Hi, Can we do the same for BMC remedy add-on? Does the BMC integration work as an ad hoc adaptive response?   ... View more

Try This... | datamodel data_model_name root_object_name search | table _time, sourcetype, root_object_name.* Example: | datamodel Network_Traffic All_Traffic search| search All_Traffic.*="unknown" | dedup sourcetype | table _time, sourcetype, All_Traffic.* ... View more

Hi @richgalloway  Thank you for answers. Firstly; if any result doesn't come back, splunk search is fail.   Secondly; if any result come back, rest doesn't running. The reason why I want to do this is that, I want this custom alert action python script to trigger when there is a new Syslog added to SplunkHF, the script would add the newly discovered Syslog paths onto the deployment_apps inputs.conf to monitor those new paths and then send the deployed app towards the splunkHF. I have added the correct information to inputs.conf, Incase any results are returned I just want to Reload the related server class.   Happy Splunking. ... View more

doc with example for timebased lookup. https://docs.splunk.com/Documentation/Splunk/8.0.6/Knowledge/Configureatime-boundedlookup ... View more

My DMA is never been %100. it's generally %99.x . Why is this happening ?  How ı find the problem ?  ... View more

To my understanding, only Adaptive Actions (AR) written to work within the 'CIM modactions' framework will appear under the 'Adaptive Responses' pane of the incident review dashboard. You could use the Add-on builder (if not using already) to create your custom AR and that could address your need to view/list your AR ... View more

there was no update this problem, But ı thiking problem is SA-Utils OR SA-Cim_validator App. Do you have one of these installed in your splunk env. The problem started when I installed one of these applications. ... View more

We really need to see more of your data but maybe this? | tstats summariesonly=true allow_old_summaries=true pres count, min(_time) AS firstTime, max(_time) AS lastTime values(Filesystem.process_name) AS process_names FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest", "Filesystem.process_id" ... View more

it's works. Thank you for answer. ... View more

I think the logic should be tweaked at the end to negate it at the end from the lookup file or It could be done at the beginning also. Am posting to negate it at the end eventtype=wineventlog_system signature_id=7036 | rex field=Message "The (?[\w\s-]) service entered the (?\w) state" | where action="running" | inputlookup append=t previously_seen_running_windows_services | multireport [| stats earliest(eval(coalesce(_time, firstTime))) as firstTime, latest(eval(coalesce(_time, lastTime))) as lastTime by serviceName | outputlookup previously_seen_running_windows_services | where fact=fiction ] [| eventstats earliest(eval(coalesce(_time, firstTime))) as firstTime, latest(eval(coalesce(_time, lastTime))) as lastTime by serviceName | where firstTime >= relative_time(now(), "-60m@m") AND isnotnull(_time) | stats values(dest) as dest by _time, serviceName] | table _time, serviceName, dest | search NOT [| inputlookup previously_seen_running_windows_services | fields _time, serviceName, dest] ... View more

unfortunately no ... View more

Did you ever solve this problem? ... View more

I think the problem might be where the file is located, if the file is in another server it won't work. In other words, you first need to copy the file to Splunk SH server then you can upload it. Once the file is locally you can pass the path and call the function to upload the file. SCP the file to /tmp folder then: myindex = service.indexes["secdevops"] uploadme = "/tmp/scoring_output.csv" myindex.upload(uploadme); ... View more

There are 2 anomalies. It's possible, activities (e.g. browsing) from the phone, visited a number of DGA's and hence Suspicious domain names. What's interesting is the Unusual Geolocation comms. Is it possible, one of the visit to the DGA installed a malware which opens a C2C/backdoor to 197.241.* ip address? You may want to scan your device and check for any unusual apps/programme/external comms. ... View more

Also make sure you have a value in the Drill-down Name (and Drill -Down Search) in the Notable event for the correlation search. ... View more

Based on your error it looks like you still need to set the correct permissions. The streamfwd binary likely does not have execute permissions or the ownership is incorrect. There is a script included that you can run to properly set all the required permissions. See the documentation here: https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/InstallSplunkAppforStream#Set_Splunk_TA_stream_permissions ... View more

Do you want to exclude IP's getting into datamodel? I would suggest to have IPs (e.g. src_ip) in the datamodel and have a category, say (web_blacklist_ips) in your asset data for those IPs. You can then create searches to exclude those Ips using the category. ... View more

This suggests that useAck is the problem - You can see both events are generated at exactly the same time, but they are indexed 25 seconds apart, by different indexers. What likely happened is that the first message was received, but the indexer either did not ack the event in time (or it got lost on the network) so the forwarder resent it, resulting in the duplication. This is by design - useAck means no messages should ever get 'lost' but it can result in duplication - this is the tradeoff. ... View more

I guess you are right. It could be extansion. When ı look at the logs, I see advabi.dll this dll file manage the extansion and windows api services. Sorry for my bad english. thank you ... View more