Hi Splunkers, we have to connect our On Prem SOAR Solution (Palo Alto Cortex) to a Splunk Cloud instance. The dedicated SOAR integrations use API and ask: Username Password URL/Hostanem/IP Address Destination port We have some problems in destination port; we tried all the Splunk common one (9997, 8000, 8089, 8443) but we got always the Connection Timeour error. I'm wondering if, due we have a Splunk Cloud Environment, we need to ask to support some  ... View more

Hi Splunkers, we are setting a Splunk Cloud environment for a customer and we are working on Trigger Actions for alerts. We don't need, for now, some particular custom actions: afer alert triggering, sending an email to our SOC is enough. We know that fields in the events/alerts are easily usable thanks to $<field_name> notation, so how to customize the email action is not a problem. What we don't know is: if we have a custom template we want to use for our emails, with some logos and HTML code, is it possible simply put it in the message box? I mean, simply put our html code here: or we have to follow another way? And which one? ... View more

Hi Splunkers, we have an environment where for Windows Logs collection it is higly desiderated to avoid agent installation. After some searches, we found that the proper way is to use WMI. Now, what is not completely clear for us is the list of permission required for a Domain User; what we need is a short but esaustive list of permission for it. Untile now, we know that this user must: Be a domain user Belong to Event Reader group Have access to system where to collect logs Be able to read at minimum System, Application and Security logs in case of  AD DCs Be the user that execute the splunkd daemon for forwarder (HF or U, in our case HF) that must collect data with WMI Is there any other requirements we are missing?   ... View more

Hi Splunkers, today I'm here not for an issue, or better, not yet, but to "pull all togheter" the components of my task, which is forwarding Splunk data from HF to another system, an Exabeam UEBA in my case. I'm trying to prevent possibile errors I could do in changing the required files, so I may want perform a check here with you to understand if I got all I need from docs. Let me give you more context and introduce the current state. The Splunk environment installation and setup has not been performed by my team, but by another one That team has not created an outputs.conf file in SPLUNK_HOME/etc/system/local; they created each outputs.conf they required in a separate folder under the SPLUNK_HOME/etc/app one. So at this time we have a lot of outputs.conf files, but no one under SPLUNK_HOME/etc/system/local. At the same time, no props.conf and transforms.conf are present under SPLUNK_HOME/etc/system/local We must forward only a subset of data via syslog and we have to filter them with sourcetypes We have 2 destination syslog servers balanced by a Load Balancer, so we have to send data to LB VIP We are using syslog but, for some reason, we will not use the default UDP; we are going to use syslog via TCP I have no direct access to Splunk HF; the task is going to be performed with colleagues that have this access. I'm in charge of editing the required files and pass them to my colleagues, that will upload them on HF. Which documentation we used? Those one: Forward data to third-party systems  Route and filter data  Plus I searched other symylar topics here on community and tried to got some results. So, putting all data togheter, we stated that, because there are not the outputs.conf, props.conf and transforms.conf files in $SPLUNK_HOME/etc/system/local, we must: create outputs.conf,  props.conf and transforms.conf under $SPLUNK_HOME/etc/system/local folder populate them following docs If the above assumptions are right, I have some doubts about the files, because some docs points are not complete clear for me. So, suppose we want to to start forward only a subset of Windows EventID with syslog tcp; are the below conf files ok? outpust.conf:       [syslog:syslogToExabeamGroup] type = tcp server = <ipaddress>:<port>       Note that, cause I have to forward only a subset of data, I avoided the defaultGroup settings, like in the sample of Forward data to third-party systems docs. props.conf:       [<windows_sourcetype_name>] TRANSFORMS-routing1 = syslog_from_win_to_exabeam       Here I used directly the souretype name and not the syntax sourcetype::<sourcetype_name>; is it correct? Plus, even if in Forward data to third-party systems docs I have the syntax like TRANSFORMS-whatever_you_want, I followd what stated in Route and Filter Data and used a syntax like TRANSFORMS-routingX. transforms.conf:       [syslog_from_win_to_exabeam] REGEX = EventID\>(4624|4625|4648|4672|4720|4722|4723|4724|4725|4726|4728|4729|4732|4733|4740|4756|4757|4767|4768|4769|4770|4771|4776|4780|1102|4611|4663|4673|4674|4688|4697|4698|4719|4778|4779|4780|4800|4801|5136|5137|5138|5139|5140|5141|5145|6272) DEST_KEY = _SYSLOG_ROUTING FORMAT = syslogToExabeamGroup       The regex has been built based on our logs (we are receiving them in XML format). It seems all ok but I'm not sure I forgot/done bad some configuration. ... View more

Hi Splunkers, my colleague and I are going to perform, this week, a change to forward data from Splunk HF to a third party system, in this case a UEBA product. In this scenario, we have to forward not all data, but only some subsets. How to perform this is well explained in the official doc, here , so the purpose of my post is not to understand how to do this. Reading the guide, I found some point that are not completely clear, so I kindly ask you to help me to understand. Paragraph "Forward a set of data"; inside the file    transforms.conf​   we need to insert the following dest key:   DEST_KEY=_TCP_ROUTING   Do we need this because we are performing a tcp forwarding, as stated in the  file   outputs.conf   with stanza    [tcpout]   ? I mean, all times I need to perform a tcp forwarding, I must use always a stanza "tcpoutput" and I need a dest_key like the above one in case of data subsets?   What about if I need to perform a UDP forwarding? is it possible? If yes, How should I change stanzas in files? I mean, I can see that using syslog I could achieve this, but what about if I cannot/I don't want to use it?   ... View more