Hi, we have a Data Model based search that we filter based on a lookup (with match_type WILDCARD) that matches different fields | tstats count, values(Processes.dest) as dest, dc(Processes.dest) as dest_dc, min(_time) as earliest, max(_time) as latest, values(Processes.user) as user, dc(Processes.user) as user_dc from datamodel=Endpoint.Processes by Processes.process_guid Processes.parent_process_guid Processes.parent_process Processes.parent_process_path Processes.process Processes.process_path Processes.process_hash Processes.user | rex field=Processes.process_hash "MD5=(?<process_md5>[A-Z0-9]+)" | `drop_dm_object_name(Processes)` | lookup sysmon_rules parent_process parent_process_path process process_path process_md5 OUTPUT description score This works well and saves uf from having multiple searches in place, but it would be great if there was something like a match_type REGEX for lookups.  We could then combine several entries in the lookup to one single line. For example those 4 lines: score,description,parent_process_path,parent_process,process_path,process,process_md5 80,Office: Execution MSHTA,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\mshta.exe,*,* 80,Office: Execution PWSH,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\powershell.exe,*,* 80,Office: Execution WSCRIPT,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\wscript.exe,*,* 80,Office: Execution CMD,C:\Program Files (x86)\Microsoft Office\root\Office*,*,*\cmd.exe,*,* could be combined to: score,description,parent_process_path,parent_process,process_path,process,process_md5 80,Office: Execution susp child,(?i)C:\Program Files (x86)\Microsoft Office\root\Office.*,.*,(cmd.exe|wscript.exe|powershell.exe|mshta.exe),.*,.* We want to keep the possibility to match against multiple fields. Is there a trick (using inputlookup, map, ...) to optimize this?We're at a point where the lookup is getting cluttered because of small variations of processes in the endpoint data model we would like to alert on.   Hints, tips & help are appreciated. Chris ... View more

Hi, we're looking into bulding use case for hashicorp vault. We've had a brief look at their app that is mentioned here:  https://www.hashicorp.com/blog/splunk-app-for-monitoring-hashicorp-vault The app seems to offer quite some insight into operational data from vault. We're interested in use cases that could show a potential abuse of vault. Does anyone have any experience or hints  so we do not have to start from scratch? Thanks Chris ... View more

Hi, my company is deprecating basic authentication. We use the Microsoft Office 365 Reporting Add-on for Splunk which relies on basic authentication. Are there any plans on a future version for this app? Or are there other apps that can be used ( using other apis to get the same data)? This is the app we use: https://splunkbase.splunk.com/app/3720/#/details I appreciate feedback, hints on other options, Chris ... View more

Hi I noticed that our   o365 message tracing logs stopped getting indexed using  Microsoft Office 365 Reporting Add-on for Splunk v 1.2.1 This a sample error message we got:   2020-07-20 13:19:32,756 ERROR pid=6727 tid=MainThread file=base_modinput.py:log_error:309 | HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2020-07-01T00:00:00Z'%20and%20EndDate%20eq%20datetime'2020-07-01T00:15:00Z'   I removed the ? in the "MessageTrace?$filter=StartDate"  part of the URL in this file input_module_ms_o365_message_trace.py # Currently "$orderby=Received asc" does not work when retrieving messages with Skiptoken. Just drop "Received asc" then it works. #microsoft_trace_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$orderby=Received asc&$filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'" % (start_date.isoformat(), end_date.isoformat()) # cwi remove ? from filter #microsoft_trace_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'" % (start_date.isoformat(), end_date.isoformat()) microsoft_trace_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'" % (start_date.isoformat(), end_date.isoformat()) messages = get_messages(helper, microsoft_trace_url, global_microsoft_office_365_username, global_microsoft_office_365_password)   The input is working on our installation now. ... View more