I need your help to understand and to solve an issue we discovered with Splunk. This issue seems to be a limitation or a bug of Splunk Enterprise : We work with microsoft sysmon data, and sometimes we have events with the value of a command executed in prompt. Splunk reports the exact value of the command executed in the raw event :
And the value extracted by Splunk for the field CommandLine is the following :
However, when I want to display the CommandLine field in a table or a stats table, then I get that. See the last row of the table for our CommandLine example :
Splunk replaces my quotes by HTML encoded charactersin the table. However, the strange thing is not that Splunk replaces everytime special characters by HTML character, Splunk only replaces the special character by HTML characters for some commands executed. Just check the examples below to understand the issue :
Depending on whether we use some texts that Splunk seems to do not like or not, Splunk will encode my special characters in the table or not. The texts in the command executed, that generates the Splunk HTML encoding in table or stats are the followings :
Otherwise, if I put another text, in the command like "blablascript:" or "script:" I do not have the issue. Could someone please help us to understand from where this issue may come ? Is it a Splunk limitation/bug or just something that we need to configure somewhere ?
Great Thanks to you by advance.
... View more
Hello @jconger , According to this blog post from Microsoft Office from june 30th : https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-client-credentials-flow-support-for-pop-and/ba-p/3562963 It should be possible from now to retrieve Email data from Exchange Online through Oauth by using an Application permission instead of an user permission.
... View more
I relaunch this really important discussion about Microsoft Office 365 Reporting Add-on for Splunk that must upgrade to Modern Authentication, as Microsoft company has announced that Basic Authentication will be deprecated. Indeed in the last post of Microsoft on that topic Published on Feb 04 2021 : https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210 They announced : "Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth." So, within few months this Add-On will be out of service because It only uses Basic Authentication to connect and to retrieve Message Trace logs from MS Exchange Online. I agree we have the Splunk Add-on for Microsoft Office 365 that retrieve some useful audit data, but unfortunately It cannot collect Message Trace data as the Microsoft Office 365 Reporting Add-on does. We already have 2 Splunk Ideas on that subjet : https://ideas.splunk.com/ideas/APPSID-I-70 https://ideas.splunk.com/ideas/APPSID-I-27 Those evolution are planned, but they should be on going because the evolution to Modern Authentication is today necessary. I am asking to Splunk corporation and to the developers of these Add-Ons, what is the situation on that subject ? Do you have a solution to provide to Splunk customers that would like to continue to get Mesage Trace logs for security monitoring ? @abalogh_splunk @jconger @lukenetto
... View more