Last update. We got a workaround from Splunk support for displaying more than 30 suppressions inside of ES. It's in the comments here: https://answers.splunk.com/answers/482839/splunk-enterprise-security-why-is-the-notable-even-1.html ... View more

I'm pushing on the ES devs to fix this. Threat Intel docs list description as required but the ES intel processing tosses it and gives you the description of the input. If you are careful you can manually patch several macros and searches to get threat intel values to come through regardless of the original intel source input. I'd recommend others report this as a bug against ES via a support ticket if you want the change. ... View more

Here with the modified one index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) |rex field=_raw "(?ms)^(?P\d+\S+\s\S*\s\w+)" | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 86400 | eval Account_Created_Time=mvindex(time,0)|eval Account_Deleted_Time=mvindex(time,1) |eval Created_Account_EventCode =mvindex(EventCode,0)|eval Deleted_Account_EventCode =mvindex(EventCode,1)|eval Account_Created_By =mvindex(src_user,0)|eval Account_Deleted_By=mvindex(src_user,1) | table Account_Created_Time Account_Created_By Created_Account_EventCode user Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By | eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By) | Rename user as Account_Created_And_Deleted | ... View more