I would like to be able to define an alert for various forms of scanning activity (Broadscanning, Port Scanning, and application specific scanning like web vulnerability scannign). Based on the alert, I would like to take action to block the source IP address. I understand that the Palo Alto Networks App for Splunk can perform this sort of action with it's pantag. How do I build similar functionality into my Enterprise search or Splunk Enterprise Security (ES) apps. I imagine that the steps are: 1) Make pantag available to ES *either install Palo Alto app for Splunk or add pantag.py to my ES server *somehow set up credentials to allow pantag to submit a request to panorama 2) Create integration *Create a workflow to call the new command *create a custom alert action? Does this seem about right? Where can i learn how to do these things? ... View more

I am not very network savvy. Trying to get my home router to syslog to Splunk to look at connection info in the Home Monitor app. I can see events in the bandwidth_test sourcetype, so I know that I have the app running . If I go to settings|Data inputs|UDP, I can see UDP port 514 enabled with source type RT-N66U And in Windows Firewall, I can see that I have created an inbound rule called Splunk Syslog, which allows local port UDP 514, and remote port: all ports On my RT-N66U router I have set remote log server to my Splunk install's IP address. But in app, I see no logs and in the search app, I do not see events from syslog or RT-N66U or asus. I tried running netstat -p UDP, that returns nothing. netstat -p TCP does return a lot of high ports and 8000, 8191 (I think these are the Splunk app) Any clues/advise on what I am missing? ... View more

I have a dashboard that gives daily totals 1/1/17 500 1/2/17 332 1/3/17 509 I would like to be able to drill down to look at events making up the daily total. Is there a way for me to modify click.value to indicate the beginning and end of the day? what would I put in my earliest and latest values for the drill-down search? ... View more

My dashboard is based on a datamodel but it has drilldowns to the actual logs If I have a multiselect for actions (A, B, C), I can set the valuePrefix with a delimiter of "OR" <input type="multiselect" token="form_action"> <label>Action</label> <choice value="=A">A</choice> <choice value="=B">B</choice> <choice value="=C">C</choice> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>DataModel.action</valuePrefix> <delimiter> OR </delimiter> <default>=A,=B</default> <initialValue>=A,=B</initialValue> </input> So that based on selections, I can define DataModel search terms to DataModel.action=A OR DataModel.action=B However the actual event log does not have the field DataModel.action. It only has "action". So when I do a drilldown to the log events, I would like to be able so drill down to a search that includes action=A OR action=B The two ideas that I have to do this are rename the prefix to just "action" and delay my datamodel search terms until after I have selected from my datamodel: |tstats count from datamode=DataModel by DataModel.action | eval action=DataModel.action | search $form_action$ create field alias for my log source field action called DataModel.action then searches for DataModel.action should work IMO, the first option is bad because it does not allow further variation in log sources. So if I had visualizations that might drill down to different log sources, with different field names for "action", I could not create those drill downs The second option is slightly better but I would also not like to start creating aliases for logs source to match data models Is there a better way to do this? ... View more

I have a lookup table with IP address indicators that I would like to be alerted on whether the IP address is the source or destination. Is there a way to compare my indicators against both source and destination IP addresses so that a match on either one counts? If I had a single indicator, the search would look like |tstats count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.src_ip=8.8.8.8 or All_Traffic.dest_ip=8.8.8.8 When I have a lookup, I know how to search vs just source or destination, tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic GROUPBY All_Traffic.src_ip | search [inputlookup ipLookups.csv | fields + ipAddress| rename ipAddress as All_Traffic.src_ip] |table All_Traffic.src_ip count But is there a way for my ipAddress values to be compared against both source and destination so that a match on either one counts? As I think about it, I suppose that I could append an entire search but it feels like something that should be accomplishable in one pass append version, showing an overly complex search for something simple: tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic GROUPBY All_Traffic.src_ip | search [inputlookup ipLookups.csv | fields + ipAddress| rename ipAddress as All_Traffic.src_ip] | rename All_Traffic.src_ip as ip | table type ip count |append [ tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic GROUPBY All_Traffic.dest_ip | search [inputlookup ipLookups.csv | fields + ipAddress| rename ipAddress as All_Traffic.dest_ip] | rename All_Traffic.dest_ip as ip | table type ip count ] ... View more

I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources. One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP Address source, but prepended with "::ffff:" That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:" I have tried |tstats count FROM datamodel=Authentication WHERE Authentication.user="<user>" Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src for which I end up with an empty field called src and (longshot) |tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by ltrim(Authentication.src,"::ffff:") which give me the error Error in 'tstats' command: Invalid argument: '::ffff:)' if it matters, here is the larger query sourcetype=DhcpSrvLog "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search] | table time dest dest_ip ... View more