Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Azeemering
Azeemering
Builder
Member since:
05-12-2016
3 weeks ago
Community Statistics
| Posts | 164 |
| Solutions | 27 |
| Karma Given | 11 |
| Karma Received | 29 |
| Member Since | 05-12-2016 |
Activity Feed
- Posted Microsoft Azure Add on for Splunk (TS-MS-AAD v 3.1.1) error:309 | _Splunk_ Unable to obtain access token on Getting Data In. 3 weeks ago
- Posted Re: Microsoft Azure Add on for Splunk Inputs config page not loading on Getting Data In. 01-07-2021 08:35 AM
- Posted Microsoft Azure Add on for Splunk Inputs config page not loading on Getting Data In. 01-07-2021 08:14 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 12-17-2020 05:12 AM
- Karma Re: Microsoft 365 Defender Add-on for Splunk duplicate events for kristian_kolb. 12-17-2020 12:45 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 12-01-2020 08:45 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 12-01-2020 08:36 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 12-01-2020 05:37 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 11-26-2020 05:34 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 11-26-2020 02:58 AM
- Got Karma for Re: Microsoft 365 Defender Add-on for Splunk giving errors. 11-26-2020 12:21 AM
- Posted Microsoft 365 Defender Add-on for Splunk duplicate events on All Apps and Add-ons. 11-26-2020 12:20 AM
- Posted Re: Microsoft 365 Defender Add-on for Splunk giving errors on All Apps and Add-ons. 11-26-2020 12:15 AM
- Got Karma for Microsoft 365 Defender Add-on for Splunk giving errors. 11-20-2020 09:15 AM
- Posted Re: WinEventLog:ForwardedEvents override on All Apps and Add-ons. 11-12-2020 02:22 AM
- Karma Re: WinEventLog:ForwardedEvents override for delink. 11-12-2020 02:21 AM
- Posted Microsoft 365 Defender Add-on for Splunk giving errors on All Apps and Add-ons. 11-10-2020 11:19 AM
- Posted Re: Microsoft Azure Add-ons for Splunk - inputs, configuration pages are not loading on All Apps and Add-ons. 11-03-2020 03:40 AM
- Posted Re: Remove the first line of CSV to index in splunk on Splunk Search. 11-02-2020 10:08 AM
- Posted Re: Can an alert be run from a specific Search Head in a clustered environment? on Splunk Search. 11-02-2020 09:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
Hello I am installing a fresh new install of this app to replace our old version (1.2.4) I am using the same credentials as the old working version (client id, secret and tenant) With the new app I get the error: 2021-03-30 09:17:26,598 ERROR pid=109928 tid=MainThread file=base_modinput.py:log_error:309 | _Splunk_ Unable to obtain access token
2021-03-30 09:17:26,596 DEBUG pid=109928 tid=MainThread file=connectionpool.py:_make_request:437 | https://login.microsoftonline.com:443 "POST /27776982-d882-41b2-95ac-322f28d5a2ce/oauth2/v2.0/token HTTP/1.1" 401 471
2021-03-30 09:17:26,372 DEBUG pid=109928 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): login.microsoftonline.com:443 When reverting to the old app it works fine and I am able to collect data. We checked all the permissions and Azure settings. What else do we need to do to get this working with the new version.
... View more
Labels
- Labels:
-
heavy forwarder
01-07-2021
08:35 AM
I just found this info: Version 3.0.0 and later of the Microsoft Azure Add-on for Splunk is compatible only with Splunk Enterprise version 8.0.0 and above. Probably the reason why it is not working on my 7.x system.
... View more
01-07-2021
08:14 AM
I am trying to upgrade to the latest version of this app but the inputs setup page is Loading forever. Microsoft Azure Add on for Splunk version 3.0.1 on a UX Heavy Forwarder. https://splunkbase.splunk.com/app/3757/ I tried a local test machine and there is was working so I added the inputs and copied the inputs.conf to my production Heavy Forwarder /local folder. Still no data coming in and the inputs page is still freezing when I try to access it.
... View more
Labels
- Labels:
-
heavy forwarder
-
inputs.conf
-
other
12-17-2020
05:12 AM
Thank you...this works indeed for me too. Very nice....well spotted! I'm not exactly sure how to word it a 100% right...but I am disappointed that Splunk let's the community fix their released apps.
... View more
12-01-2020
08:45 AM
I also added a transforms.conf with your suggested settings and I can now see the checkpoint: key state atp_lastUpdateTime_MD_ATP_Acceptatie "2020-11-25T09:00:00Z" atp_lastUpdateTime_MD_ATP_Productie "2020-11-30T09:37:04.08Z" The funny thing is it seems to ingests the last event it finds again and again until there is a new alert.
... View more
12-01-2020
08:36 AM
Hi, thanks for your quick reply! [microsoft_defender_atp_alerts://MD_ATP_Acceptatie] azure_app_account = ATP_Defender_Acceptatie index = xxx_xxxx interval = 500 location = api-eu.securitycenter.microsoft.com start_date = 2020-11-30T09:00:00Z tenant_id = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx disabled = 0 [microsoft_defender_atp_alerts://MD_ATP_Productie] azure_app_account = ATP_Defender_Productie index = xxx_xxxxx interval = 500 location = api-eu.securitycenter.microsoft.com start_date = 2020-11-30T09:00:00Z tenant_id = xxxxxxxxxxxxxxxxxxxxxx disabled = 0
... View more
12-01-2020
05:37 AM
@jconger Anybody from Splunk who can help with this? The lack of support for app like this really is not a good development.
... View more
11-26-2020
05:34 AM
We are collecting the Alerts triggered in Windows Defender ATP from securitycenter. This app was built by Splunk works, but not supported. But it should work right? Why release it otherwise? What I have noticed during troubleshooting it indexes the same alerts every time the input runs on the schedule. So when a new event comes in and the input is running again the alert is indexed a second time. Seems like there is something wrong with checkpointing or something?
... View more
11-26-2020
02:58 AM
It's the https://splunkbase.splunk.com/app/4959/ Microsoft 365 Defender Add-on for Splunk
... View more
11-26-2020
12:20 AM
Hello, I have upgraded from the old defender app to the new Microsoft 365 Defender Add-on for Splunk. I finally got it working after renewing secrets etc... but seems like there are a lot of duplicate events for each incident triggered. How can we get this too work properly? Can Splunk give proper support on this? These small input apps are vital for a proper working of our SOC en Splunk ES environment.
... View more
Labels
- Labels:
-
configuration
-
other
-
troubleshooting
-
upgrade
11-26-2020
12:15 AM
1 Karma
Hi, I got it working after renewing the secrets at the MS side.
... View more
11-12-2020
02:22 AM
Make sure you do what @delink said: Add the source too: [Set-Source-By-LogName] REGEX = (?m)LogName=(.*)?\b FORMAT = source::WinEventLog:$1 DEST_KEY = MetaData:Source
... View more
11-10-2020
11:19 AM
1 Karma
Hello, I am upgrading from the older Add-On for Windows defender to Microsoft 365 Defender Add-on for Splunk. The clientid, secret en tenant are all working fine in the old app. When I install the new Microsoft 365 Defender Add-on for Splunk and use the same credentials I get the error: 2020-11-10 19:27:40 , 873 ERROR pid=77556 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback ( most recent call last ) : File " /opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py2/modinput_wrapper/base_modinput.py ", line 128 , in stream_events self.collect _ events ( ew ) File " /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_ atp _alerts.py ", line 76 , in collect_events input_module.collect_events ( self , ew ) File " /opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_ atp _alerts.py ", line 54 , in collect_events access_token = azauth.get_access_token ( client_id , client_secret , authorization_server_url , resource , helper ) File " /opt/splunk/etc/apps/TA-MS_Defender/bin/azure/auth.py ", line 21 , in get_access_token raise e KeyError: ' access_token' These Azure apps from Splunk are giving me a headache. I have the same with the Azure Add-On from Splunk. Why is Splunk making it so hard to upgrade reasonable straight forward apps?
... View more
Labels
11-03-2020
03:40 AM
Same here for the Microsoft Azure Add-On for Splunk latest version. The inputs page is just frozen....
... View more
11-02-2020
10:08 AM
HEADER_FIELD_LINE_NUMBER=2 ?
... View more
11-02-2020
09:55 AM
What am I missing here? If you have clustered search heads you also should have configured cluster replication. For a search head cluster to function properly, its members must all use the same set of search-related configurations. https://docs.splunk.com/Documentation/Splunk/8.1.0/DistSearch/HowconfrepoworksinSHC But if you want to run a search from a specific search head you could theoretically configure all the other search heads to only run ad hoc searches. In server.conf add the following 😂 [shclustering] adhoc_searchhead = true
... View more
11-02-2020
09:37 AM
Splunk states: Prerequisites Your Splunk Enterprise deployment must be connected to the Internet. If your deployment is not connected to the Internet, disable these sources or source them in an alternate way. To set up firewall rules for these sources, you might want to use a proxy server to collect the intelligence before forwarding it to Splunk Enterprise Security and allow the IP address for the proxy server to access Splunk Enterprise Security. The IP addresses for these sources can change. So we use a proxy server and whitelist urls in it to download threat intel. I would not recommend automatic updates of the DA-ESS-ContentUpdate. I do a manual check every month to see if there is an update and download it and apply it to my search heads. If you just want to open up ports then you need to open your search head to https / port 443 to be able to communicate with the internet.
... View more
11-02-2020
08:42 AM
Hi, Not sure what you are exactly trying to achieve (or ask). But if you are trying to ingest the audit logging with the Splunk Add-on for Oracle Database I suggest you read the following: https://docs.splunk.com/Documentation/AddOns/released/Oracle/Configuremonitorinputs An example for Oracle 12c inputs: [monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>
[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>
[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>
[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/alert/log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>
[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>
[monitor:///u01/app/oracle/diag/rdbms/*/*/incident/incdir*/*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE
... View more
10-19-2020
09:24 AM
1 Karma
Try this in your search bar: index=yourindex sourcetype=yoursourcetype | rex "^(?:[^ \n]* ){8}(?P<Public_IP_Test>[^ ]+)" This works fine for me and extracts the second ip as the specified field
... View more
10-19-2020
08:59 AM
How many peers have you got? The startup.handoff amount of seconds is cumulative time from all involved peers. From the documentation: https://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/ViewsearchjobpropertieswiththeJobInspector startup.handoff The time elapsed between the forking of a separate search process and the beginning of useful work of the forked search processes. In other words it is the approximate time it takes to build the search apparatus. This is cumulative across all involved peers. If this takes a long time, it could be indicative of I/O issues with .conf files or the dispatch directory.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
3 weeks ago
|
Karma from
Karma given to
