Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About st1
st1
Path Finder
Member since:
07-08-2020
10-29-2024
Community Statistics
| Posts | 15 |
| Solutions | 0 |
| Karma Given | 12 |
| Karma Received | 0 |
| Member Since | 07-08-2020 |
Activity Feed
- Karma Re: Detecting successful login after multiple failed logins in a transaction for gcusello. 08-28-2024 11:54 AM
- Karma Re: Detecting successful login after multiple failed logins in a transaction for yuanliu. 08-28-2024 11:54 AM
- Tagged Detecting successful login after multiple failed logins in a transaction on Splunk Search. 08-27-2024 12:39 PM
- Tagged Detecting successful login after multiple failed logins in a transaction on Splunk Search. 08-27-2024 12:39 PM
- Tagged Detecting successful login after multiple failed logins in a transaction on Splunk Search. 08-27-2024 12:39 PM
- Posted Detecting successful login after multiple failed logins in a transaction on Splunk Search. 08-27-2024 12:38 PM
- Karma Re: Show/filter only events that existed 24 hours ago for yuanliu. 10-11-2023 05:23 AM
- Posted Re: Show/filter only events that existed 24 hours ago on Splunk Search. 10-06-2023 09:21 AM
- Tagged Re: Show/filter only events that existed 24 hours ago on Splunk Search. 10-06-2023 09:21 AM
- Posted Show/filter only events that existed 24 hours ago on Splunk Search. 10-06-2023 07:11 AM
- Karma Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? for PickleRick. 05-30-2023 11:17 AM
- Posted Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. 05-30-2023 08:29 AM
- Karma Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? for isoutamo. 05-30-2023 08:27 AM
- Posted Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. 05-30-2023 07:35 AM
- Karma Re: How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? for richgalloway. 05-30-2023 07:35 AM
- Posted How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts? on Monitoring Splunk. 05-25-2023 10:37 AM
- Karma Re: How to generate one notable for multiple events? for yeahnah. 03-28-2023 08:08 AM
- Posted How to generate one notable for multiple events? on Splunk Enterprise. 03-27-2023 08:31 AM
- Tagged How to generate one notable for multiple events? on Splunk Enterprise. 03-27-2023 08:31 AM
- Karma Re: Enterprise Security Incident Review duplicate notables/alerts for richgalloway. 02-14-2023 06:57 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-27-2024
12:38 PM
I'm not very good with SPL. I currently have Linux application logs that show the IP address, user name, and if the user failed or had a successful login. I'm interested in finding a successful login after one or more failed login attempts. I currently have the following search. The transaction command is necessary where it is or otherwise, all the events are split up into separate events of varying line counts. index=honeypot sourcetype=honeypotLogs | transaction sessionID | search "SSH2_MSG_USERAUTH_FAILURE" OR "SSH2_MSG_USERAUTH_SUCCESS" Below is an example event. For clarity, I replaced details/omitted details from the logs below. [02] Tue 27Aug24 15:20:57 - (143323) Connected to 1.2.3.4
...
...
[30] Tue 27Aug24 15:20:57 - (143323) SSH2_MSG_USERAUTH_REQUEST: user: bob
[31] Tue 27Aug24 15:20:57 - (143323) SSH2_MSG_USERAUTH_FAILURE
...
[30] Tue 27Aug24 15:20:57 - (143323) SSH2_MSG_USERAUTH_REQUEST: user: bob
[02] Tue 27Aug24 15:20:57 - (143323) User "bob" logged in
[31] Tue 27Aug24 15:20:57 - (143323) SSH2_MSG_USERAUTH_SUCCESS: successful login Any tips on getting my search to find events like this? Currently I only have field extractions for the IP (1.2.3.4), user (bob), and sessionID (143323). I can possibly create a field extraction for the SSH2 messages but I don't know if that will help or not. Thanks!
... View more
Labels
- Labels:
-
transaction
10-06-2023
09:21 AM
Hi @gcusello What I'm looking to do is find any duplicate occurrence of a RogueApMacAddress (any particular value that repeats more than once) within 24 hours. Including the command you provided wouldn't help with that. But I hope you understood what I'm trying to do. Let me know if not!
... View more
- Tags:
- hi
10-06-2023
07:11 AM
I have the following search index=cisco sourcetype=cisco:wlc snmpTrapOID_0="CISCO-LWAPP-AP-MIB::ciscoLwappApRogueDetected" |rename cLApName_0 as "HQ AP" |dedup "HQ AP" |stats list(*) as * by "_time" |table _time, "HQ AP", RogueApMacAddress Example results: _time HQ AP RogueAPMacAddress 2023-10-05 12:56:41 flr1-ap-5198-AP05 6e:e8:e9:cd:40:10 2023-10-06 04:09:29 flr1-ap-51c4 da:55:b8:8:db:b8 2023-10-06 08:42:14 flr1-ap-514E_AP07 84:fd:d1:fa:a7:3f 2023-10-06 08:53:12 flr1-ap-518C-B92 0:25:0:ff:94:73 2023-10-06 09:20:22 flr2-ap-51CA 28:24:ff:fd:a6:c0 2023-10-06 09:30:58 flr1-ap-51C2 flr2-ap-463C-AP02 32:b:61:48:a3:c3 2023-10-07 04:09:29 flr1-ap-444x-B11 da:55:b8:8:db:b8 2023-10-07 08:53:12 flr1-ap-69x4 0:25:0:ff:94:73 The search is showing access points in our office that have detected unauthorized access points. I have my search to look at the last 24 hours. I only want to filter for RogueApMacAddresses that have been present/detected for over 24 hours. In this example, both the red and blue events have been there for over the last 24 hours. How can I alert on just those events and disregard the rest? Thanks for any help
... View more
05-30-2023
08:29 AM
Thanks for the detailed response. It's very helpful. So, for my clarification, I create two new deployments apps: rectify_hostname_nix and rectify_hostname_win. Everything stays the same in these apps except for the input.conf file? For the nix app, I would keep "disabled = False" and for the windows app, I would do "disabled = True"? I think I'm not sure if I have the right solution for Windows
... View more
05-30-2023
07:35 AM
I found the file path on my deployment server at /opt/splunk/etc/deployment-apps/rectify_hostname/default/inputs.conf [script://./bin/rectify_hostname.sh] disabled = False index = _internal interval = -1 [script://.\bin\rectify_hostname_wrapper.cmd] disabled = False index = _internal interval = -1 /opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.sh has this: #!/bin/bash # chmod a+x <this file> before deployment # script fetches the hostname from the environment # converts it to lowercase and truncates any FQDN # inserts it into etc/system/local server.conf and inputs.conf if necessary # restarts splunk # tested on RHEL7 and Solaris11 # set localization from international (cuz old Gnu on Solaris) LC_ALL="C" if [ "$SPLUNK_HOME" = "" ]; then SPLUNK_HOME="/opt/splunkforwarder" fi ... /opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname_wrapper.cmd REM store path of this bin folder set "BINPATH=%~dp0" REM set "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder" %SystemRoot%\system32\WindowsPowerShell\v1.0\Powershell -ExecutionPolicy ByPass -File "%BINPATH%rectify_hostname.ps1" -splunkHome "%SPLUNK_HOME%" /opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.ps1 # for Powershell 2 compatibilityparam( [string]$splunkHome = $env:SPLUNK_HOME ) if ( -not ($splunkHome) ) { $splunkHome = "$env:ProgramFiles\SplunkUniversalForwarder" } ... I'm not sure where to correct the file path. Would it be changing the line in inputs.conf from [script://./bin/rectify_hostname.sh] to [script://./bin/scripts/rectify_hostname.sh]?
... View more
05-25-2023
10:37 AM
The splunkd.log on a Windows host shows the following errors:
05-22-2023 15:31:34.452 -0400 ERROR FrameworkUtils [15508 ExecProcessor] - Incorrect path to script: \.\bin\rectify_hostname.sh. Script must be located inside $SPLUNK_HOME\bin\scripts. 05-22-2023 15:31:34.452 -0400 ERROR ExecProcessor [15508 ExecProcessor] - Ignoring: "\.\bin\rectify_hostname.sh"
How am I able to fix this? I cannot find the "\.\bin\rectify_hostname.sh" path on the host.
... View more
Labels
- Labels:
-
splunkd
03-27-2023
08:31 AM
This is the correlation search I currently have
index=honeypot sourcetype=cowrie
| table _time, username, src_ip, eventid, message
| where eventid!="cowrie.log.closed"
| where src_ip!="10.11.13.29"
Example events:
_time
username
src_ip
eventid
message
2023-03-22 14:25:43
10.12.8.180
hny.command.input
CMD: exit
2023-03-22 14:25:41
root
10.12.8.180
hny.login.success
login attempt [root/admin] succeeded
2023-03-22 14:25:38
10.12.8.180
hny.session.connect
New connection: 10.12.8.180:2303 (10.11.131.199:2222) [session: 520a4f7b0870]
2023-03-22 14:25:00
10.12.8.180
hny.command.input
CMD:
2023-03-22 14:25:00
10.12.8.180
hny.command.input
CMD:
The correlation search runs every hour and, for the example events shown above, the search is putting out 5 of the same notables (one for each event). How can I have only one notable for each hour? I tried using stats and counting by src_ip but that only returns the fields that have a username.
... View more
- Tags:
- Enterprise Security
Labels
02-13-2023
08:01 AM
@richgalloway any suggestions?
... View more
02-09-2023
11:32 AM
@richgalloway wrote: If the query will run every hour then it should look only for new logins in the last hour. the query will run every hour but I want it to look over all of time (or even 90 days is fine). So, I made the previous change you suggested (below) where I set Earliest = -61m and Latest = -1m and logged into AWS again. After the next hour, the alert triggered on me logging in. This isn't correct because I'm no longer an "unusual" user since I had already logged in the yesterday. This is why I need to search over a long period of time. But even when I manually search over past 90 days, I'm still showing up. userIdentity.arn eventName earliest latest maxlatest jim ConsoleLogin 2023-02-08 07:57:11 2023-02-09 13:23:09 2023-02-09 13:23:09 I'm not sure how to modify my original search or either the time range it looks over so that only users who have never performed a certain action before (i.e. unusual) would show up.
... View more
02-09-2023
09:12 AM
I thought I had to search from the beginning of time because, as I understand, finding an unusual user means a user that was never seen before. And because I logged in to AWS for the first time, the alert triggered. But I'll try your suggestion and let you know. Thanks.
... View more
02-09-2023
05:48 AM
I have duplicate notables/alerts coming in for a specific correlation search I created. I'm sure the problem is within the time ranges of the correlation search but I cannot figure out what it is.
I have this AWS Instance Modified By Usual User search that I got from Security Essentials.
This is my search
index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin OR eventName=CreateImage OR eventName=AssociateAddress OR eventName=AttachInternetGateway OR eventName=AttachVolume OR eventName=StartInstances OR eventName=StopInstances OR eventName=UpdateService OR eventName=UpdateLoginProfile | stats earliest(_time) as earliest latest(_time) as latest by userIdentity.arn, eventName | eventstats max(latest) as maxlatest | where earliest > relative_time(maxlatest, "-1d@d") | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(earliest) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(latest) | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(maxlatest)
This is the time range in the search:
Yesterday I logged in to our AWS account for the first time and the alert fired - which is good. But the alert kept firing every hour afterwards. From my understanding the alert should fire once and be over with.
8am, original alert:
userIdentity.arn
eventName
earliest
latest
maxlatest
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 07:57:11
2023-02-08 07:57:11
At 9am:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 08:57:55
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 07:57:11
2023-02-08 08:57:55
At 10am:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 09:51:21
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 09:20:11
2023-02-08 09:51:21
At 11am:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 10:15:26
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 09:20:11
2023-02-08 10:15:26
At 12pm:
userIdentity.arn
eventName
earliest
latest
maxlatest
bob
ConsoleLogin
2023-02-08 08:29:22
2023-02-08 08:29:22
2023-02-08 11:15:54
jim
ConsoleLogin
2023-02-08 07:57:11
2023-02-08 09:20:11
2023-02-08 11:15:54
And what I didn't mention is that, apart from alert repeating itself each hour, there are two alerts created every time due to, I'm assuming, having two users.
How can I fix this to alert only once and to also report only once for both users? thanks for any assistance.
... View more
Labels
12-23-2022
05:40 AM
Streamstats seems to be the step in the right direction but I'm still having some issues. The command you gave is calculating the time diff for each time the EventCode changes from 4729 to 4728 or vice versa. I'm only interested in the diff between each pair. Specifically the difference between 4729 to 4728 and I want the time diff to reset on event 4728. This is what I've tried: | streamstats range(_time) as diff by MemberSid window=2 global=f reset_after="("EventCode=4728")" I used window=2 because I only want the time diff between each pair of 4728 and 4729 events. I don't really know what global=f or t is doing. They both show the same results. I did reset_after because I want the time diff to reset after a 4728 event is noticed. Then the time diff should start get counted again again on a 4729 until a 4728 event. But the command is not capturing the below events. _time MemberSid AD_Group EventCode 2022-12-16 08:30:24 wendy Executives 4728 2022-12-15 11:53:19 sara Executives 4728 2022-12-15 11:41:21 sara Executives 4729 2022-12-15 10:28:20 wendy Executives 4729 2022-12-14 15:05:58 max Executives 4728 2022-12-14 10:05:13 daniel Executives 4729 2022-12-14 08:15:46 max Executives 4729 Wendy and Max were added back over an hour later. And Daniel was never added back at all. But the command I'm using isn't picking those up. Any tips?
... View more
12-22-2022
10:00 AM
We currently have an report every morning that shows which users have been removed from a particular AD group from the previous day.
The report sometimes shows too many events. I want to modify it such that if a user has been removed from an AD group and added back in within one hour, then it would be ignored.
Here are examples below. EventCode 4729 is a user getting removed and 4728 is a user getting added.
_time
MemberSid
AD_Group
EventCode
2022-12-21 14:48:22
bob
Executives
4728
2022-12-21 12:48:22
bob
Executives
4729
This would show up in the morning report that bob was removed from the Executives group at 12:48 since its been over an hour since they were added back in.
_time
MemberSid
AD_Group
EventCode
2022-12-21 14:38:22
janice
Executives
4728
2022-12-21 13:00:22
bob
Executives
4728
2022-12-21 12:55:22
dylan
Executives
4729
2022-12-21 12:50:22
janice
Executives
4729
2022-12-21 12:48:22
bob
Executives
4729
Janice and Dylan would show up in the morning report in this case since its been over an hour that Janice was added back in and Dylan was never added back at all.
I'm not good with SPL and am having trouble with what command(s) to use so that I can achieve the above. Below is the search I currently have. The comment indicates what I'm trying to do.
index=oswinsec sourcetype="XmlWinEventLog" EventCode IN (4728,4729) Group_Name="Executives" | rename Group_Name as AD_Group | table _time, MemberSid, AD_Group, EventCode | sort by MemberSid ``` WHERE for a user, if there is eventcode 4729 and no eventcode 4728 following or eventcode 4728 over a hour later, then keep those events/results. In other words, ignore users with eventcode 4729 and eventcode 4728 within a hour apart.```
... View more
Labels
- Labels:
-
table
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-29-2024
04:19 PM
|
Karma given to
