Without going into a lot of other settings that you need to apply you can run a rudimentary inputs Create a splunk app with a structure like this yoursplunkapp\bin\yourpythonscripthere.py yoursplunkapp\local\inputs.conf [script://$SPLUNK_HOME/etc/apps/yoursplunkapp/bin/yourpythonscripthere.py] interval = 30 index=foo sourcetype=faa   This will run your script every 30 seconds. You can use seconds there or a cron expression. ... View more

You are right....I normally use the Sigma searches as inspiration and use them to create and tailor a search for my own environment and specific needs. You need to look beyond the ugliness of the translation and find the detection gems in them. ... View more

Modify your audit policy to identify Scheduled Tasks actions by enabling logging “TaskOperational” within Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings suitable to your environment. Enable and centralize the following Task Scheduler logs. Even if the tasks are ‘hidden’, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism Event ID 4698 within the Security.evtx log Microsoft-Windows-TaskScheduler/Operational.evtx log The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets is in place. ... View more

I always user www.uncoder.io  but that does not work from Splunk to Sigma unfortunately. ... View more

No it's in your filesystem under  Splunk\etc\apps\speedtest\bin\ Just copy the text from https://github.com/sivel/speedtest-cli/blob/master/speedtest.py file and overwrite the  Splunk\etc\apps\speedtest\bin\ speedtest-cli.py file with it. ... View more

Do you get any errors in _internal?  index=_internal sourcetype=splunkd speedtest? Because I do. I just installed and tested the app for you. The script file  (speedtest-cli.py) is not good. The _internal shows: Splunk\etc\apps\speedtest\bin\speedtest-cli.py " -- json " ValueError: invalid literal for int () with base 10: '' and more errors with the python file. So as a test I replaced it with a new version of speedtest (from https://github.com/sivel/speedtest-cli/blob/master/speedtest.py) (copied and replaced it into  Splunk\etc\apps\speedtest\bin\speedtest-cli.py) and the app starts working.   Let me know if you need more help on this.   ... View more

I have the same issue ... View more

Then your answer is in my first reply 🙂 ... View more

Hi, You could just add the field host to the search. It will then show under Statistics. This is for the Search " Notable - Top Notable Event Sources" in Enterprise Security if that is what you mean? | `es_notable_events` | search timeDiff_type=current src!=unknown | stats sparkline(sum(count),30m) as sparkline,dc(rule_name) as correlation_search_count,dc(security_domain) as security_domain_count,sum(count) as count by src, host | sort 100 - count,correlation_search_count   ... View more

I encounter the exact same issue. What permissions do you exactly mean? ... View more

This is solved by the way with the new Canary Add-on version 2.0.2 Thinkst Canary Add-on | Splunkbase ... View more

No still not able to get it to work. ... View more

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Aboutlookupsandfieldactions ... View more

I'd say create a lookup with area codes and their respective longitudes and latitudes. Splunk can do magic, but you need to feed it some ingredients to do magic with. I found this as a possible source: https://gist.github.com/iteufel/af379872bbc3bf5261e2fd09b681ff7e ... View more

This is not the full solution, but you could eval the longitude and latitude for each result. Or use a lookup with all cities lon and lats. Basic example | makeresults | eval City = "Berlin" |eval lat="52.520008" | eval lon="13.404954" | geostats latfield=lat longfield=lon count ... View more

Can you try | rex field=file mode=sed "s/(^\s+)|(\s+$)//g" ... View more

Did you google it?  Not much to do with Splunk....but the short answer is no. The long answer is that you cannot find out exactly what model iphone this is based on your string above. except that it is an Apple IOS Mobile device (32 bit) and not a tablet. ... View more

It will follow the same principal as the previous example. For each individual file it will go through that process. So you could create a saved search with a stats count command that count the number of " Finished processing file " messages. Try and be creative and use Splunk _internal event logging to your own advantage. Another brainfart might be to send an alert when you are not seeing " Finished processing file " anymore in the _internal logging. This might also be an indicator that all files have been processed. ... View more