Hello, Need to color cells in a dashboard table based on duplicate cell values (2 or more) within the same row.  Here is the formatting code for the attached example.       <format type="color"> <colorPalette type="sharedList"></colorPalette> <scale type="sharedCategory"></scale> </format>       Thanks and God bless, Genesius ... View more

Hello, I have this ldapsearch that returns  10's of thousands of records.      | ldapsearch search=(&(objectClass=User)(!(objectClass=computer)))     I want to filter on the whenCreated attribute to return new users in the past 7 days, sliding window. Is it possible to perform filtering by one or more attributes on the ldapsearch command line? I know I can use Splunk evals after  the ldapsearch command to do this. Thanks and God bless, Genesius ... View more

Hello, As we know, trying to create an all-encompassing search for the log4j is a very difficult task because of the infinite number of possibilities for entering the letters jndi and any of the possible protocols; ex. ldap; dns; https; etc. We came up with this SPL, which has been very successful. However, there is a good possibility of some false positives. We haven't found too many though.     index=* AND "\$" ```All sites discussing log4j examples containing at least one dollar sign. Therefore, we are only reporting those types of events.``` ```No evidence (thus far) has been shown that these logs would contain log4j-type strings. Therefore, these logs are excluded.``` AND NOT source IN (/var/adm/messages, /var/adm/sulog, /var/adm/syslog*, /var/log/authlog, /var/log/messages, /var/log/secure, /var/log/syslog, /var/log/sudo.log, bandwidth, cpu, interfaces, iostat, netstat, openPorts, protocol, ps, top, vmstat, nfsiostat) AND NOT sourcetype=syslog ```These 12 strings have been found in events with different variations of the log4j string.``` AND ((Basic AND Base64) OR "/securityscan" OR "/callback" OR exploit OR "/nessus" OR (interact OR interactsh) OR kryptoslogic OR "service.exfil.site" OR secresponstaskfrce OR billdemirkapi OR mburpcollab OR leakix) ```Flags/Indicators to match the different strings above.``` | eval base64=if(match(_raw,"Base64"),"X","") | eval dnsscan=if(match(_raw,"/securityscan"),"X","") | eval exploit=if(match(_raw,"Exploit"),"X","") | eval nessus=if(match(_raw,"/nessus"),"X","") | eval interact=if(match(_raw,"interact") or match(_raw,"interactsh"),"X","") | eval kryptos=if(match(_raw,"kryptoslogic"),"X","") | eval exfilsite=if(match(_raw,"service.exfil.site"),"X","") | eval secrettask=if(match(_raw,"secresponstaskfrce"),"X","") | eval billdemirk=if(match(_raw,"billdemirkapi"),"X","") | eval burpcollab=if(match(_raw,"mburpcollab"),"X","") | eval leakix=if(match(_raw,"leakix"),"X","") ```These are the known protocols where log4j attacks have been seen. These matches look for the first letter used for each protocol (j), followed by anything, then the next letter (n), etc. This "hopefully" will catch any/all possible variations used by attackers. Note: A future search is being designed to find where URL Encoding repalces any/all of the letters within each JNDI protocol string.``` | where match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p") or match(_raw,"j.*n.*d.*i.*\:.*d.*n.*s") or match(_raw,"j.*n.*d.*i.*\:.*r.*m.*i") or match(_raw,"j.*n.*d.*i.*\:.*l.*d.*a.*p.*s") or match(_raw,"j.*n.*d.*i.*\:.*n.*i.*s") or match(_raw,"j.*n.*d.*i.*\:.*i.*i.*o.*p") or match(_raw,"j.*n.*d.*i.*\:.*c.*o.*r.*b.*a") or match(_raw,"j.*n.*d.*i.*\:.*n.*d.*s") or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p") or match(_raw,"j.*n.*d.*i.*\:.*h.*t.*t.*p.*s") or match(_raw,"(\:)*-") or match(_raw,"lower\:") or match(_raw,"upper\:") or match(_raw,"date\:") or match(_raw,"env\:") or match(_raw,"jndi") | sort 0 -_time | table _time, index, host, source, status, base64, dnsscan, exploit, nessus, interact, kryptos, exfilsite, secrettask, billdemirk, burpcollab, leakix, _raw, http_user_agent,   We have found events also substituting URL Encoded characters for jndi........ Please let me, and the rest of our Splunk community, know if there are any issues with this search. Also, any new text signatures discovered other than those in Step 2. And any other discoveries. Together, let's find, stop this vulnerability.  Thanks and God bless, Genesius   ... View more

Hello, Anyone else having trouble posting on Answers? Thanks and God bless, Genesius ... View more

Hello, This article, https://research.splunk.com/stories/log4shell_cve-2021-44228/ , lists many log4j attack vectors and how Splunk can help detect them. This includes what datamodels to implement/use and the SPL. However, the SPL includes various macros. And these macros do not exist on my Splunk implementation. Where do I find these macros? Thanks and God bless, Genesius ... View more

Hello, Checking out this answer is helpful, except if the value of the column is multivalue. How do you remove the blue hyperlink color and background from an image when you click on it?   <html> <style> #tableWithDrilldown2 table tbody tr td,#tableWithDrilldown2 table thead th a{color: white !important;} </style> </html> <table id="tableWithDrilldown2">   This is the value of one of the columns in our dashboard table.   | eval events=case( pt="1-acc",TIME." ".dur." ".pt." Code=".cde." ".certStatus." for ".user, pt="2-pay",TIME." ".dur." ".pt." ".user." Code=".cde." ".week." $".gross." Bal: $".bal, pt="3-new",TIME." ".dur." ".pt." ".user." Code=".cde)   This is an example of the output of only two users. The combination of events can be in different orders and have 1, 2, or all 3 of the types of events (acc, pay, new). NOTE: The time between the set of the events of the two users is a coincidence, and not common.   19:35:09.3 10.7 1-acc Code=0000 Success for Jessie 19:35:19.2 09.8 3-new Jessie Code=2801 19:36:56.3 01:37.1 2-pay Jessie Code=0000 03-27-2021 $0 Bal: $17250 19:45:09.3 10.7 1-acc Code=0000 Success for Billie 19:45:19.2 09.8 3-new Billie Code=2801 19:46:56.3 01:37.1 2-pay Billie Code=0000 03-27-2021 $0 Bal: $17250     Thanks and God bless, Genesius ... View more