Activity Feed
- Posted Re: Is it possible to make it mandatory to assign Owner to Notable Events in ES? on Splunk Enterprise Security. 11-28-2024 07:40 AM
- Karma Re: Is it possible to make it mandatory to assign Owner to Notable Events in ES? for meetmshah. 11-28-2024 07:39 AM
- Posted Is it possible to make it mandatory to assign Owner to Notable Events in ES? on Splunk Enterprise Security. 11-12-2024 03:58 AM
- Tagged Is it possible to make it mandatory to assign Owner to Notable Events in ES? on Splunk Enterprise Security. 11-12-2024 03:58 AM
- Karma Re: Is it possible to make it mandatory to assign Dispositions to Notable Events in ES? for meetmshah. 11-12-2024 01:16 AM
- Karma Re: How to get the Audit for Lookup files modification using the Lookup File Editor App? for LukeMurphey. 03-25-2024 05:30 AM
- Karma How to use proxy server to relay the traffic for the onprem federated search head to a Splunk Cloud instance? for season88481. 02-12-2024 05:23 AM
- Karma Having issues with Splunk Add-on for Sysmon: CIM Mapping for OliverE. 11-04-2022 03:48 AM
- Posted Splunk issue to display some special characters in the stats table? on Splunk Enterprise. 09-22-2022 03:41 AM
- Tagged Splunk issue to display some special characters in the stats table? on Splunk Enterprise. 09-22-2022 03:41 AM
- Karma Re: Microsoft Office 365 Reporting Add-on for Splunk is affected by stop supporting and retire Basic Authentication for for jconger. 08-01-2022 11:49 PM
- Karma Re: Microsoft Office 365 Reporting Add-on for Splunk is affected by stop supporting and retire Basic Authentication for for jconger. 07-25-2022 11:54 PM
- Posted Re: Microsoft Office 365 Reporting Add-on for Splunk is affected by stop supporting and retire Basic Authentication for on All Apps and Add-ons. 07-25-2022 06:27 AM
- Posted Re: Microsoft Office 365 Reporting Add-on for Splunk is affected by stop supporting and retire Basic Authentication for on All Apps and Add-ons. 06-30-2022 08:36 AM
Topics I've Started
11-28-2024
07:40 AM
Thank you very much for your answer!
11-12-2024
03:58 AM
Hello,

In Splunk Enterprise Security we would like to make it mandatory to define a notable owner to be able to close a notable. We would like to avoid having closed notables without an assignee/owner. Is there a way in Splunk Enterprise Security to make the owner required to close a notable?

Thank you very much in advance. Happy Splunking.

Raphael

Labels: incident review, notable event
09-22-2022
03:41 AM
Hello Splunkers,
I need your help to understand and to solve an issue we discovered with Splunk. This issue seems to be a limitation or a bug of Splunk Enterprise. We work with Microsoft Sysmon data, and sometimes we have events with the value of a command executed in a prompt. Splunk reports the exact value of the command executed in the raw event:
And the value extracted by Splunk for the field CommandLine is the following:
However, when I want to display the CommandLine field in a table or a stats table, then I get that. See the last row of the table for our CommandLine example:
Splunk replaces my quotes by HTML-encoded characters in the table. However, the strange thing is that Splunk does not replace special characters by HTML characters every time; Splunk only replaces the special characters by HTML characters for some commands executed. Just check the examples below to understand the issue:
Depending on whether we use some texts that Splunk seems not to like or not, Splunk will encode my special characters in the table or not. The texts in the command executed that generate the Splunk HTML encoding in table or stats are the following:
<script>
or
vbsscript:
or
javascript:
Otherwise, if I put another text in the command like "blablascript:" or "script:", I do not have the issue. Could someone please help us to understand where this issue may come from? Is it a Splunk limitation/bug or just something that we need to configure somewhere?
Many thanks to you in advance.
07-25-2022
06:27 AM
Hello @jconger, according to this blog post from Microsoft Office from June 30th: https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-client-credentials-flow-support-for-pop-and/ba-p/3562963 it should be possible from now on to retrieve email data from Exchange Online through OAuth by using an application permission instead of a user permission.
06-30-2022
08:36 AM
Have you received feedback from Microsoft on OAuth support? Thank you.
01-21-2022
07:50 AM
I relaunch this really important discussion about the Microsoft Office 365 Reporting Add-on for Splunk, which must upgrade to Modern Authentication, as Microsoft has announced that Basic Authentication will be deprecated. Indeed, in the last post of Microsoft on that topic, published on Feb 04 2021: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210 they announced: "Today, we are announcing that, effective October 1, 2022, we will begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth." So, within a few months this Add-on will be out of service because it only uses Basic Authentication to connect and to retrieve Message Trace logs from MS Exchange Online. I agree we have the Splunk Add-on for Microsoft Office 365 that retrieves some useful audit data, but unfortunately it cannot collect Message Trace data as the Microsoft Office 365 Reporting Add-on does. We already have 2 Splunk Ideas on that subject: https://ideas.splunk.com/ideas/APPSID-I-70 https://ideas.splunk.com/ideas/APPSID-I-27 Those evolutions are planned, but they should be ongoing because the evolution to Modern Authentication is necessary today. I am asking Splunk corporation and the developers of these Add-ons: what is the situation on that subject? Do you have a solution to provide to Splunk customers that would like to continue to get Message Trace logs for security monitoring? @abalogh_splunk @jconger @Anonymous
01-18-2022
05:11 AM
Me too, I got the same issue. I believe the point is discussed here: https://github.com/NDietrich/CyberChef-for-Splunk/issues/12