Hello, I need to monitor some critical devices (stored in a lookup file) connected to the Crowdstrike console, in particular if they will be disconnected from it. We receive one event every 2 hours for each device from Crowdstrike device json input in Splunk, so basically if after 2 hours there is not the new event, the alert should trigger reporting the hostname. Has anyone some idea for implementing this? ... View more

Hello, I'm trying to write a Splunk search for detecting unusual behavior in emails sending, here is the spl query: | tstats summariesonly=true fillnull_value="N/D" dc(All_Email.internal_message_id) as total_emails from datamodel=Email where (All_Email.action="quarantined" OR All_Email.action="delivered") AND NOT [| `email_whitelist_generic`] by All_Email.src_user, All_Email.subject, All_Email.action | `drop_dm_object_name("All_Email")` | eventstats sum(eval(if(action="quarantined", count, 0))) as quarantined_count_peruser, sum(eval(if(action="delivered", count, 0))) as delivered_count_peruser by src_user, subject | where total_emails>50 AND quarantined_count_peruser>10 AND delivered_count_peruser>0 I want to count the number of quarantined emails and the delivered ones only and than filter them for some threshold, but it seems that the eventstats command is not working as expected. I already used this logic for authentication searches and it's working fine. Any help? ... View more

Hello, I need to monitor two different types of events for some servers, the authentication events (4624,4634,4625) for the admin users and some Event ID related to change events (5145,4663,4659) for a specific path. Baiscally I created a server class for the inputs.conf deployment, adding this: ###### OS Logs ###### [WinEventLog://Security] disabled = 0 index = windows_tmp followTail=true start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)) renderXml=false     I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems working fine, but in Splunk I'm receiving all the events as the whitelist is not applied. Am I missing something?     ... View more

Hello, I have a standalone Splunk Enterprise 9.1.3 instance with some DCs and servers connected to it using Forwarder Management console. At the moment I have 2 server classes configured, 1 for the DCs and the other one for the servers. The server class for the DCs includes only the inputs.conf file for Windows logs: [WinEventLog://Security] disabled = 0 index = myindex followTail=true start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 whitelist = 4624,4634,4625,4728,4729 renderXml=false Moreover, in the Splunk Enterprise I configured 2 transforms for splitting the logs in two separeted indexes, like this: props.conf: [WinEventLog:Security] TRANSFORMS-security = rewrite_ad_group_management, rewrite_index_adm transforms.conf: [rewrite_ad_group_management] REGEX = EventCode=(4728|4729) DEST_KEY = _MetaData:Index FORMAT = index1 [rewrite_index_adm] REGEX = Account Name:\s+.*\.adm DEST_KEY = _MetaData:Index FORMAT = index2 In particular, the goal is to forward the authentication events (4624,4634,4625) for only admin users (Account Name:\s+.*\.adm) in index2 and only EventCode 4728 and 4729 in index1, and the events that not match none transform should remain in myindex. At the moment the first transform is not working, so I'm receiving Events 4728 and 4729 in index2, am I missing something or there is a better logic to do that? I tried to combine also 4624,4634,4625 and Account Name:\s+.*\.adm with  (?ms)EventCode=(4624|4634|4625)\X*Account Name:\s+.*\.adm Thanks in advance ... View more

Hello, I have to migrate from an old Splunk standalone instance (version 6.4) to a new one. Is it possible to use in the new instance the same license currently used in the old one in production? Is there anything I need to pay attention to? Thank you in advance! ... View more

Hi, I have different mails in my logs and I need to filter them in order to distinguish real users from technical users. I noticed that real users have an email like name.surname@company.com, so I would like to extract these emails matching "anycharacter.anycharacter@any" because in some case it could be possible to have an email with numbers (ex. name.surname1@company.com). Thank you in advance! ... View more

Hi all, I need to extract some fields for authentication events from different log types, here below some example: LOG1 : AddSenaoLog%Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG2 : AddSenaoLog%Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-CITYLIFE) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG3 %Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG4 %Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) As you can see in some case (LOG2 and LOG4) in the first parenthesis I have only the MAC address, in other cases (LOG1 and LOG3) I have both the IP and the MAC address, so I need to extract this two information (or only the MAC if the IP is missig as for LOG2 and LOG4) when I have "joins" in the logs. Thanks in advance! ... View more

Hi All, I have the following saved search: | tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [|`change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, _time | `drop_dm_object_name("All_Changes")` | rename Account_Management.src_user as src_user My customer asked to me to exclude results when Account_Management.src_user=user1 and All_Changes.Account_Management.src_nt_domain=All_Changes.Account_Management.dest_nt_domain. So I tried something like that but it seems not working:   | tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [| `change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, All_Changes.Account_Management.dest_nt_domain, All_Changes.Account_Management.src_nt_domain, _time | `drop_dm_object_name("All_Changes")` | search NOT (Account_Management.src_user=user1 AND Account_Management.src_nt_domain=Account_Management.dest_nt_domain) | rename Account_Management.src_user as src_user Have you any advice?   Thank you! ... View more