Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About danielansell
danielansell
Path Finder
Member since:
09-19-2018
02-11-2026
Community Statistics
| Posts | 21 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 09-19-2018 |
Activity Feed
- Posted Re: Detect password in username field followed by successful logon on Security. 06-30-2022 11:52 AM
- Tagged Re: Detect password in username field followed by successful logon on Security. 06-30-2022 11:52 AM
- Tagged Re: Detect password in username field followed by successful logon on Security. 06-30-2022 11:52 AM
- Tagged Re: Detect password in username field followed by successful logon on Security. 06-30-2022 11:52 AM
- Tagged Re: Detect password in username field followed by successful logon on Security. 06-30-2022 11:52 AM
- Posted Re: Average Failed Logins by Day of Week For Last 90 Days on Splunk Search. 09-15-2020 08:50 AM
- Posted Re: Search speed up on Splunk Search. 07-15-2020 08:14 AM
- Posted Re: Search speed up on Splunk Search. 07-15-2020 08:00 AM
- Posted Re: Splunk Search String on Splunk Search. 07-15-2020 07:50 AM
- Posted Re: Filtering by OS on Splunk Search. 07-15-2020 07:25 AM
- Karma Re: How to find top 20 results and then do a subsequent search? for spayneort. 06-05-2020 12:50 AM
- Got Karma for Re: Why is line breaking inconsistent - File Monitoring - Roxio SecureBurn Log file - .txt. 06-05-2020 12:50 AM
- Posted Re: Why is line breaking inconsistent - File Monitoring - Roxio SecureBurn Log file - .txt on Getting Data In. 01-21-2020 01:38 PM
- Posted Re: How to find top 20 results and then do a subsequent search? on Splunk Search. 06-21-2019 01:02 PM
- Posted Re: No data after setting up Add-on for Windows on All Apps and Add-ons. 05-02-2019 06:19 AM
- Posted Re: No data after setting up Add-on for Windows on All Apps and Add-ons. 05-02-2019 05:08 AM
- Posted Re: How to audit security logs to find password compromises? on Security. 04-29-2019 09:57 AM
- Posted Re: Why is line breaking inconsistent - File Monitoring - Roxio SecureBurn Log file - .txt on Getting Data In. 03-08-2019 08:18 AM
- Posted Re: Why is line breaking inconsistent - File Monitoring - Roxio SecureBurn Log file - .txt on Getting Data In. 03-08-2019 05:15 AM
- Posted Re: Why is line breaking inconsistent - File Monitoring - Roxio SecureBurn Log file - .txt on Getting Data In. 03-08-2019 05:01 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
06-30-2022
11:52 AM
I found your post looking for the same thing you were. I used your transaction based search to help out. I required Sub_Status=0xc0000064 as a requirement to the failed logon attempt because it means the attempt was from an unknown user. You could probably further increase the probability of detecting a password by incorporating your regex against the baduser field. I know this is almost 4 years old, but here is what I came up with: index=whatever sourcetype="wineventlog:security" EventCode=4624 OR (EventCode=4625 Sub_Status=0xc0000064) | transaction host startswith="EventCode=4624" endswith="EventCode=4625" maxspan=180s | eval baduser=mvindex(Account_Name,1), gooduser=mvindex(Account_Name=-1) | reverse | table _time, host, baduser, gooduser, Account_Name, duration Note - this search ran extremely slow for me. I decided a couple years ago I want to be able to search all logon activity very quickly, so I created a summary index with that data in it. When searching that index, my results are returned very quickly. Alternatively you can probably do an accelerated data model. Hopefully this helps somebody, even if you're no longer after the answer.
... View more
09-15-2020
08:50 AM
Try this: | base search event="login_fail" | eval weekday=strftime(_time,"%A"), date=strftime(_time,"%x") | stats count by date, weekday | stats avg(count) by weekday
... View more
07-15-2020
08:14 AM
Sounds like you're good. UI time picker should be the same as manually specifying a time in the search string.
... View more
07-15-2020
08:00 AM
That nobody else mentioned this makes me wonder if I'm the one missing something, but do you really need to search all indexes that you have access to (index=*)? Another basic one that could be easy to overlook is what is the time range you're searching? A search against All time or last 30 days, especially when searching against all indexes) will take much longer than if you really only need data from the last 24 hours.
... View more
07-15-2020
07:50 AM
1. Indexes can be viewed as a named repository for data. There are multiple reasons you would want to store certain data in one index and other data in another. These include Access controls - assign permissions to certain indexes to certain users Performance - data that your routinely search against and want fast results from can be stored separately from noisy data that you do not regularly search. Also you can specify how much (or how old) data is stored in faster storage before it transitions to slower storage. Retention - data in one index can "expire" before other data that needs stored long term index=* simply means search all indexes that the user has access to (if your account is limited, you will only see the indexes which you have been given permission to see) sourcetypes are used in Splunk to identify the type of data and how fields within that data should be extracted - there's more to it than that, but that's the gist of it. When there is no 'OR' an 'AND' is implied. 2. The short answer is yes, the message is included. Splunk generally splits Windows events into two parts where the Message field begins. Splunk does this based on sourcetype and it allows Splunk to properly extract field value pairs (e.g. AccountName=john.smith). 3. There are several fields in the data that should identify the host. The first and fastest method is simply the host field. This is valid when the environment uses the Universal Forwarder to retrieve data from the hosts. It is possible to manually load evtx files into Splunk and specify another system as the host. If the host field doesn't match up with what you expect, you can probably refer to the Computer field. Hope that helps.
... View more
07-15-2020
07:25 AM
Splunk can only help if you have the data available to filter. As someone else mentioned, winhostmon data will get OS data into Splunk. I use the Splunk Windows TA to get this data into Splunk. Then when I want to search on a specific class, I use a subsearch index=main EventCode=4624 Logon_Type=2
[index=windows OS="Microsoft Windows 10*" | fields host] That subsearch looks for all systems with a Windows 10 variant (enterprise, pro, etc) and effectively adds the hostnames as an 'OR' to your base search - basically it becomes index=main EventCode=4624 Logon_Type=2 host1 OR host2 OR host3 OR host4 If you don't have OS data in Splunk, but need the data now, you may be able to get creative and use the host name if you have a good naming convention in place - that is, if you know all workstations are running Win 10 Pro, and all workstation names start with WKS, you could simply use something like this: index=main host=wks* EventCode=4624 Logon_Type=2 That last example would just be a bandaid solution though - I wouldn't use that as a long term solution as naming conventions tend to change or systems are named improperly and then you have bad data.
... View more
01-21-2020
01:38 PM
For file details, my extraction looks like this:
(?P<FileName>.+)\s(?P<FileHash>[0-9a-fA-F]{40})\s+(?P<FileSize>\d+)bytes\s+(?P<FileModDate>\d{4}\/\d+\/\d+\s\d+:\d+:\d+
... View more
06-21-2019
01:02 PM
To add on to this answer, the subsearch provided by spayneort effectively returns the top 20 "Site Name" values as 20 "OR" seperated field=value pairs.
To further understand it, Splunk performs the subsearch first then essentially modifies your search to be:
sourcetype=site_data "Site Name"=https://url1 OR "Site Name"=https://url2 OR "Site Name"=http://url2 OR ....
... View more
05-02-2019
06:19 AM
Thanks for the response.
... View more
05-02-2019
05:08 AM
Although your question has been answered, was the Windows app sending the data to the default 'windows' index, and you were searching your own index and found no data? Just checking - I'm trying to add to my troubleshooting knowledge base.
... View more
04-29-2019
09:57 AM
To narrow down to a possible password in the username field, you need to add the Sub_Status field for a value of "0xc0000064"
index=wineventlog EventCode=4625 Sub_Status="0xc0000064"
This will return failed logon attempts where "Username does not exist."
The problem you have is that you will have a username that doesn't exist (likely a typo of the user's name, but sometimes is a password) and then you will have a valid username. Therefore, your transaction cannot be by the Account_Name field. If your target is a workstations, you can probably remove Account_Name from the transaction. Things will be more difficult if you're working with an RDP server or something else with lots of logons from different users.
Explore your data with the addition of the Sub_Status - I think that will get you closer to where you want to be.
... View more
03-08-2019
08:18 AM
1 Karma
That's my problem. I was expecting the props config to be interpreted at search time. The event I have that is broken up correctly was indexed after my props change. I didn't put two and two together with that.
I think I'll re-index the data and see if that serves my needs.
Thanks for the help - to include up above with the stats versus eval.
... View more
03-08-2019
05:15 AM
I typically use rex to test my extractions before building my field extractions in my props.conf.
Will a field extraction defined in a props.conf return multiple values - should a max_matches=0 be added to my props.conf?
If so, will I be able to perform stats functions on the multivalued field? For example, if I were to define a FileSize field in my props.conf as an extraction, and I'd like to return a total size for the burn job, would I be able to do the following:
...search... |eval DiscSize=sum(FileSize) by source
... View more
03-08-2019
05:01 AM
I added to my props.conf and did not see a change in behavior. I'm still seeing the same - one of the .txt files has been split to 10 events where each line is its own event; while 2 other .txt files are still being returned as a multi-line event.
As I understand Splunk, changes in line breaking are applied at search time, correct?
Could there be an issue in how the .txt file is formatted?
I'm generally aware that there are some quirks with how Notepad.exe handles new lines (as evidenced by trying to modify any Splunk app in Notepad - there are never any linebreaks). Because of that I use another tool that handles the new lines appropriately - are there any tools (e.g. notepad++) that could identify what type of new line is present in my .txt file?
... View more
03-08-2019
04:48 AM
The ultimate goal is actually to extract data from each file burned to CD. When each .txt file is returned as a single event, I tried to extract data though using the rex command. The first result is stored in my "FileSize" field, but it does not continue on to the remaining lines.
So alternatively, if there is a more appropriate way to populate a FileSize, FileName, etc. field from each line, without breaking the event into single line events, that would be great as well.
... View more
03-08-2019
04:37 AM
Each job results in a new file. As such, I intend to use the source field as a means to provide meaningful data (using either a transaction, or "by" to group data).
... View more
03-07-2019
11:45 AM
Everytime a CD is burned with Roxio SecureBurn, a txt file log of the cd is created. The format of the .txt log file is:
Date: Thu Mar 7 13:47:00 2019
Computer Name: ComputerName01
User Name: domain.accountname
Project includes 1 folder(s) and 2 file(s)
C:\Users\accountname\Desktop\TransferFolder\file1.txt e69f78a887b(rest of file hash)a35 3764543bytes 2019/3/7 08:13:15
C:\Users\accountname\Desktop\TransferFolder\file2.txt e69f78a887b(rest of file hash)a35 7764543bytes 2019/3/7 08:13:18
END OF FILE
My props.conf for the sourcetype I created includes:
SHOULD_LINEMERGE = false
Linebreaking is occurring inconsistently. Some of my events show up where each line is its own event, others include every bit of data in the .txt file as its own event. Any ideas - perhaps a more bulletproof way to force a break? Do Windows .txt files normally have inconsistancies with a carriage return or line breaking?
... View more
02-08-2019
06:23 AM
If anyone else is curious, I was able to simply change the WMI:UserAccounts stanza from Win32_Accounts to Win32_UserAccounts and get the results I expected.
... View more
02-08-2019
06:11 AM
I recently enabled the WMI:UserAccounts stanza in the wmi.conf of the Windows TA app and found that the WMI:UserAccounts stanza is pulling from the Win32_Accounts class rather than the Win32_UserAccounts class. Pulling from the Win32_Accounts class pulls in all the built-in Windows classes such as "Local Accounts", "Authenticated Users", CREATOR GROUP" amongst a slew of others.
I don't know about everyone else, but I was looking specifically for the entries that show up I type "net user" at the command prompt, or view the Users directory under Local Users and Groups in computer management.
Finally, for what its worth, when using the Win32_Accounts class, I had to create an entry in my props.conf to properly extract the Name field for accounts that contained spaces.
The version of the app I'm using is 4.8.3.
... View more
02-07-2019
05:22 AM
While there are likely other ways to do this, I would open an elevated command prompt and issue the start Splunk command. This will provide feedback to ensure the Splunk service is actually started, as well as giving you the URL that the Splunk service is listening on (to include https:// if you've enabled that).
Get your command prompt to the C:\Program Files\Splunk\bin directory and then type splunk start
... View more
09-19-2018
06:09 AM
I have seen how the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) can give me a list of all groups, and enumerate their membership, to include both nested and direct membership. I have also seen how I can retrieve all users, and the groups which they are a member of.
Does anyone have a search where I can search Active Directory with SA-ldapsearch, specify a user, and enumerate all group membership, to include any inherited groups?
Desired Results:
User | Group | Membership Type
John.Doe | Domain Users | Direct
John.Doe | Accounting | Direct
John.Doe | Finance Dept. | Nested
I believe I had some success achieving this with the data from Active Directory monitoring - however, I'd prefer to use SA-ldapsearch for this.
... View more
