Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hettervik
hettervik
Builder
Member since:
09-25-2015
Tuesday
Community Statistics
| Posts | 250 |
| Solutions | 20 |
| Karma Given | 99 |
| Karma Received | 45 |
| Member Since | 09-25-2015 |
Activity Feed
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 04-11-2023 02:17 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 04-11-2023 02:17 AM
- Got Karma for Re: Assets Exceeding Field Limits, Source: [merge]. 03-29-2023 06:45 AM
- Got Karma for Re: How to make the Splunk ES Risk-Based Alerting risk threshold search case insensitive. 03-06-2023 03:17 AM
- Karma Risk based alerting - Contributing Risk Events Drilldown not working? for torstein1. 09-26-2022 08:06 AM
- Got Karma for Re: How to make the Splunk ES Risk-Based Alerting risk threshold search case insensitive. 09-21-2022 09:25 PM
- Posted Re: Risk isn't showing up in the Edit Correlation Search on Splunk Enterprise Security. 09-16-2022 06:49 AM
- Posted Re: Risk Score, Risk Event and Risk Object is not showing in the notable event. on Splunk Enterprise Security. 09-15-2022 04:14 AM
- Karma Re: Is an admin-user available by default on a Splunk Universal Forwarder (UF)? for gcusello. 09-15-2022 04:06 AM
- Posted Re: Is an admin-user available by default on a Splunk Universal Forwarder (UF)? on Security. 09-15-2022 12:54 AM
- Posted Is an admin-user available by default on a Splunk Universal Forwarder (UF)? on Security. 09-08-2022 12:58 AM
- Posted Re: How to stop getting duplicate events from WindowsUpdateLog? on Getting Data In. 09-02-2022 06:51 AM
- Karma Re: The Notable Generation doesn't produce the expected results? for davidem. 08-26-2022 07:44 AM
- Posted Re: RBAC for Notable events? on Splunk Enterprise Security. 08-26-2022 07:41 AM
- Posted Re: How can I view the source index where Splunk Enterprise Security take the event? on Splunk Enterprise Security. 08-26-2022 07:32 AM
- Got Karma for Re: How to exclude events with same session_id - Remote Desktop Network Bruteforce. 08-26-2022 07:30 AM
- Posted Re: How to exclude events with same session_id - Remote Desktop Network Bruteforce on Splunk Enterprise Security. 08-26-2022 07:13 AM
- Posted Re: The Notable Generation doesn't produce the expected results? on Splunk Enterprise Security. 08-26-2022 06:51 AM
- Karma Re: Is there any way to securely disable the delete command in Splunk? for gcusello. 08-25-2022 07:56 AM
- Posted Re: Is there any way to securely disable the delete command in Splunk? on Security. 08-25-2022 07:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 |
09-16-2022
06:49 AM
Do you want a correlation search to add risk score to an object? If so, you have to edit the correlation search in Splunk ES, and then add a "Risk Analysis" response action, all the way at the bottom of the edit page. There you can add risk scores to users and systems from you correlation search.
... View more
09-15-2022
04:14 AM
Hi. Yes, I see the confusion. The fields you add under the response action "Risk Analysis" are not added the the notable event itself (index=notable), they are added to the risk event (index=risk). These risk events are used for Risk-Based Alerting, among other things. If you want the "user" and "app" fields to be added to the notable event, just make sure these fields are present in the final output of your correlation search, and you shoud see them in the incident.
... View more
09-15-2022
12:54 AM
I've done some digging in the documentation. For UFs on Windows it's specified that if you don't specify the "SPLUNKPASSWORD" and "SPLUNKUSERNAME" flags, the UF install without an admin user at all. https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller For potential older UFs with default credentials we've concluded that the easiest way to make sure these doesn't exist, is to delete all password files from all Windows UFs, deleting all users if any. For Linux UFs the documentation doesn't specify what happens when you don't create an admin user on install, or if it's even possible to not create an admin user. We could assume it works the same way as for Windows UFs, but have to do some testing. I will comment this on the official documentation, so perhaps it's updated on next release. https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Installanixuniversalforwarder
... View more
09-08-2022
12:58 AM
We're looking over our environment for potential safety flaws. One question that came up is whether an admin-user is available by default on Splunk Universal Forwarders (UF). I'm not thinking about the user the UF runs as on the OS, but an admin user on the application layer. Earlier Splunk Enterprise had a default admin password "changeme". Did this also apply for UFs? How can we make sure that there is no admin users on our UFs, or that if there is, that they have proper passwords?
... View more
Labels
- Labels:
-
authentication
09-02-2022
06:51 AM
Seems like this problem has been addressed in newer versions of the supported Splunk Windows TA. https://docs.splunk.com/Documentation/AddOns/released/Windows/Configuration#Configure_Windows_Update_Logs_in_inputs.conf
... View more
08-26-2022
07:41 AM
In general, as notable events are stored in a separate index (called "notable"), the permission for the indexes for the original events doesn't apply anymore. However, I guess you could add the index field from the original events to the notable event, call it e.g. "original_index", and then create a search filters for different user groups, so that for example users with access to index "foobar" can only see notable events with "original_index=foobar". I'm not sure how this would work for incidents in Splunk ES though, as I understand that viewing incidents in the "Incident Review" in Splunk ES is not the same as looking up events from the notable index per se, and that search filters might not apply here.
... View more
08-26-2022
07:32 AM
If you want index to be included as a field in the incident itself, you could add "index" as an incident review event attribute. Configure > Incident Management > Incident Review Settings > Incident Review - Event Attributes For this to work you would also have to make sure that the index field is included in the output of your correlation searches as well. This would require edits to a lot of the out-of-the-box correlation searches that use the tstats command on data models.
... View more
08-26-2022
07:13 AM
1 Karma
Note that "session_id" is not an eval field in the Network Traffic data model, meaning that it could be null for some entries. If you add session_id to the by clause, these entries would be dismissed. If this is the case, you can either use the "fillnull_value" argument on the tstats command, or instead of adding session_id after the by clause, add it as a values function. | tstats summariesonly=t count values(All_Traffic.session_id) as session_id min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest All_Traffic.dest_port
... View more
08-26-2022
06:51 AM
You haven't activated the alert throttling in the correlation search by chance? That could explain it. Alternatively, if the alert run frequently over a small timespan, e.g. run each 5 minutes and searches in the last 5 minutes, and there's also a delay in the logs to Splunk, the alert could "miss" the logs. The solution to this would be to add a delay to the search, so that it e.g. searches from -10m to -5m instead of -5m to now.
... View more
08-25-2022
07:49 AM
Thanks. Though we have a distributed environment, so if the attacker gets access to CLI on the search head, they still cannot delete the data on the indexers. We have extra layers of protection for the indexers. Therefore it would still help to be able to disable the delete command, if I'm not missing something.
... View more
08-25-2022
04:54 AM
In Splunk there exist a delete command. Any admin in Splunk can give themself the capability to use this command. In theory, if a single admin user in our Splunk environment is compromised, the attacker can delete all data from the Splunk indexers. I know that the data is not actually deleted from disk when using the delete command, but still it is for all practical purposes deleted. Is there any way to securely disable the delete command/capability in Splunk, so that not even administrators can get access to it? Preferably we want to disable the command on the indexer layer, so that even if the OS on the server hosting the search head is compromised the command cannot be used. Alternatively, if the command can be disabled on the search head in a way that it cannot be re-enabled through the web interface, that is better than nothing.
... View more
- Tags:
- delete
Labels
- Labels:
-
permissions
08-16-2022
03:32 AM
2 Karma
Don't need an answer to this question, just wantet to share my solution.
... View more
08-16-2022
03:29 AM
We've starter lookin into Risk-Based Alerting (RBA) in Splunk ES, and noticed that the logic for the risk notables is in fact case sensitive for risk objects (users and systems, mostly). This is a bit counterintuitive, as the Asset & Indentity (A&I) settings clearly says that it is are not case sensitive, but we figured out that RBA doesn't use A&I at all, and instead just used the fieldvalue for the user/system directly, without having any logic to merge users/systems under different aliases. I've made a small change to the RBA alert "Risk Threshold Exceeded For Object Over 24 Hour Period" to at least make it case insensitve, in case anyone else need a fix for this problem as well. Just change the two first lines for the search from this: | tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")` To this: | tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, values(All_Risk.tag) as tag, values(source) as source from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
| eval risk_object=lower(risk_object)
| stats sum(risk_score) as risk_score, sum(risk_event_count) as risk_event_count, values(annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(tag) as tag, values(source) as source, dc(source) as source_count by risk_object, risk_object_type
... View more
Labels
- Labels:
-
configuration
-
correlation search
07-01-2022
03:00 AM
In your case the error message seems to be linked to a specific script, in a specific stanza, in a specific app. I would look into that particular input script, "duo_input.py". Perhaps it's using unsupported Python 2 (as opposed to Python 3)?
... View more
06-28-2022
01:09 AM
New working link that always point to latest version 🙂 https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup
... View more
05-20-2022
05:43 AM
On the page "Configure data collection using a REST API call" there is a section about adding setup parameters. However, on the shell input page "Configure data collection using a shell command" there is no such section. There is a section about adding input parameters, but it's not the same. The reason I'm asking is because I'm trying to add setup parameterts to a shell input, and I just get error messages in the final validation page, no matter what I do. Should it be the same syntax as for REST-inputs, or is it different for shell inputs? See attached screenshot of what I'm trying to do. I've already tried the following versions of the parameter syntax, but I get the same error messages for all of them, and yes, I've added values to the parameters (in the Add-on Setup Parameters tab). ${__settings__.additional_parameters.my_parameter}
${additional_parameters.my_parameter}
${my_parameter} Also, I get it to work if I switch to input parameters instead, but in this case I want to use setup parameters, as I'm planning to re-use the parameters in several inputs.
... View more
Labels
- Labels:
-
scripted input
04-21-2022
06:36 AM
1 Karma
Thanks for sharing this, works great! Could also be added in the readme that it's possible to change the destination for the lookups on the target server by changing the following lines in myvariables.py. From: SplunkLookupURL = "/services/properties/lookups"
SplunkSearchURL = "/services/search/jobs" To: SplunkLookupURL = "/servicesNS/-/<yourapp>/properties/lookups"
SplunkSearchURL = "/servicesNS/-/<yourapp>/search/jobs"
... View more
04-21-2022
06:34 AM
Sorry for not updating this thread earlier. It's a while ago since I worked with this, but if I remember correctly the problem was not related to performance at all, even though the error messages might indicate so. Think this worked out after ensuring that the user account and password was correct and that there were no firewalls blocking the request from Splunk to Proofpoint. My understanding is that the Proofpoint TAP SIEM Add-on runs a test on the data input settings before saving them, which includes actually connecting to Proofpoint with the credentials, so you cannot pre-save the data input before everything else is in order as well.
... View more
03-25-2022
04:44 AM
This is great, but is there any way of finding the "search_id" of a scheduled search? I've tried using the search_id that is listed in the URL when opening the search in the GUI and the search_is that is listed on the enpoint https://<host>:<mPort>/services/search/jobs (which I found to be not the same for some reason), but I always get the result "Unknown endpoint". Anyone know how to find the correct ID for a scheduled search?
... View more
03-15-2022
08:19 AM
In Splunk ES we have correlation searches creating notable events. The timestamp of the notable event, and thus the timestamp of the incident in "Incident Review", is the time of when the correlation search ran. Is there any way to change this timestamp to a custom timestamp, i.e. the time of the actual log event in Splunk that triggered the notable event? I know one solution is to make the correlation search run really often, like every minute, which would make the timestamps quite precise, but not perfect, and also this would not be optimal with regards to performance. Also, I guess we could change the default time parsing of notable events in Splunk ES and add my own time field, e.g. "my_time_field", and use this field for time parsing instead, but then all out-of-the-box correlation searches in Splunk ES would stop working properly and it is in general not a good solution. We've made a temporary solution to this by adding a new "Incident Review Event Attribute" field called "Alert Time", which adds a new field to the incidents with the "real" timestamp, but it's not optimal, as the time of the incident itself is still the same. Is there any other way?
... View more
- Tags:
- time
Labels
- Labels:
-
correlation search
-
notable event
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Tuesday
|
Karma from
Karma given to
