Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About PanIrosha
PanIrosha
Path Finder
Member since:
10-23-2018
06-05-2020
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 10-23-2018 |
Activity Feed
- Got Karma for Windows Infrastructure app - Active Directory Error. 11-24-2020 05:24 PM
- Karma Re: Can you help me input Cisco AMP events to Splunk Enterprise Security? for smoir_splunk. 06-05-2020 12:50 AM
- Karma Re: How do you extract user names from a field that contains an email address? for renjith_nair. 06-05-2020 12:50 AM
- Got Karma for Windows Infrastructure app - Active Directory Error. 06-05-2020 12:50 AM
- Posted Windows Infrastructure app - Active Directory Error on All Apps and Add-ons. 11-08-2018 06:41 AM
- Tagged Windows Infrastructure app - Active Directory Error on All Apps and Add-ons. 11-08-2018 06:41 AM
- Tagged Windows Infrastructure app - Active Directory Error on All Apps and Add-ons. 11-08-2018 06:41 AM
- Tagged Windows Infrastructure app - Active Directory Error on All Apps and Add-ons. 11-08-2018 06:41 AM
- Tagged Windows Infrastructure app - Active Directory Error on All Apps and Add-ons. 11-08-2018 06:41 AM
- Tagged Windows Infrastructure app - Active Directory Error on All Apps and Add-ons. 11-08-2018 06:41 AM
- Posted Re: Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 06:29 AM
- Posted Re: Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 05:46 AM
- Posted Re: Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 05:34 AM
- Posted Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 04:51 AM
- Tagged Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 04:51 AM
- Tagged Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 04:51 AM
- Tagged Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 04:51 AM
- Tagged Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 04:51 AM
- Tagged Can you help me with a regex field extraction? on Splunk Search. 11-01-2018 04:51 AM
- Posted Re: How do you extract user names from a field that contains an email address? on Splunk Search. 10-31-2018 05:01 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 0 | |||
| 0 | |||
| 0 |
11-08-2018
06:41 AM
2 Karma
Hi Experts
I have installed and configured Splunk app for windows infrastructure in our search head as per the instruction on the Splunk Docs.
I can see all events in indexes (wineventlog, windows, msad, perfmon) etc. but i can't see any Active directory related information in the app. when i run "Customise Feature" option i can see below results;
Active Directory: Domains not found.
Detecting Domain Controllers ...
Active Directory: Domains not found.
Detecting Domain Controllers ...
Active Directory: Domain Controllers not found.
Detecting DNS ...
Active Directory: Domains not found.
any idea what might be the reason ?
Many Thanks.
... View more
11-01-2018
06:29 AM
hi @kamlesh_vaghela
i think its working now.
Step 1: i have created a regex based field transform with following settings.
Name: field_extraction_for_user
Type: RegEx Based
RegEx:(?[^@]+)
App: Cisco_AMP
Source Key: event.computer.user
Step 2: then i have created a field extraction.
App: Cisco_AMP
Name: User_Extraction
SourceType: Cisco:AMP
Type: Uses transform
Extraction/Transform: "name of the field transform above"
Thank you very much for your help.
... View more
11-01-2018
05:46 AM
@kamlesh_vaghela
below is the sample raw event
{"event": {"event_type": "Threat Detected", "timestamp_nanoseconds": 543000000, "date": "2018-10-29T12:20:53+00:00", "file": {"disposition": "Malicious", "identity": {"md5": "44d88612fea8a8f36de82e1278abb02f", "sha1": "3395856ce81f2b7382dee72602f798b642f14140", "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}, "file_name": "f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "file_path": "\\?\C:\Users\User.Name\Downloads\f9ab116c-40f5-40db-a566-4d3d948587c3.tmp", "parent": {"disposition": "Clean", "identity": {"md5": "f8ba54ad76c8f8ec9f3d639871b30f27", "sha1": "d42ea42b362442299195a82cfb998f10b11af868", "sha256": "c0edc58682b6fa296a439da2320c8bf74d7bf5f8e83446441048687beb60a472"}, "file_name": "chrome.exe", "process_id": 13132}}, "computer": {"links": {"trajectory": "https://api.eu.amp.cisco.com", "computer": "https://api.eu.amp.cisco.com", "group": "https://api.eu.amp.cisco.com"}, "connector_guid": "ec10a6ba-1bf2-42d8-8254-77fbcea54c6a", "active": true, "hostname": "Demo-PC-001", "user": "firstName.LastName@Domain.com", "external_ip": "xxx.xxx.xxx.xxx", "network_addresses": [{"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}, {"ip": "xxx.xxx.xxx.xxx", "mac": "xx:xx:xx:xx:xx:xx"}]}, "id": 6617752838799884295, "timestamp": 1540815653, "connector_guid": "asas-weuwuey-kjhdfkjaf", "event_type_id": 1090519054, "detection": "Win.Trojan.EICAR-Test-File", "detection_id": "6617752838799884292", "group_guids": ["272362aashasah13276237623jsdhjsdjsh"]}}
... View more
11-01-2018
05:34 AM
hi @kamlesh_vaghela
Thank you for the quick response.
in the raw log has following
"user": "firstName.LastName@DomainName.com"
... View more
11-01-2018
04:51 AM
Hi All,
i have installed and configured "Cisco AMP for Endpoints" in our search head. Currently, it's forwarding all the logs to an index called "Cisco-AMP". I can see all events coming in. There is a field called "event.computer.user" this store email address of the user. i need to extract just the user name from this field and add it to another field called "User".
The following Regex does that perfectly when i run it on the search bar.
index=amp | rex field=event.computer.user "(?<user>[^@]+)"
But i need this extraction to work permanently. So i created a field extraction by taking the below steps. Then I restarted Splunk services. But i can't see the new field when i search for the Cisco amp events in the search app. Am i doing anything wrong here ?
Settings > Fields > Filed Extraction >
Destination App: Cisco-AMPEvents
Name: User_field_extract
Sourcetype: cisco:amp:event
Type: inline
Extraction and Transform: field=event.computer.user "(?<user>[^@]+)"
App Permission: Global
Thank you in advance.
... View more
10-31-2018
05:01 AM
@renjith.nair
thank you for the prompt response. did i use the correct way to create the field extraction ? is there anything need to be added ?
i tried to save this as a field extraction in Settings > Fields > Filed Extraction. below are the settings for this extraction
Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?.+?(?=@))"
App Permission: Global
Thank you very much.
... View more
10-31-2018
04:45 AM
@renjith.nair
wow. that work like a charm. thank you very much. this regex work fine when i run in the search bar. i can see the field getting extracted. but how can i save this extraction permanently ?
i tried to save this as a field extraction in Settings > Fields > Filed Extraction. below are the settings for this extraction
Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"
App Permission: Global
in the search bar, i can get the extracted field when i search with index name
index=asa | rex field=userId "(?<user>.+?(?=@))"
but it doesn't return any results when i search with the sourcetype, source or host.
any idea wht might be the reason ?
Thank you very much Renjith.
NOTE: i am using your exact regex command given in your answers.
Regards
Irosha
... View more
10-31-2018
02:21 AM
Hi @renjith.nair
the regex worked fine in my search. apparently , we have few few naming conventions. some are just firstname@domain.com. can you help me to create a regex that detect "everything" before @ sign ?
Thank you very much.
... View more
10-30-2018
08:08 AM
Hi Renjith,
Thank you very much for the quick response. will you be able to tell me how to create the field adding this this please ? i am quite new to splunk
Thank you 🙂
... View more
10-30-2018
06:22 AM
Hi Experts,
I have a data field called "userId" (FirstName.LastName@DomainName) in one of my data sources. Is there a way to create a new field called "user" just by extracting the "FirstName.LastName" part from the "userId" field ?
Thank you in advance
... View more
10-30-2018
06:10 AM
hi smoir,
i have managed to get the data to splunk enterprise security after go though all the links. thank you very much for your help
... View more
10-24-2018
06:19 AM
Hi Smoir
I have imported the cisco amp app to ES but still i cant see any data.
... View more
10-24-2018
12:39 AM
Hi Smoir,
Thank you for replying.
no its not. the app is not using "TA-" naming convention when i uploaded to the search head. its using "amp4e_events_input" as its folder name in $SPLUNKHOME\etc\apps
i will follow this document and import the app as instructed. i will keep you posted.
... View more
10-23-2018
04:45 AM
Hi,
I have installed Cisco AMP app on our indexer and i can see AMP events coming in. But, I can't see any malware information in the Splunk Enterprise Security (Security Domains > Endpoint Protection > Malware Center). ESS is installed on the search head and AMP index can be accessible from search head.
is there anything else to be configured in the search head in order to see information in the malware center?
Thank you in advance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
