Hi,   Are you using a syslog server or TCP/UDP inputs from Splunk?   If you are using TCP or UDP inputs directly on Splunk your source field should show tcp:PORT or udp:PORT (unless you override the source for your inputs).   If you are using a syslog server to receive your data, I would suggest you to check configuration files and ports that are listen on the server (if you have access to this server). One other think you could check is the source of your data, since It must have some forwarding configuration to a specific host and port. ... View more

Hi, Could you please provide a sample of your logs? Based on the fields described in your search I created a sample file and could reach the results using the following query: index=... source_id=SMTP (event_id=RECEIVE) user_bunit=Energy recipient_domain="IID.com" | stats count as RECEIVE by recipient | append [ search index=... source_id=SMTP (event_id=SEND) user_bunit=Energy recipient_domain="IID.com" | stats count as SEND by recipient] | stats values(SEND) as SEND, values(RECEIVE) as RECEIVE by recipient The was my output:   ... View more

Hi, You can try to use some simple search like:   index=NETWORK_INDEX src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32) | stats count by src_ip, dest_ip   Or using Network Traffic data model:   | from datamodel:Network_Traffic.All_Traffic | search src_ip=10.0.0.0/8 AND (dest_ip=47.114.37.0/24 OR dest_ip=49.85.84.0/24 OR dest_ip=61.111.20.129/32 OR dest_ip=62.217.245.69/32 OR dest_ip=109.166.202.229/32) | stats count by src_ip, dest_ip   A best approach you can use is using lookups.  If you have a lookup table with fields similar to IP and STATUS, It is possible to create a lookup definition. Supposing you have the lookup below, you can create a lookup definition named ip_blacklist:   ip,status 47.114.37.0/24,blacklist 49.85.84.0/24,blacklist 61.111.20.129/32,blacklist 62.217.245.69/32,blacklist 109.166.202.229/32,blacklist   After that, you can use the lookup and its fields in your search:   index=NETWORK_INDEX src_ip=10.0.0.0/8 | lookup ip_blacklist ip as dest_ip OUTPUT status | where status="blacklist" | stats count by src_ip, dest_ip   Or using Network Traffic data model:   | from datamodel:Network_Traffic.All_Traffic | search src_ip=10.0.0.0/8 | lookup ip_blacklist ip as dest_ip OUTPUT status | where status="blacklist" | stats count by src_ip, dest_ip   ... View more

Hi, I would try to use some regex like this one:   ^.+screenconnect\.techmedia\.com\.au.+$   I have tested it using Regex101 (https://regex101.com/r/gHJVDp/2), with the URLs below:   screenconnect.techmedia.com.au screenconnect2.techmedia.com.au screenconnect.techmedia10.com.au   * I also recommend you to test this regex (and any other you build or find) in a dev environment, before using it in your production transforms.conf file. ... View more

Hi, Have you tried to force the use of Splunk's local authentication? You can do that using the "?loginType=splunk" after the "/login". Example: https://SPLUNK:8000/en-US/account/login?loginType=splunk Maybe using this endpoint you will be able to login with your admin user. ... View more

Hi, If you want to list which users are using each application, maybe the "| stats values()" can be useful:   ... | stats values(username) by application   Also, if you don't mind, you can share any query you have already tried so I can help you to to include the stats command.   ... View more

HI,   I guess that when you use the "| dedup Username" you are removing all duplicate entries of users.   As an example, if user "John" uses app A and app B, dedup command will return only one of these apps. I think the best approach for the unique users per application is to use the "| stats dc()".   You can try something like: index="autodesk-licensing" | lookup autodesklicenses.csv Feature AS product OUTPUT FriendlyName AS "product" | rename "product" AS "Application", "username" AS "Username", "lichost" AS "Hostname" | addtotals | stats dc(Username) as "Total Unique Users" by "Application"   ... View more

Hi, Maybe you can try using the query below as base for your need:   ... | eval expected_date = strftime(now(), "%m-%d-%Y 7:15") | eval expected_timestamp= strptime(expected_date, "%m-%d-%Y %H:%M") | eval event_date = strftime(_time, "%m-%d-%Y %H:%M") | eval event_timestamp = strptime(event_date, "%m-%d-%Y %H:%M") | eval diff = event_timestamp - expected_timestamp | eval result = case(diff = 0, "1", diff >= 1800, "3", 1=1, "2") | table _time, expected_date, event_date, diff, result   The output result was: _time expected_date event_date diff result 2020-06-11 07:45:00 06-11-2020 7:15 06-11-2020 07:45 1800.000000 3 2020-06-11 07:50:00 06-11-2020 7:15 06-11-2020 07:50 2100.000000 3 2020-06-11 07:00:00 06-11-2020 7:15 06-11-2020 07:00 -900.000000 2 2020-06-11 07:20:00 06-11-2020 7:15 06-11-2020 07:20 300.000000 2 2020-06-11 07:15:00 06-11-2020 7:15 06-11-2020 07:15 0.000000 1 ... View more

Sure, if you want to take a further look on the Threat Activity rule works on Splunk ES, search for the Saved Searches ending with "Threat Gen", on the DA-ESS-ThreatIntelligence context. I guess you would even be able to create a Threat Gen search for your custom list, but maybe a simplified approach would be better and faster, such as the lookup file for matching your logs. ... View more

Hi, This PC name contains a domain or any related information? If so, maybe the "ip_intel" would fit your use case. Also, in case you have not seen it yet, these are the supported types of threat intel in Enterprise Security: https://docs.splunk.com/Documentation/ES/6.1.1/Admin/Supportedthreatinteltypes In my opinion, the only attention point in case you create a custom list is to validate if your active correlation searches and Threat Activity generating searches will be able to use this custom list. One other option is to have this PC name in a IOC lookup file and create a custom search for correlating the lookup and your log sources. ... View more

Have you checked your Security Group? To make sure port 8000 is allowed from your IP? ... View more

Well, since you need to match the FQDN, I guess that using the regex proposed by @to4kawa would help you better. But just to confirm, you need "87431.always.lost.com" to match just "always.lost.com" on your IOC list? Or do you need it to also match "lost.com"? ... View more

Hi, Your Heavy Forwarder deployment is on AWS? Are you able to access the HF using SSH? If your server is deployed into an EC2 instance, I would recommend you to take a look at your Security Groups configuration, and make sure that access is allowed from your IP on the ports used by Splunk Web (default is 8000). ... View more

Hi, Maybe you could try to first extract the domain from your query field, and then search your IOC csv file. index=answers | rex field=query "\.(?<domain>\w+\.\w+?)(?:$|\/)" | eval query = mvappend(query, domain) | lookup ioc FQDN as query OUTPUT FQDN | search FQDN=* | table srcip, dstip, query, FQDN The search above had returned a table like this: Also, if you are using Splunk Enterprise Security, I recommend you to take a look on the Threat Activity Detected correlation search and on the Splunk threat feeds feature. ... View more

Yes, kind of it. We increase the risk score of an asset based on the severity of Darktrace alerts. As example, If host A has an alert that is HIGH or CRITICAL in darktrace, we would also increase risk score for host A on ES. ... View more

Hey, I am also using Splunk ES and Darktrace. We created a correlation search to create notables when Darktrace alerts logged into Splunk. It helped us on correlating the darktrace alerts with our assets and identities lists from ES, increasing risk score of users and systems based on Darktrace alerts score. Also, you should take a look at Darktrace Connector for Splunk: (https://splunkbase.splunk.com/app/3539/) ... View more

Hi, For Windows use cases I think you could consider monitoring: Windows authentication brute force attempts. Process creation and powershell execution Inclusion and Removal of users in admin groups Creation of local admin accounts Audit log clear RDP connections And much more... You can also take a look at Splunk Security Essentials (https://splunkbase.splunk.com/app/3435/) and Splunk ES Content Updates (https://splunkbase.splunk.com/app/3449/). Both apps contain lots of alerts and correlation searches you can use, some of them even mapped to MITRE ATT&CK framework. In addiction, this github repo has several monitoring rules that can be used in SIEM, including Windows use cases: https://github.com/Neo23x0/sigma Maybe Tenable App for Splunk can give you some insights about Nessus: https://splunkbase.splunk.com/app/4061/#/details ... View more

If that case, you can populate your check box options like this: <fieldset submitButton="false"> <input type="checkbox" token="deployment" searchWhenChanged="true"> <label>Deployment</label> <choice value="*">All</choice> <search> <query>index=answers source=assets.csv | dedup deployment | table deployment</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <delimiter> </delimiter> <default>*</default> <fieldForLabel>deployment</fieldForLabel> <fieldForValue>deployment</fieldForValue> </input> </fieldset> ... View more

You mean you need to dynamically populate the check box options? ... View more

Hi, I guess that you could try some searches like below: 1) | search bank="xxx" AND action="approve" | stats count 2) | search bank="yyy" AND action="decline" | stats count 3) | search bank="yyy" AND action="decline" Using just one search we would have something like this: index="IDX" source="log_sample.log" bank="xxx" AND action="approve" | stats count as xxx_approve | appendcols [| search index="IDX" source="log_sample.log" bank="yyy" AND action="decline" | stats count as yyy_decline] | appendcols [| search index="IDX" source="log_sample.log" bank="yyy" AND action="decline" | stats values(_raw) as yyy_decline_value] Let me know if this helps you or you need anything else. ... View more

Hey, I don't know if this is exactly what you wanted, but I hope It helps you. I have created a dashboard containing two checkboxes, one returns all of my deployments, and the other one returns just AWS hosts (The "All" check box is the default one). If I select the "AWS" check box I will have as results just my AWS hosts: Below is my dashboard source code: <form> <label>Assets</label> <fieldset submitButton="false"> <input type="checkbox" token="deployment" searchWhenChanged="true"> <label>Deployment</label> <choice value="*">All</choice> <choice value="aws">AWS</choice> <search> <query/> <earliest>-24h@h</earliest> <latest>now</latest> </search> <delimiter> </delimiter> <default>*</default> </input> </fieldset> <row> <panel> <table> <title>Assets</title> <search> <query>index=answers source=assets.csv deployment=$deployment$ | table hostname, os, deployment</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> ... View more

I removed the splunk clean command from my answer, thanks for the advice. ... View more

I use python requests, above is a simple function that can be used to close notables: # STATUS # 0 - Unassigned # 1 - New # 2 - In Progress # 3 - Pending # 4 - Resolved # 5 - Closed # URGENCY # informational, low, medium, high, critical status = 5 urgency = 'low' comment = 'Closed by Python' new_owner = 'admin' rule_uids = EVENT_ID def update_notable(status, urgency, comment, new_owner, rule_uids): status = status urgency = urgency comment = comment new_owner = new_owner rule_uids = rule_uids url = 'https://SPLUNK_SERVER:8089/services/notable_update' params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner} response = requests.request(method='POST', url=url, data=params, verify=False, auth=HTTPBasicAuth('USER', 'PASSWORD')) return response.text Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.html ... View more