Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About johann2017
johann2017
Explorer
Member since:
02-21-2017
06-22-2020
Community Statistics
| Posts | 77 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 02-21-2017 |
Activity Feed
- Posted Re: Password Spray Search / Alert on Splunk Search. 06-22-2020 12:23 PM
- Karma Re: Password Spray Search / Alert for diogofgm. 06-22-2020 12:22 PM
- Posted Password Spray Search / Alert on Splunk Search. 06-22-2020 09:15 AM
- Got Karma for Pass the hash detection. 06-05-2020 12:50 AM
- Got Karma for How to configure Splunk Alerts to only send one E-mail notification?. 06-05-2020 12:49 AM
- Posted Detecting Pass-the-Ticket Attacks on Archive. 04-14-2020 12:56 PM
- Posted Powershell Logging and ingesting to Splunk on Archive. 01-26-2020 02:11 PM
- Posted Re: Alert with time exclusion on Alerting. 01-23-2020 12:49 PM
- Posted Re: Strange Splunk Search Exclusion Results on Archive. 01-10-2020 08:12 AM
- Posted Re: Strange Splunk Search Exclusion Results on Archive. 01-10-2020 07:59 AM
- Posted Re: Strange Splunk Search Exclusion Results on Archive. 01-10-2020 07:33 AM
- Posted Strange Splunk Search Exclusion Results on Archive. 01-10-2020 06:46 AM
- Posted Re: Alert with time exclusion on Alerting. 01-09-2020 02:13 PM
- Posted Re: Alert with time exclusion on Alerting. 01-09-2020 02:06 PM
- Posted Re: Alert with time exclusion on Alerting. 01-09-2020 01:41 PM
- Posted Re: Splunk Alerts Report on Alerting. 01-09-2020 12:01 PM
- Posted Re: Splunk Alerts Report on Alerting. 01-09-2020 11:59 AM
- Posted Alert with time exclusion on Alerting. 01-09-2020 10:47 AM
- Posted Splunk Alerts Report on Alerting. 01-09-2020 10:05 AM
- Tagged Splunk Alerts Report on Alerting. 01-09-2020 10:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-22-2020
09:15 AM
Hello! I am building an alert to detect potential password spraying (it is looking for 10 or more failed logons within the last 15 minutes, where the username is correct but the password is wrong). It works well, however there is one issue. If the same user fails to login a lot then it will trigger the alert. I only want a failure to count if the usernames are different. For example, if one user fails to login 10 times it will NOT alert. If 10 different users fail to login once each then it would alert. Below is my syntax: index=*-windows-logs EventCode=4625 signature="User name is correct but the password is wrong"
Account_Name!=*$
| stats count by src_ip
| where count > 10
... View more
04-14-2020
12:56 PM
Has anyone used Splunk Enterprise to effectively detect Pass The Ticket related attacks? If so I would be curious as to how you did it. Thanks!
... View more
- Tags:
- splunk-enterprise
01-26-2020
02:11 PM
Hello! I am very interested in turning on Powershell logging in my environment and then sending those logs to Splunk. Any good recommendations for articles / URLs for me to start learning how to do this? Thx
... View more
- Tags:
- splunk-enterprise
01-10-2020
08:12 AM
If I run these two searches, the Statistics totals are 29 and 28 - only off by one (which makes sense because I excluded only one machine). Therefore that seems to add up correctly. Not sure why my original search only showed 5 systems.
index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator | table src_nt_host | dedup src_nt_host
index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=administrator src_nt_host!=machineA | table src_nt_host | dedup src_nt_host
... View more
01-10-2020
07:59 AM
First search (no exclusions) = 450,073
Second search (with the machineA exclusion) = 79,947
... View more
01-10-2020
06:46 AM
Hello. I am creating a search to see when the Account_Name called "helpdesk" logs in via EventCode 4624 with Logon_Type=3. My goal is to see what source machines (src_nt_host) normally perform this logon behavior with that account name. After I find the source machines I will exclude them in the search so I can alert off of it.
A search going back the past 3 months below brings back five different source machines (src_nt_host).
Here is the strange part - when I exclude one of those five source machines using src_nt_host!=machineA then rerun the search, it brings back more source machines that never showed up in the original search! Any clue why this is occurring? It would be awesome if I could figure out what is going on!
index=*-windows-logs (EventCode=4624 AND Logon_Type=3) Account_Name=helpdesk | sort - _time | table _time, Account_Name, EventCode, Logon_Type, src_nt_host, dest_nt_host, signature
... View more
- Tags:
- splunk-enterprise
01-09-2020
02:13 PM
Also, how can I tell the search to only run within a specific timeframe, lets say between only 8am - 5pm?
... View more
01-09-2020
02:06 PM
One more question, how can I exclude a larger time range? It seems that this works great for excluding within the same hour, but for instance if try to exclude between 00 and 04 it does not work properly. Example below:
index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >00 ) AND (myHour <04 AND myMinute < 00) ) | table _time, ComputerName, Message
... View more
01-09-2020
11:59 AM
I like this however its not showing all fired alerts. I selected "All" for App, Owner, Severity, and Alert. I noticed that under the alert drop down there are only 10 alerts listed. I have built a lot more than 10. Permissions issue possibly?
... View more
01-09-2020
10:47 AM
I have setup an alert to run a search every 10 minutes which looks for a specific Event Code and a Message string. I want this to return results except for times between 12:30am and 1:30am. How can I do this? I tried the following below but it is not working:
index=*-windows-logs EventCode=7036 Message="Service Entered A Running State" | sort - _time | eval myHour=strftime(_time, "%H") | eval myMinute=strftime(_time, "%M") | where NOT ( (myHour > 00 AND myMinute >30 ) AND (myHour <01 AND myMinute < 30) ) | table _time, ComputerName, Message
... View more
01-09-2020
10:05 AM
I want to know which Splunk alerts have fired off in X amount of time. What are my options for doing this? Thanks!
... View more
12-20-2019
07:59 AM
@martynoconnor If I wanted to build a similar search - except this time I want to alert off a certain username trying to log on to multiple computers how would I do that? Let's say the usernames I am interested in are Administrator and Root...
... View more
12-20-2019
07:55 AM
Actually I had a typo in my index. I think your recommendation will get me going in the right direction. I am going to keep testing with it though. Thanks!!
... View more
12-19-2019
07:35 AM
Hello Marty. A couple of things I found when doing a test vulnerability scan which would mimic the type of behavior I want to alert on (a single IP scanning multiple IPs). I found the the remote systems attempting to be accessed show up under the field name "dest" and that the source ip of the scanner attempting to connect is under the field name "Source_Network_Address". I modified your sytax below - does it look right because I am getting zero results?
index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23"
| stats dc(dest) AS dest by Source_Network_Address
| where dest > 20
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-22-2020
01:04 PM
|
