About meetmshah - Splunk Community

Topics I've Started

Hello @Albert_Cyber, You have used the right way of Configure -> Incident Management -> Incident Review Settings -> Incident Review - Event Attributes. Just make sure you click the save button at the very bottom (I have seen a customer who had a similar issue and all it needed was to click on the "Save" button at the very end) If the issue is still not resolved, can you please provide below information / screenshots - - Search results showing the field is available - Notable configuration (AR) screenshot - Event Attributes screenshot

Hello @Rob2520, If you go to Content -> Manage Bookmarks section, there's a button for "Backup and Restore", have you tried that? Below screenshot for reference - Please accept the solution and hit Karma, if this helps!

Hello, Just checking through if the issue was resolved or you have any further questions?

Hello, Just checking through if the issue was resolved or you have any further questions?

Hello, Just checking through if the issue was resolved or you have any further questions?

Hello, Just checking through if the issue was resolved or you have any further questions?

Hello, Just checking through if the issue was resolved or you have any further questions?

Hello @jmmontejo, I am unable to run the Dashboard in Splunk. Can you please paste the full XML?

Hello @10061987, You can use fields from the first line of the results in the alert, e.g. $result.email$ assuming your search includes the email field. Then if you trigger the alert for each result (rather than just once), each result will execute the action with its corresponding row from the events. Reference - https://community.splunk.com/t5/Alerting/Splunk-Alerts-How-to-use-email-address-from-variable/m-p/633020#:~:text=You%20can%20use%20fields%20from,corresponding%20row%20from%20the%20events. Please accept the solution and hit Karma, if this helps!

Hello @nina, There are a few ways - - If you are planning to showcase some use cases as a part of Project - Splunk Security Essentials (https://splunkbase.splunk.com/app/3435) does have some built-in datasets. For example for Sample Brute Force Attack Detection - https://github.com/splunk/botsv3 does have a number of sample datasets for multiple sourcetypes - You can use EventGen (https://splunkbase.splunk.com/app/1924) to generate "more" events based on existing event formats. Please accept the solution and hit Karma, if this helps!

Hello @grotti, If I understand the issue correctly, you are getting the expected results, but not for 12 hours. Is that right? If so, you can use "| addinfo" command as below - | inputlookup append=T incident_review_lookup | addinfo | where time>=info_min_time | rename user as reviewer | `get_realname(owner)` | `get_realname(reviewer)` | eval nullstatus=if(isnull(status),"true","false") | `get_reviewstatuses` | eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status) | eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label) | eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description) | eval _time=time | fields - nullstatus It would give you the results based on whatever time range you are selecting from time range picker. Please accept the solution and hit Karma, if this helps!

Hello @drew19, Does `suppression` macro helps? If not, I would suggest creating a custom macro where you can filter based on fields and use the same in all the searches 🙂 Please accept the solution and hit Karma, if this helps!

Hello @ThuLe, There should be input available in the dropdown menu - Can you please confirm if this is something you are looking for? Please accept the solution and hit Karma, if this helps!

Hello @VK18, If you are using ES, you would be able to see the Retention Period under ES -> Audit -> Data Model Audit - You can also see the retention period through below search - | rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval key=replace('title',"tstats:DM_".'eai:acl.app'."_",""),datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","") | rename summary.time_range AS retention | eval retention=retention/(60*60*24) | table datamodel retention Please accept the solution and hit Karma, if this helps!

Hello @almomani, First and foremost, if the new SHC build is not in place - you can build a cluster and include the current SH as a member to replicate the KOs along with KVStore. However, if two clusters are already in place, you will manually need to append values for incident_review_comment_lookup, incident_review_lookup, incident_updates_lookup. You may also want to have events under notable and risk indexes if required. Please let me know if you have any follow-up questions. Also, please test it out on dev/pre-prod before appending values in Production.

AFAIK, Splunk Add-on for Cisco ASA inputs just monitors either syslog dumped files or monitors the port. In either of the case, Splunk will "ingest whatever is sent to it' and won't have anything to do with how events are being received or what happens before the file is written. So better way to troubleshoot is why the file itself has duplicate events (because Splunk only monitors what we ask for)

Hello @ornaldo, per my experience, I feel the issue should be from Syslog end and not from Splunk. Can you please check if the events are duplicated from Syslog end? Maybe check in the raw file or create a tcpdump and validate the duplicate events?

Hello @mike4860, I have usually seen people taking either of the 2 approches - Upload events from UI through tgz/csv etc. Use Eventgen (https://splunkbase.splunk.com/app/1924) on HF/UF to generate dummy events Please hit Karma, if this helps!

Hello @rjk123, Per https://docs.splunk.com/Documentation/Splunk/8.2.0/DistSearch/DeploymultisiteSHC#Search_head_clusters_do_not_have_site_awareness - Search head clusters do not have site awareness Site awareness is less critical for a search head cluster than an indexer cluster. If a search head cluster member is missing a replicated copy of a search artifact, the cluster proxies it from another member, which could reside on the same site or on another site I believe it's Okay to have both the clusters in a same site. Please accept the solution and hit Karma, if this helps!

Hello @gwes77, Can you please confirm what's the value of the action field? Because both, success and failed authentication does have "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)" in common but not action. Below screenshots for your reference -

Hello @qq-stan, Have you checked https://splunkbase.splunk.com/app/4251 for MCAP?

Hello @JLopez, Can you check if this is something you want - | rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | where disabled=0 | eval actions=split(actions, ",") | rename title as "Correlation Search", cron_schedule as "Cron Schedule" "dispatch.earliest_time" as "Earliest Time" dispatch.latest_time as "Latest Time" actions as "Actions" action.correlationsearch.annotations as "Annotations" | eval flag=if(LIKE(Annotations,"%mitre_attack%"),1,0) | table "Correlation Search" "Cron Schedule" "Earliest Time" "Latest Time" "Actions" Annotations flag

Hello @WillBryant, Have you checked - https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/exampleadaptiveresponse/ https://www.youtube.com/watch?v=OT11XMB8Bu0

I believe "script://./bin/uptime.sh" inputs would help you.

Can you please share search / Dashboard XML?

Karma from

User

Karma Count

2

1

1

1

1

Karma given to

User

Karma Count

Community Manager

1