I have a team that wants specific notables to be automatically assigned to specific team members. Is this even possible with ES? The way the team works, is that specific members are assigned notables based off severity and tags. so something with severity=critical and tag=PAM* would be assigned to user1, and something with severity=high|critical and tag= would be assigned to user2. Right now, there's rotational duties to look at IR and assign notables, and a strong desire to automate this review process. ... View more

In recent discussions with Splunkers and customers, I keep hearing about how the plan is to launch investigations in Phantom. In the recent past, all I ever heard was about how ES was the location where investigations should be managed, due to the provided investigative workbench framework. I've got zero experience with Phantom, and generic statements about investigative features in both products, leaves me confused. Do investigations mean the same thing in ES and Phantom? If so, is there a compare/contrast about what each product provides? Assuming both products are capable of allowing analysts to launch an investigation, and the customer owns both products: does Splunk have a preferred recommendation? ... View more

I have some entries in WinEventLog://Application coming from NetIQ DRA. I couldn't find any add-ons for DRA on Splunkbase, so I'm reaching out for guidance on how to identify KV pairs within the Message field and extract them. I can see that OOTB, Splunk has configs in etc/system/local/props.conf and transforms.conf that will extract KV pairs delimited by "=" or ":". In this case, the segregation is by spaces and/or tabs, and some of the keys (field names) have spaces as well, so I have to intelligently identify which portions are fields and which portions are values. Compounding the issue is that some keys and values are on separate lines; for example, take a look at TransactionID and its value in my sample event. I also need to account for the potential of a field containing multiple values, such as "Member Added". Any hints or guidance would be greatly appreciated. Message=Action MemberAdd ObjectType Group AssistantAdmin DOMAIN\joeblow-a Target DOMAIN\LA.SVC Domain Controller SERVERNAME006 Member Added DOMAIN\SERVERNAME603$ Member Added DOMAIN\SERVERNAME604$ UTC Date Wednesday, November 14, 2018 UTC Time 3:19:16 PM AssistantAdmin OnePoint OnePoint://CN=Admin\, Joe Blow,OU=Admin,OU=IT,OU=Users,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org Member Added OnePoint OnePoint://CN=SERVER603,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org OnePoint OnePoint://CN=SERVER604,OU=Prod,OU=Servers,OU=Computers,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org Target OnePoint OnePoint://CN=LA.SVC,OU=Prod,OU=Roles,OU=Security,OU=Groups,OU=Town,DC=DOMAIN,DC=DOMAIN,DC=org TransactionID 59E98034949344d98B716B11B00A722D Sequence Number 0 ReturnCode 0x0 ... View more