the indexer server.conf file and the forwarder server.conf file as detailed in the doc. Our deployment is very simple: 1 indexer and a collection of Windows forwarders. Has anyone been able to get TLS working between forwarder and indexer on version 9+? Any tips on splunkd.log entries that may point to the issue(s)? Thanks for any help. I will be out of office next week but will return Dec 30 and check this. Thanks again.