Hi,
I am doing some email count analysis and ran into the following problem.
For inbound email the recipients field contains a string of email addresses (it could be a few or hundreds of addresses), each separated by ";".
Using eval recipient=split(recipients,";") I am able to split them, but they are all split into a single field recipient which contains multiple values.
I want to do ...|search recipient="abc@abc.com" | timechart span=1d by recipient, however the search returns a timechart for ALL users in the recipient field.
I was thinking about using regex but I do not know how many fields to extract based on various number of recipients for each email message.
... View more
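One way to get a per-address timechart out of a ";"-delimited recipients field, as an added example that is not the poster's search. The index and sourcetype are placeholders; `recipients` is the raw field from the post. The key step is `mvexpand`: a `search` against a multivalue field matches an event when any of its values match, and `timechart ... by` on a multivalue field splits on every value, which is the "ALL users" symptom described above.

```spl
index=mail sourcetype=inbound_mail
| makemv delim=";" recipients
| mvexpand recipients
| eval recipient=lower(trim(recipients))
| search recipient="abc@abc.com"
| timechart span=1d count by recipient
```

`mvexpand` turns one event with N recipients into N single-value events, so for large mailboxes filter first with `| search recipients="*abc@abc.com*"` before expanding to keep the volume down; `mvexpand` truncates its output when it exceeds the memory limit set by max_mem_usage_mb in limits.conf. The `lower(trim(...))` normalisation avoids missing matches caused by stray spaces after the ";" or mixed-case addresses.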
Ok I got here....
| eval severity=if(category=="INFO","informational", " ")
What should my last argument be if I want the severity to stay unmodified if it does not equal INFO?
... View more
Hi,
I am trying to calculate a field from data that I receive from a vulnerability system.
The severity field returns "unknown", which screws up my dashboards.
I want to eval a field 'category' and, if it equals INFO, set field 'severity' to Informational.
search ... | eval severity=if(category,"INFO","Informational")
... View more
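The eval that both posts above are working towards, as an added example rather than the poster's search. `if()` takes a boolean condition as its first argument, then the value for true, then the value for false; passing the existing field name as the false branch leaves it unmodified. The index and sourcetype are placeholders.

```spl
index=vuln sourcetype=vulnscan
| eval severity=if(upper(trim(category))=="INFO", "informational", severity)
| stats count by category severity
```

String comparison with `==` is case-sensitive, so `upper(trim(...))` protects against "Info" or trailing spaces in the scanner output. When more than one category needs mapping, `case()` with a final `true(), severity` pair gives the same pass-through behaviour for everything not listed. The closing `stats` is only there to confirm the mapping before it goes into a dashboard.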
The search was missing backticks (``) around drop_dm_object_name("All_Identities").
Corrected and ran it, but it does not populate first and last name.
... View more
I have a lookup with 461 usernames. I want to input the lookup to Splunk and display corresponding First and Last name from Splunk Enterprise Security Identities.
Any ideas how to construct that search?
|inputlookup users | `identities`
user
xxxx
yyyy
zzzz
...
... View more
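A way to enrich the 461 usernames with first and last names from the ES identity data, added here as an example and not the poster's search. It assumes the expanded identities lookup is named identity_lookup_expanded with columns identity, first and last (the standard ES identity column names); the lookup `users` with its `user` column is taken from the post.

```spl
| inputlookup users
| eval user=lower(trim(user))
| lookup identity_lookup_expanded identity AS user OUTPUT first AS first_name last AS last_name
| table user first_name last_name
```

Using `lookup` rather than `join` avoids subsearch result limits and keeps every row from the input lookup, so usernames with no identity match show empty first_name and last_name; `| where isnull(first_name)` lists them. The expanded lookup carries one row per identity form (plain username, DOMAIN\user, email), so lowercasing the input is usually enough, but if the users lookup holds domain-qualified names they must be stripped or matched in that form.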
Understood. When I used wget --no-check-certificate, the file was downloaded with no issues.
C:\Program Files (x86)\GnuWin32\bin>wget --no-check-certificate https://publicsuffix.org/list/effective_tld_names.dat
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
--2016-10-27 14:06:13-- https://publicsuffix.org/list/effective_tld_names.dat
Resolving publicsuffix.org... 63.245.213.24
Connecting to publicsuffix.org|63.245.213.24|:443... connected.
WARNING: cannot verify publicsuffix.org's certificate, issued by `/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA':
Unable to locally verify the issuer's authority.
WARNING: certificate common name `static-san.mozilla.org' doesn't match requested host name `publicsuffix.org'.
HTTP request sent, awaiting response... 200 OK
Length: 190800 (186K) [text/plain]
Saving to: `effective_tld_names.dat'
100%[======================================>] 190,800 614K/s in 0.3s
2016-10-27 14:06:13 (614 KB/s) - `effective_tld_names.dat' saved [190800/190800]
... View more
There seems to be a problem with the certificate trust. It could be something to do with TLS 1.2.
Any ways to bypass the certificate verification in Splunk?
C:\Program Files (x86)\GnuWin32\bin>wget https://publicsuffix.org/list/effective_tld_names.dat
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc
--2016-10-27 13:20:47-- https://publicsuffix.org/list/effective_tld_names.dat
Resolving publicsuffix.org... 63.245.213.24
Connecting to publicsuffix.org|63.245.213.24|:443... connected.
ERROR: cannot verify publicsuffix.org's certificate, issued by `/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA':
Unable to locally verify the issuer's authority.
ERROR: certificate common name `static-san.mozilla.org' doesn't match requested host name `publicsuffix.org'.
To connect to publicsuffix.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
... View more
mozilla_public_suffix_list is set to update every 3 hours and it keeps failing every time it tries to update.
I checked the site and it is accessible -
https://publicsuffix.org/list/effective_tld_names.dat
What other information would you like to see to help diagnose?
... View more
After moving to Splunk 6.5 from Splunk 6.3.3, the following threat intelligence sources fail to download. Splunk ES was upgraded to 4.5
I checked the server has internet access. I also excluded corresponding URLs from the proxy.
msg="A threat intelligence download has failed" stanza="hailataxii_malware" status="Retrieved document from TAXII feed
msg="A threat intelligence download has failed" stanza="mozilla_public_suffix_list" status="threat list download failed after multiple retries
... View more
Here is the stanza (...\etc\apps\SplunkEnterpriseSecuritySuite\local\inputs.conf). I disabled it for now since it is not working correctly:
[threatlist://RansomwareTracker IP]
delim_regex = ,
description = Ransomware Tracker IP
fields = description:$3,ip:$8
ignore_regex = (^#|^\s*$)
interval = 43200
retries = 3
retry_interval = 60
skip_header_lines = 0
timeout = 30
type = threatlist
url = https://ransomwaretracker.abuse.ch/feeds/csv/
weight = 1
disabled = 1
... View more
Here are my configuration options and the results I am seeing in the ip_intel lookup. They seem to be wrong ....
Type: threatlist
URL: https://ransomwaretracker.abuse.ch/feeds/csv/
Weight: 1
Delimiting regular expression: ,
Fields: description:$4,ip:$8,domain:$5
Ignoring regular expression: (^#|^\s*$)
Skip Header lines: 0
... View more
Has anybody incorporated Ransomwaretracker (https://ransomwaretracker.abuse.ch/feeds/csv/) as a Threat Intelligence Feed in Splunk Enterprise Security?
I am wondering if someone could share settings used for Parsing Options:
Extracting regular expression
Fields
Ignoring regular expression
Skip header lines
... View more
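A search to check what a delimiter-parsed threat list actually produced, added as an example to go with the stanza and the "seems to be wrong" ip_intel results above; it is not from the posts. The `$N` references in `fields` are 1-based positions after splitting each line on delim_regex, and the two posts use different positions (`description:$3,ip:$8` versus `description:$4,ip:$8,domain:$5`), so the first thing to establish is what landed in the ip column. It assumes the ip_intel collection carries the stanza name in threat_key and the parsed address in ip.

```spl
| inputlookup ip_intel
| search threat_key="RansomwareTracker IP"
| eval valid_ipv4=if(match(ip, "^(\d{1,3}\.){3}\d{1,3}$"), "yes", "no")
| eval multi_valued=if(match(ip, "\|"), "yes", "no")
| stats count by valid_ipv4 multi_valued
| appendpipe [ stats sum(count) AS total ]
```

If valid_ipv4="no" dominates, the ip position is off by one or more columns (a comma inside a quoted field shifts everything after it). If multi_valued="yes" appears, the feed packs several addresses into one column with a separator such as "|", and those rows will never match a single source or destination address in the correlation searches; in that case the column needs to be split before it is usable, and the `weight` and `description` columns should be re-checked against the feed's own header line rather than assumed.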
Is there an efficient way to extract the two values to one field? Let's say User(name, last)? Or should the fields be merged after being extracted?
... View more
I am not an expert with regex and I am trying to extract a field name="First, Last" out of the following string:
user=LDAP://Server OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com/First\, Last
Any help is appreciated
... View more
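A `rex` pipeline for the LDAP string in the post, added as an example and not the poster's search; it also answers the follow-up question by producing both the combined name field and separate first/last fields. It assumes the value is already in a field called `user`; the index and sourcetype are placeholders. The `\,` before "Last" is the RFC 4514 escape for a comma inside a distinguished-name value, so it is stripped after the capture rather than fought in the regex.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
| rex field=user "^LDAP://(?<ldap_server>\S+)\s+(?<dn>[^/]+)/(?<name>[^/]+)$"
| eval name=replace(name, "\\\\,", ",")
| rex field=name "^(?<first>[^,]+),\s*(?<last>.+)$"
| table user ldap_server dn name first last
```

For the string `LDAP://Server OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com/First\, Last` this yields ldap_server=Server, dn=OU=Typical,OU=Users,OU=Branch,DC=domain,DC=com, name=First, Last, first=First and last=Last. The DN capture relies on the path containing no "/" before the final one, which holds for the format shown. The four backslashes in `replace` are needed because both the SPL string parser and the regex engine treat backslash as an escape; keeping name as one field and first/last as separate fields avoids having to merge them later.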
This is a default config. It is supposed to filter out 4662 events that contain junk and only leave 4662 events which contain GPO changes (see http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/ for details).
GPO changes were done today and I can see these events on Windows Event Viewer on DC.
... View more
No, the regular expression Message="Object Type:\s+(?!groupPolicyContainer)" filters out the junk
I am just looking to see Group Policy changes which I know took place earlier today in the morning, and I can see those events within Windows Event Viewer.
... View more
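A search to find out which 4662 events are reaching the index at all, added as an example and not from the posts. The `Message="Object Type:\s+(?!groupPolicyContainer)"` blacklist quoted above is applied at the input on the forwarder, so an event that is dropped there never shows up in any search; the negative lookahead keeps only events whose Object Type is groupPolicyContainer. The index and sourcetype are placeholders, and the `rex` is a fallback for when the TA has not already extracted an Object_Type field.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4662 earliest=-24h
| rex field=Message "Object Type:\s+(?<object_type>\S+)"
| stats count min(_time) AS first_seen max(_time) AS last_seen by host object_type
| convert ctime(first_seen) ctime(last_seen)
```

With the blacklist working as intended the only object_type row should be groupPolicyContainer. No rows at all for the DC in question, while the Event Viewer shows the events, points at the input side rather than the regex: either Security channel collection is not enabled for that host, or the effective blacklist differs from the one expected, which `splunk btool inputs list "WinEventLog://Security" --debug` on the forwarder will show together with the file each setting comes from. Rows with other object types mean the blacklist is not being applied on that host.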