Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About cyberfan
cyberfan
Explorer
Member since:
08-02-2020
10-06-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 08-02-2020 |
Activity Feed
- Posted Re: search for net-logon with less false positive on Splunk Search. 10-05-2020 02:00 AM
- Got Karma for benefits of using search command. 10-04-2020 08:00 AM
- Posted benefits of using search command on Splunk Search. 10-04-2020 07:44 AM
- Posted web event start time, splunk record time and endtime in http stream data on Splunk Search. 10-04-2020 02:45 AM
- Posted first packet recorded of the reconnaissance on Splunk Search. 10-02-2020 08:31 AM
- Posted identify scanner and malicious domain on Splunk Search. 10-02-2020 02:32 AM
- Posted Re: multiple event code search on Splunk Search. 09-30-2020 08:45 PM
- Tagged Re: multiple event code search on Splunk Search. 09-30-2020 08:45 PM
- Posted multiple event code search on Splunk Search. 09-30-2020 06:18 AM
- Posted Re: search for net-logon with less false positive on Splunk Search. 09-22-2020 02:06 AM
- Tagged Re: search for net-logon with less false positive on Splunk Search. 09-22-2020 02:06 AM
- Posted search for net-logon with less false positive on Splunk Search. 09-21-2020 11:44 PM
- Tagged search for net-logon with less false positive on Splunk Search. 09-21-2020 11:44 PM
- Posted search for script launched on Splunk Search. 08-02-2020 01:15 AM
- Posted search events from txt on Splunk Search. 08-02-2020 01:11 AM
- Tagged search events from txt on Splunk Search. 08-02-2020 01:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-05-2020
02:00 AM
Hi, we patch the AD server Aug.11 monthly rollup, we test the exploit, the exploit is not successful , but no 5827-5831 event is generated, do I need to setup windows server, so these event code will be generated
... View more
10-04-2020
07:44 AM
1 Karma
Hi, any one knows the benefits of search command? search src="10.9.165.*" and src_ip="10.9.165.*" , any difference?
... View more
Labels
- Labels:
-
fields
10-04-2020
02:45 AM
Given free sample http stream data download from splunk website. I got two questions with start time, record time and endtime. (1). is "_time" the recorded time by splunk index? how to output as "H:MM:SS" format. and "HH:MM:SS" format respectfully? example, 18:27.36.257, HH:MM:SS will be 18:27:36, H:MM:SS will be 6:27:36 (2), say, user enter hacker.com/a.js in chrome at 18:27:36, at 18:27:50, a.js start loading, 18:28:59, a.js finished execution, would splunk index capture start time, record time, endtime? what are the fields? thanks
... View more
Labels
- Labels:
-
field extraction
-
fields
10-02-2020
08:31 AM
any idea to write the query to capture the first packet recorded of the reconnaissance from the vulnerability scanner
... View more
Labels
- Labels:
-
eval
10-02-2020
02:32 AM
For example, My ip is 202.101.53.4, I want to identify what are the domains sent me the most number of packets (most frequently), what will be the query look like? I want to know the domain who sent me the most number of traffics, what would be the query look like? I want to know the vulnerability scanner the malicious domain is using for reconaissance, which filed I can get info from splunk?
... View more
Labels
- Labels:
-
stats
09-30-2020
08:45 PM
Hi Ri, Thanks, but the OR condition does not mean the chain of events happen at short time interval, say less than 0.05 seconds, right? also I want sam account="abc" in event 4741 and sid="xyz" in event 4743, do you suggest " (event id=4741 and sam="abc") or (event id=4743 and sid="xyz") then count>2?
... View more
- Tags:
- hi
09-30-2020
06:18 AM
we want to detect the multiple events together, for example, we want to find out those events which have event 4741 and event 4743 happen together. scenario 1: at certain time (2020.3.20 18:00:00) both 4741 and 4743 happen together Scenario2: the interval between 4741 and 4743 is short (less than 2 second) how to define SPL for these two scenarios, do we need correlation search?
... View more
Labels
- Labels:
-
join
09-22-2020
02:06 AM
Hi, thanks, but we did not incorporate windows Event into splunk, how to detect ?
... View more
- Tags:
- r
09-21-2020
11:44 PM
we want to check any zero-logon exploit in the environment, is there splunk search available? how to detect malicious rpc connection? thanks
... View more
- Tags:
- cve20201472
Labels
- Labels:
-
fields
08-02-2020
01:15 AM
there are some malware enabled by word Macro and run VB script to communicate to outside. I want to find out what are the hosts open word document, VB script is executed (I don't know the word file name), any search can help? thanks
... View more
Labels
- Labels:
-
subsearch
08-02-2020
01:11 AM
I have one txt file, only one column, the txt file has around 60 SHA-256 hashes. these hashes are from malicious files. I want to search the system any hosts associated with these hashes, what would be the search string I need to pass to splunk? thanks
... View more
- Tags:
- hash
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-06-2020
12:16 PM
|
