Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About MonkeyK
MonkeyK
Builder
Member since:
05-13-2014
03-24-2023
Community Statistics
| Posts | 262 |
| Solutions | 14 |
| Karma Given | 41 |
| Karma Received | 34 |
| Member Since | 05-13-2014 |
Activity Feed
- Posted Re: Is there an efficient way to do field summary on a large set of source types? on Splunk Enterprise. 03-24-2023 01:24 PM
- Posted Re: How do I rehydrate a sparkline from a lookup? on Splunk Search. 03-18-2023 08:40 AM
- Karma Re: How do I rehydrate a sparkline from a lookup? for ITWhisperer. 03-18-2023 08:40 AM
- Karma Re: How to check 10 days prior to an event in Splunk for a failed login attempt? for PickleRick. 03-18-2023 05:41 AM
- Posted How do I rehydrate a sparkline from a lookup? on Splunk Search. 03-18-2023 05:33 AM
- Karma Re: why does mvappend fail in my alert? for bowesmana. 03-15-2023 07:41 AM
- Posted Re: why does mvappend fail in my alert? on Splunk Search. 03-15-2023 07:40 AM
- Got Karma for Re: why does mvappend fail in my alert?. 03-14-2023 02:29 PM
- Posted Re: why does mvappend fail in my alert? on Splunk Search. 03-14-2023 07:02 AM
- Posted Re: why does mvappend fail in my alert? on Splunk Search. 03-14-2023 06:52 AM
- Posted Why does mvappend fail in my alert? on Splunk Search. 03-13-2023 05:42 PM
- Posted Re: Is there an efficient way to do field summary on a large set of source types? on Splunk Enterprise. 12-11-2022 07:54 PM
- Posted Re: Is there an efficient way to do field summary on a large set of source types on Splunk Enterprise. 12-05-2022 01:43 PM
- Posted Re: Is there an efficient way to do field summary on a large set of source types on Splunk Enterprise. 12-05-2022 07:06 AM
- Posted Is there an efficient way to do field summary on a large set of source types? on Splunk Enterprise. 12-02-2022 03:34 PM
- Got Karma for Re: list all fields within a sourcetype. 06-30-2022 01:18 PM
- Karma Re: How do I list fields vertically in an email alert? for DanielPriceUK. 06-01-2022 10:53 AM
- Posted How do I list fields vertically in an email alert? on Alerting. 05-31-2022 06:59 AM
- Posted Re: How do I extract a multivalued field from a windows event on Splunk Search. 04-25-2022 08:02 PM
- Posted How do I extract a multivalued field from a windows event on Splunk Search. 04-25-2022 06:33 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-24-2023
01:24 PM
Fair question. When I want to focus on a particular part of my SPL, I often start with "<base search> | " so that I keep the focus on what I am interested in. In this case "<base search>" is how I restrict the results to the sourcetypes of interest to my SOC. I actually pull that from a list of critical data sources which is maintained by the SOC For my purposes, I am only trying to understand fields by sourcetype I am using index in the dedup command |bin span=3h _time |dedup 10 index sourcetype _time host This allows me to consider 10 records from every index in every 3 hour period. I do that because I worry that different workloads (which get ingested into different indexes), may decide to change the format of what they send. This way I only consider common fields in a sourcetype across all indexes. If I didn't account for different indexes, it might be possible that I evaluate different indexes each time and therefore would , may conclude that there is a change when the common fields actually did not change If I wanted the field listing per index, I'd just modify the "stats" and "eventstats" to include index in the "by" clause.
... View more
03-18-2023
05:33 AM
Sometimes I run a really complex query and accumulate results in a lookup table. I recently tried doing this and including a sparkline, which gave me a field that looked like trend ##__SPARKLINE__##,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,63,55,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 If I just run "|inputlookup" to visualize that data, I just get the raw data back. Is there a command that turns the stored sparkline data back into a sparkline?
... View more
Labels
- Labels:
-
stats
03-15-2023
07:40 AM
Hadn't seen the printf. That's gonna be my goto for formatting alerts going forward
... View more
03-14-2023
07:02 AM
1 Karma
This is a good question. My reasoning is that tabular data sent to a ticketing system does not read well for an analyst. My opinion is that readability is very important, especially for the analyst who may have just been woken up to handle a critical severity alert that I created. Maybe not this particular alert, but I got to realizing that I need to make alerts present better. Furthermore as my company started doing service-now integration, the SN alert action actually only allows for one field as alert data (there's a "short description" that is used for the alert subject and a "description" field that actually describes it) Consequently, I've taken to creating an mvfield called "Alert" that summarizes everything. I tend to build something like this as the last line of my alerts eval Alert=mvappend("time seen: "._time,
"hostname: ".hostname,
"user: ".user,
"details: ",details,
" ", " ",
"deep links",
"splunk: ".myInlineBuiltSplunkSearch,
"source system: ".sourceSystemAddressForMoreInfo) I suppose that I could use straight up concatenation, if I can figure out how to insert a newline via eval. I've just happened to find that mvappend formats consistently and nicely and all references that I've found say to do newlines with an mv field
... View more
03-14-2023
06:52 AM
yes, I checked the field "decrypted" and it does have a value in the alert, just not added to "WhatRan" As to permissions, not sure how to understand that one. Current version of the alert that I am evaluating is still private, owned by me. So I think that it runs with my permissions.
... View more
03-13-2023
05:42 PM
I've been trying to write an alert that notifies our SOC when someone tries to obfuscate their command with base64 encoding.
I used to be able to append a decoded output (using decrypt2) to the command line run doing something like this (very simplified)
|<search for base64 encoded commands>
| decrypt field=encoded atob emit('decrypted')
| fields - encoded
| eval decrypted="decrypted: ".replace(replace(replace(replace(decrypted,"\.\.\.","~&_&~"),"\.","")," "," "),"~&_&~",".")
| eval command_line="command_line: ".command_line
| eval WhatRan=mvappend(command_line," ",decrypted)
works great in my search, but when I alert on it, the field "decrypted" does not get appended to "WhatRan". I can click on the alert search result and not see the value of "decrypted" in "WhatRan", and then immediately run the search and get the value of "decrypted" in "WhatRan"
What makes this happen? Can it be corrected?
... View more
Labels
- Labels:
-
other
12-11-2022
07:54 PM
I got it. And it definitely starts with PickleRick's answer <base search> |bin span=3h _time |dedup 10 index sourcetype _time host ```get a good cross section of the sourcetype in all of it's use cases``` | stats count count(*) as * by sourcetype |untable sourcetype field fieldCount |eval stCount=if(field=="count", fieldCount,null()) |eventstats max(stCount) as stCount by sourcetype |eval pctCov=fieldCount/stCount |search pctCov>=.5 |table sourcetype field pctCov
... View more
12-05-2022
01:43 PM
right, probably could have better explained. | inputlookup dataDictionary.csv is my lookup of all indexes and sourcetypes in the environment. Of the 1400 we have there are about 180 that the SOC is specifically interested in and of that there 70 sourcetypes that the SOC considers critical to their work. I used the first clause as a subsearch to get one sourcetype to act on. In this case the 5th sourcetype when critical sourcetypes are sorted ascending I do this because I need to pick a sourcetype to do fieldsummary on. I don't know how to do fieldsummary on more than one sourcetype and have the result tie back to the sourcetype of interest, hence the request for help. I limit the amount of data to evaluate with dedup | dedup 10 index sourcetype says to get 10 records of the sourcetype for each index that uses that sourcetype. ------------------------------------------- I like your stats count(*) as count by sourcetype technique . That would certainly allow me to summarize by sourcetype without needing to do them one at a time. Feels like it should be workable, but I don't know how to use the results (would have done the next bit in a table, but the markdown is failing me in the most frustrating way) With it I can get a table with a row for each sourcetype where I'd wind up with fields for all sourcetypes where some would be the same as the total, some less than the total, and some zero (because they are part of a different sourcetype. Given I don't know the field names, I don't know how I'd determine pctCoverage by sourcetype So how would I go from that to fields with 100% coverage by sourcetype? traffic_logs: src_ip, dest_ip dns: src_ip,request_type dhcp: src_ip,dest_ip,mac,lease or even fields by coverage? sourcetype, field, pctCov traffic, src_ip, 100 traffic, dest_ip, 100 etc
... View more
12-05-2022
07:06 AM
I don't really want to debate the value of the CIM. I think it's great, but not enough me or my SOC on it's own. CIM is great for quickly finding data. And actually you reminded me that I should include the CIM and it's fields in my data model. Those records are just as pivotable as the other sources. That said, access to underlying logs is still critical for the integrity checking portion that I mentioned. An altered log format or an updated TA can often result in data that doesn't get included in the data model or may not be included in a search of the logs assuming that data would exist. For example if src_ip didn't get parsed out of a network traffic source type (Firwall logs, flow logs), the higher level datamodel search would simply not find that record and the SOC analyst might be none the wiser. The integrity checking is what will clue me into a problem with the source Also CIM data models often do not contain enough information to fully understand an alert. I find that they are great for alerting, but we often have to drill down to the sources. For example the Authentication datamodel does not account for why authentication failed. A locked account or expired password are going to result in lots of authentication failures. CIM does not automatically account for all newly onboarded sources. An automated data dictionary does. In my experience robust IR will still require that we work with the logs
... View more
12-02-2022
03:34 PM
I've been wanting to build some integrity checking and other functionality based on knowing the fields in a sourcetype for a while now.
At my company we've built a data dictionary of indexes and sourcetype of interest to the SOC. They can search the dictionary to help them remember the important data sources. I'd like to augment/use this info in a couple of new ways:
1) give them a field list for all of these sourcetypes so they could search for which sourcetypes have a relevant field (like src_ip)
2) I'd like to note the fields that appear in 100% of records for a sourcetype and then every day find out if is missing any of those fields. This would quickly clue me into data issues related to the event sent, parsing, or knowledge objects.
I know how to get a list of fields for 1 sourcetype and store that info. And I know how to compare a sourcetype to a past set of fields to a current set.
My challenge now is how do I get the list of fields for the 100 sourcetypes of interest so far my best idea is to create 100 jobs to handle each sourcetype. Something like
```1-get the sourcetypes of interest and pull back data for them``` [| inputlookup dataDictionary.csv where imf_critical=true | eval yesterday=relative_time(now(),"-1d@d") | where evalTS>yesterday | dedup sourcetype | sort sourcetype | head 5 | tail 1 | table sourcetype] earliest=-2d@d latest=-1@d ```2-get samples for all indexes in which the sourcetype appears``` | dedup 10 index sourcetype | fieldsummary ```3-determine field coverage so we can pick the hallmark fields``` | eventstats max(count) as maxCount | eval pctCov=round(count/maxCount,2)*100 | table field pctCov ```4-add back in the sourcetype name``` | append [| inputlookup dataDictionary.csv where imf_critical=true | eval yesterday=relative_time(now(),"-1d@d") | where evalTS>yesterday | dedup sourcetype | sort sourcetype | head 5 | tail 1 | table sourcetype] | eventstats first(sourcetype) as sourcetype | eval evalTS=now() | table sourcetype evalTS field pctCov ```5-collect the fields to a summary index daily``` | collect index=soc_summary marker="sumType=dataInfo, sumSubtype=stFields"
If I ran 100 jobs like this, the number after head would increment to give me the next sourcetype.
But I feel like there has to be a better way to do fieldsummary on a lot of sourcetypes.
Any ideas?
... View more
- Tags:
- fieldsummary
Labels
- Labels:
-
using Splunk Enterprise
05-31-2022
06:59 AM
One problem that I have with alerting from Splunk is that when I alert by email, total width of the table can exceed what the recipient can handle lookin at. I'd like to start transposing my result table to address this. That is, I'd like to go from sending alerted results like this time field1 field2 field 3 5/31/2022 value1 value2 really long value 3, so long that it creates a formatting problem. Oh noes! What will I do? To something more like this: Time: 5/31/2022 field1: value1 field2: values2 field3: really long value 3, so long that it creates a formatting problem. Oh noes! What will I do? I know that I could create a field name called "alert fields" and manually create the fields, but is there a simple way to do this in Splunk
... View more
Labels
- Labels:
-
email
04-25-2022
08:02 PM
I guess that works. Funny because my rex has an error. I didn't mean to look for "not v" I'd been trying to say not vertical space [^\v]* but it does still work to do what you suggested. Thanks!
... View more
04-25-2022
06:33 PM
I don't know why I'm finding it so hard, but I want to put the accessess from Windows Event 5145 into a multivalued field and I just can't seem to figure it out. By default, Splunk just assigns the first value. So I've been trying to work with this | rex "Accesses:[\s]+(?<AccessList>[^v]*)[\v]+Access Check Results:" 04/25/2022 01:23:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=test.act.root
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=984613134
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-99-99999999-999999999-999999999-99999
Account Name: XXXX
Account Domain: act
Logon ID: 0x999999
Network Information:
Object Type: File
Source Address: 10.1.1.100
Source Port: 60000
Share Information:
Share Name: \\fileshare\file.xxx
Share Path: \??\O:\Shared\fileshare\file.xxx
Relative Target Name: target\share
Access Request Information:
Access Mask: 0x100081
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes
Access Check Results:
... View more
10-25-2021
07:08 AM
I'm on 8.2.2 as well. If the problem is really just _internal, I'm not super concerned. But it really makes me uncomfortable that there might be errors with other indexes.
... View more
10-22-2021
02:20 PM
My teammate and I have been trying to summarize our environment to automatically build a data dictionary. Our last feature was to add a lastSeen time to use as a rudimentary data integrity check. Recently this has stopped working on the _internal index. As in tstats max time on _internal is a week ago, even though a straight SPL search on index=_internal returns results for today or any other arbitrary slice of time I query over the last week. This suggests to me that the tsidx is messed up for _internal. But to make matters more confusing, yesterday I was able to submit the same query and get a correct max(_time) for index=_internal. Does anyone have an idea of what is going on with this behavior? Better yet, what I need to do to fix it? If it matters, this is a clustered search head environment and we also have quite a few indexers usual results | tstats count max(_time) as lastSeen where index=_* earliest=-20d@d latest=@m by index
| convert ctime(lastSeen) index count lastSeen _audit 999999999 10/22/2021 15:39:59 _internal 9999999 10/14/2021 20:09:35 _introspection 999999999 10/22/2021 15:39:59 _telemetry 999 10/22/2021 12:05:05
... View more
Labels
- Labels:
-
other
-
using Splunk Enterprise
05-18-2021
03:22 PM
We've been trying to set up the CIM datamodels in our environment. One that seems particularly useful is Network_Resolution (DNS). Network Resolution has just one dataset for DNS and the events look like they intend to capture request and response data answer dest message_type query query_type reply code src of these some are clearly related to the request and some are clearly related to an answer. Is the idea that the datamodel should be populated with just query data (no answer) for message type=query? and just response data (no query/query type) for message_type=response? Or is there some effort that should be made to correlate the request and responses? so that each record contains everything where possible? We did set up Splunk Stream to handle DNS. Splunk stream tries to pair up request and response but seems to miss some pairings: I find that about 30% of DNS events from Splunk Stream have both request and response, ~40% have only query, and ~30% have only response so it would be possible to add 30% of DNS events to Network Resolution with both query and response, but then the rest would have to be just query or just response events -- missing the other fields. Or I could just split out the query and response from the joint records. Does anyone who uses Network Resolution (especially in ES) have a recommendation on how to do this?
... View more
Labels
- Labels:
-
other
05-14-2021
11:29 AM
This is actually not very easy to do with the default Windows DNS logging. Firstly, to populate the Network Resolution, one would need to correlate request and response records. But beyond that, Microsoft logs DNS at a debug level and logs are multiple lines long and very difficult to parse. Splunk does do the aggregation and parsing in the Stream app, but even that does not handle the datamodel mapping. A shame really, because it is not really clear how the Network Resolution model is supposed to be used with a number of DNS return types.
... View more
11-16-2020
08:13 AM
Thanks, I tried looking for min and max delays and found no negative numbers. and then I had a recent example. Expected two events on 11/10 early afternoon (12:30 and 14:25). Late afternoon I searched and I only found one of them. Considering possible time zone issues, I tried searching several hours into the future (until midnight, so 7.5 hours past when I expected the second event): still only found one. After I failed to find the second event, I created an alert for the missing event. The alert never triggered. I ran another search 11/11 early afternoon and still only found the one event I ran another search on 11/13 and I found the missing event. It had a indextime of 11/10, within 25 minutes of when the email system said the record was created
... View more
11-10-2020
03:43 PM
Lately my teammates have been searching for email logs and not finding them until several hours or even a day later.
I checked for latency issues by comparing log record times to _indextime but never found latency more than 20 minutes
index=proofpoint source=proofpoint_message_log
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| eval delay=_indextime-_time | timechart span=1m max(delay)
so ingestion seems to have happened within 20 minutes of all records. But my teammates cannot find some of the logs until hours later.
Has anyone here seen this sort of thing? In the past I've only seen this as the result of delayed ingestion. What else could cause it?
We did recently move to SmartStore. Is it possible that this is adding additional delay in Splunk determining which buckets to search?
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-24-2023
05:01 PM
|
Karma given to
