Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About desmondpigott
desmondpigott
Explorer
Member since:
02-18-2015
06-05-2020
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 02-18-2015 |
Activity Feed
- Got Karma for Re: How to detect a new host used by a user?. 06-05-2020 12:48 AM
- Posted Re: Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-31-2016 10:38 AM
- Posted Re: Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-29-2016 02:08 PM
- Posted Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-21-2016 01:47 PM
- Tagged Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-21-2016 01:47 PM
- Tagged Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-21-2016 01:47 PM
- Tagged Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-21-2016 01:47 PM
- Tagged Add-on for JIRA: Is it possible to avoid storing password information in clear text in config.ini? on All Apps and Add-ons. 10-21-2016 01:47 PM
- Posted Re: How to detect a new host used by a user? on Splunk Search. 10-21-2016 11:18 AM
- Posted How to detect a new host used by a user? on Splunk Search. 09-30-2016 11:41 AM
- Tagged How to detect a new host used by a user? on Splunk Search. 09-30-2016 11:41 AM
- Tagged How to detect a new host used by a user? on Splunk Search. 09-30-2016 11:41 AM
- Tagged How to detect a new host used by a user? on Splunk Search. 09-30-2016 11:41 AM
- Tagged How to detect a new host used by a user? on Splunk Search. 09-30-2016 11:41 AM
Topics I've Started
10-31-2016
10:38 AM
Sorry Flynt, I never received anything, and I can't see any way to email you via Splunk> answers. Am I overlooking something.
... View more
10-29-2016
02:08 PM
Thanks Flynt, and yes I'd be interested in trying out the unpublished version with encryption. How can we make the arrangement?
... View more
10-21-2016
01:47 PM
We got the Add-on for JIRA for Splunk Enterprise working ( https://splunkbase.splunk.com/app/1438/ ) however it requires us to authenticate using credentials that are stored in clear text in C:\Program Files\Splunk\etc\apps\jira\local\config.ini, according to the instructions.
Is there some way to avoid that, and have the Splunk end user SSO against it instead? We require this for 2 reasons:
1. For obvious security reasons, we don't want to store the password in plain text on the file system.
2. The account used in config.ini will not necessarily have access to all the JIRA projects anyway, and as a result not return all stories/issues that we're querying for. Each user will be querying for issues in JIRA projects that other users may not have access to. We could use a JIRA admin account, but then refer to point #1 above.
Bonus question: Is there a way to query multiple JIRA instances? We have a few instances that we'd like to reach into at the same time.
... View more
10-21-2016
11:18 AM
1 Karma
Thank you Somesoni2. (And btw, congratulations on the Splunk 2016-17 MVP award!)
I managed to get a proof of concept working for this by scheduling the two lookups as described above, with some additional settings described below.
For the sake of other readers it was important to also do the following:
The second scheduled job using the second (shorter) query above, should be scheduled to run Earliest: -5m@m, Latest: now, Basic search very 5 minutes. Do not make it real time, I created a flood of email for a single event by doing that.
The notification email uses the $RESULT.userName$@yourdomain.com as the recipient of the email message. This will pull out the username from the lookup and use it to send the email directly to each user. (Replace with your own field as it appropriate).
Configure the email alert to fire for each result.
The email alert should use suppression (throttle) with the asterisk "*", for 15 minutes, to prevent multiple alerts being sent if someone quickly logs on/off/on a new computer within a span of < 5 minutes. This will ensure that if the user does this they will only receive a single email for that host. The suppression time of 15 minutes will also give the first scheduled search job a chance to update the CSV file, and avoid sending a duplicate email for the same host 5 minutes later.
I did figure out how to use the Backfill python script (not that hard), but it requires you to have a separate index available to use when you run it. It was very slow to run the backfill but it did finish eventually, and you can actually disable the index when you're done as you don't need it to run this solution, you only need it for back filling. If you don't care about back filling then you don't need the extra temporary index and no need to run the backfill python script, just schedule your search jobs, and let it start building the CSV over time. You can always disable/enable the email alerts when you're ready to notify end users.
... View more
09-30-2016
11:41 AM
Summary: We want to trigger an alert/email when a user logs on to a new system for the first time.
Event ID 4624 is collected from domain controllers. This event basically contains what we need (host, username, logontype). In our case we only care about logontype="7" (interactive logon) for now.
As new events arrive, how can I compare the username + hostname + logontype, to previously indexed events, in order to detect new username + hostname combinations?
Something like: Every 15 minutes, fetch all the 4624 events that arrived, extract the hostname & username, then search all previous results for $username$ $hostname$ logontype="7". If there are no results, it must be a new system, then trigger an alert to $username$@domain.com.
Another possible solution: As matching events arrive (EventID="4624" logontype="7"), extract the username and hostname, and then query all previous data for a match using all 4 attributes, if null, then it must be a new system, so trigger an alert.
According to bullet #4 in this doc: http://docs.splunk.com/Documentation/ES/4.2.0/User/Applicationprotocolsblacklist#Search-driven_lookups it may be possible to detect new hosts. But that seems overkill and expensive. There must be a native way to do this in Splunk core. Are search-driven lookup's available without Enterprise Security?
Open to other ideas about how to achieve this.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
