Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About st1
st1
Explorer
Member since:
07-08-2020
Thursday
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 07-08-2020 |
Activity Feed
- Posted Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. Wednesday
- Karma Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? for PickleRick. Tuesday
- Posted Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. Tuesday
- Karma Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? for isoutamo. Tuesday
- Posted Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. Tuesday
- Karma Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? for richgalloway. Tuesday
- Posted How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. a week ago
- Karma Re: How to generate one notable for multiple events? for yeahnah. 03-28-2023 08:08 AM
- Posted How to generate one notable for multiple events? on Splunk Enterprise. 03-27-2023 08:31 AM
- Tagged How to generate one notable for multiple events? on Splunk Enterprise. 03-27-2023 08:31 AM
- Karma Re: Enterprise Security Incident Review duplicate notables/alerts for richgalloway. 02-14-2023 06:57 AM
- Karma Re: Enterprise Security Incident Review duplicate notables/alerts for richgalloway. 02-14-2023 06:57 AM
- Karma Re: Enterprise Security Incident Review duplicate notables/alerts for richgalloway. 02-14-2023 06:57 AM
- Posted Re: Enterprise Security Incident Review duplicate notables/alerts on Splunk Enterprise Security. 02-13-2023 08:01 AM
- Posted Re: Enterprise Security Incident Review duplicate notables/alerts on Splunk Enterprise Security. 02-09-2023 11:32 AM
- Posted Re: Enterprise Security Incident Review duplicate notables/alerts on Splunk Enterprise Security. 02-09-2023 09:12 AM
- Posted Why are there duplicate notables/alerts in Enterprise Security Incident Review? on Splunk Enterprise Security. 02-09-2023 05:48 AM
- Karma Re: Ignoring alerts when user has been removed and added back into AD group within an hour for richgalloway. 12-28-2022 08:34 AM
- Posted Re: Ignoring alerts when user has been removed and added back into AD group within an hour on Splunk Search. 12-23-2022 05:40 AM
- Posted Ignoring alerts when user has been removed and added back into AD group within an hour? on Splunk Search. 12-22-2022 10:00 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Wednesday
So I have tried what you said a try and created two deployment apps. "rectify_hostname" and "rectify_hostname_nix". This is what I have in rectify_hostname rectify_hostname_nix: I'm still getting error messages from Windows hosts though. Possibly the Linux hosts have the same issue but I haven't see anything so far. 05-31-2023 12:36:11.703 -0400 ERROR FrameworkUtils [8632 ExecProcessor] - Incorrect path to script: \.\bin\rectify_hostname.sh. Script must be located inside $SPLUNK_HOME\bin\scripts. source = C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
... View more
Tuesday
Thanks for the detailed response. It's very helpful. So, for my clarification, I create two new deployments apps: rectify_hostname_nix and rectify_hostname_win. Everything stays the same in these apps except for the input.conf file? For the nix app, I would keep "disabled = False" and for the windows app, I would do "disabled = True"? I think I'm not sure if I have the right solution for Windows
... View more
Tuesday
I found the file path on my deployment server at /opt/splunk/etc/deployment-apps/rectify_hostname/default/inputs.conf [script://./bin/rectify_hostname.sh] disabled = False index = _internal interval = -1 [script://.\bin\rectify_hostname_wrapper.cmd] disabled = False index = _internal interval = -1 /opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.sh has this: #!/bin/bash # chmod a+x <this file> before deployment # script fetches the hostname from the environment # converts it to lowercase and truncates any FQDN # inserts it into etc/system/local server.conf and inputs.conf if necessary # restarts splunk # tested on RHEL7 and Solaris11 # set localization from international (cuz old Gnu on Solaris) LC_ALL="C" if [ "$SPLUNK_HOME" = "" ]; then SPLUNK_HOME="/opt/splunkforwarder" fi ... /opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname_wrapper.cmd REM store path of this bin folder set "BINPATH=%~dp0" REM set "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder" %SystemRoot%\system32\WindowsPowerShell\v1.0\Powershell -ExecutionPolicy ByPass -File "%BINPATH%rectify_hostname.ps1" -splunkHome "%SPLUNK_HOME%" /opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.ps1 # for Powershell 2 compatibilityparam( [string]$splunkHome = $env:SPLUNK_HOME ) if ( -not ($splunkHome) ) { $splunkHome = "$env:ProgramFiles\SplunkUniversalForwarder" } ... I'm not sure where to correct the file path. Would it be changing the line in inputs.conf from [script://./bin/rectify_hostname.sh] to [script://./bin/scripts/rectify_hostname.sh]?
... View more
a week ago
The splunkd.log on a Windows host shows the following errors:
05-22-2023 15:31:34.452 -0400 ERROR FrameworkUtils [15508 ExecProcessor] - Incorrect path to script: \.\bin\rectify_hostname.sh. Script must be located inside $SPLUNK_HOME\bin\scripts. 05-22-2023 15:31:34.452 -0400 ERROR ExecProcessor [15508 ExecProcessor] - Ignoring: "\.\bin\rectify_hostname.sh"
How am I able to fix this? I cannot find the "\.\bin\rectify_hostname.sh" path on the host.
... View more
Labels
- Labels:
-
splunkd
03-27-2023
08:31 AM
This is the correlation search I currently have
index=honeypot sourcetype=cowrie
| table _time, username, src_ip, eventid, message
| where eventid!="cowrie.log.closed"
| where src_ip!="10.11.13.29"
Example events:
_time
username
src_ip
eventid
message
2023-03-22 14:25:43
10.12.8.180
hny.command.input
CMD: exit
2023-03-22 14:25:41
root
10.12.8.180
hny.login.success
login attempt [root/admin] succeeded
2023-03-22 14:25:38
10.12.8.180
hny.session.connect
New connection: 10.12.8.180:2303 (10.11.131.199:2222) [session: 520a4f7b0870]
2023-03-22 14:25:00
10.12.8.180
hny.command.input
CMD:
2023-03-22 14:25:00
10.12.8.180
hny.command.input
CMD:
The correlation search runs every hour and, for the example events shown above, the search is putting out 5 of the same notables (one for each event). How can I have only one notable for each hour? I tried using stats and counting by src_ip but that only returns the fields that have a username.
... View more
- Tags:
- Enterprise Security
Labels
02-13-2023
08:01 AM
@richgalloway any suggestions?
... View more
02-09-2023
11:32 AM
@richgalloway wrote: If the query will run every hour then it should look only for new logins in the last hour. the query will run every hour but I want it to look over all of time (or even 90 days is fine). So, I made the previous change you suggested (below) where I set Earliest = -61m and Latest = -1m and logged into AWS again. After the next hour, the alert triggered on me logging in. This isn't correct because I'm no longer an "unusual" user since I had already logged in the yesterday. This is why I need to search over a long period of time. But even when I manually search over past 90 days, I'm still showing up. userIdentity.arn eventName earliest latest maxlatest jim ConsoleLogin 2023-02-08 07:57:11 2023-02-09 13:23:09 2023-02-09 13:23:09 I'm not sure how to modify my original search or either the time range it looks over so that only users who have never performed a certain action before (i.e. unusual) would show up.
... View more
02-09-2023
09:12 AM
I thought I had to search from the beginning of time because, as I understand, finding an unusual user means a user that was never seen before. And because I logged in to AWS for the first time, the alert triggered. But I'll try your suggestion and let you know. Thanks.
... View more
02-09-2023
05:48 AM
I have duplicate notables/alerts coming in for a specific correlation search I created. I'm sure the problem is within the time ranges of the correlation search but I cannot figure out what it is.
I have this AWS Instance Modified By Usual User search that I got from Security Essentials.
This is my search
index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin OR eventName=CreateImage OR eventName=AssociateAddress OR eventName=AttachInternetGateway OR eventName=AttachVolume OR eventName=StartInstances OR eventName=StopInstances OR eventName=UpdateService OR eventName=UpdateLoginProfile | stats earliest(_time) as earliest latest(_time) as latest by userIdentity.arn, eventName | eventstats max(latest) as maxlatest | where earliest > relative_time(maxlatest, "-1d@d") | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(earliest) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(maxlatest)
This is the time range in the search:
Yesterday I logged in to our AWS account for the first time and the alert fired - which is good. But the alert kept firing every hour afterwards. From my understanding the alert should fire once and be over with.
8am, original alert:
userIdentity.arn
eventName
earliest
latest
maxlatest
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 07:57:11
2023-02-08 07:57:11
At 9am:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 08:57:55
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 07:57:11
2023-02-08 08:57:55
At 10am:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 09:51:21
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 09:20:11
2023-02-08 09:51:21
At 11am:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 10:15:26
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 09:20:11
2023-02-08 10:15:26
At 12pm:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 11:15:54
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 09:20:11
2023-02-08 11:15:54
And what I didn't mention is that, apart from alert repeating itself each hour, there are two alerts created every time due to, I'm assuming, having two users.
How can I fix this to alert only once and to also report only once for both users? thanks for any assistance.
... View more
Labels
12-23-2022
05:40 AM
Streamstats seems to be the step in the right direction but I'm still having some issues. The command you gave is calculating the time diff for each time the EventCode changes from 4729 to 4728 or vice versa. I'm only interested in the diff between each pair. Specifically the difference between 4729 to 4728 and I want the time diff to reset on event 4728. This is what I've tried: | streamstats range(_time) as diff by MemberSid window=2 global=f reset_after="("EventCode=4728")" I used window=2 because I only want the time diff between each pair of 4728 and 4729 events. I don't really know what global=f or t is doing. They both show the same results. I did reset_after because I want the time diff to reset after a 4728 event is noticed. Then the time diff should start get counted again again on a 4729 until a 4728 event. But the command is not capturing the below events. _time MemberSid AD_Group EventCode 2022-12-16 08:30:24 wendy Executives 4728 2022-12-15 11:53:19 sara Executives 4728 2022-12-15 11:41:21 sara Executives 4729 2022-12-15 10:28:20 wendy Executives 4729 2022-12-14 15:05:58 max Executives 4728 2022-12-14 10:05:13 daniel Executives 4729 2022-12-14 08:15:46 max Executives 4729 Wendy and Max were added back over an hour later. And Daniel was never added back at all. But the command I'm using isn't picking those up. Any tips?
... View more
12-22-2022
10:00 AM
We currently have an report every morning that shows which users have been removed from a particular AD group from the previous day.
The report sometimes shows too many events. I want to modify it such that if a user has been removed from an AD group and added back in within one hour, then it would be ignored.
Here are examples below. EventCode 4729 is a user getting removed and 4728 is a user getting added.
_time
MemberSid
AD_Group
EventCode
2022-12-21 14:48:22
bob
Executives
4728
2022-12-21 12:48:22
bob
Executives
4729
This would show up in the morning report that bob was removed from the Executives group at 12:48 since its been over an hour since they were added back in.
_time
MemberSid
AD_Group
EventCode
2022-12-21 14:38:22
janice
Executives
4728
2022-12-21 13:00:22
bob
Executives
4728
2022-12-21 12:55:22
dylan
Executives
4729
2022-12-21 12:50:22
janice
Executives
4729
2022-12-21 12:48:22
bob
Executives
4729
Janice and Dylan would show up in the morning report in this case since its been over an hour that Janice was added back in and Dylan was never added back at all.
I'm not good with SPL and am having trouble with what command(s) to use so that I can achieve the above. Below is the search I currently have. The comment indicates what I'm trying to do.
index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives" | rename Group_Name as AD_Group | table _time, MemberSid, AD_Group, EventCode | sort by MemberSid ``` WHERE for a user, if there is eventcode 4729 and no eventcode 4728 following or eventcode 4728 over a hour later, then keep those events/results. In other words, ignore users with eventcode 4729 and eventcode 4728 within a hour apart.```
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
