×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
corti77
Contributor
Member since: ‎05-11-2021
‎02-18-2026
Community Statistics
Posts 108
Solutions 4
Karma Given 25
Karma Received 11
Member Since ‎05-11-2021
Activity Feed
Topics I've Started
View All

Re: how to search a exact match inside a multivalu...

by in Splunk Search
‎02-18-2026 06:54 AM
‎02-18-2026 06:54 AM
Thanks a lot. it works perfectly! ... View more

how to search a exact match inside a multivalue fi...

by in Splunk Search
‎02-18-2026 03:19 AM
‎02-18-2026 03:19 AM
Hi,  I am trying to search exact matches inside a multivalue field using the mvfind command. Unfortunately, it uses regex and if the search term is contained in a value, that it is counted. an example below. | eval _selCPE = trim(replace("cpe:/a:7-zip:7-zip,.net_core,anaconda3", "\"", "")) | eval _selCPE_mv = if(len(_selCPE)=0, null(), split(_selCPE, ",")) | where isnull(_selCPE_mv) OR mvfind(_selCPE_mv, cpe) >= 0 the cpe value "7-zip" matches and I would like to avoid that. I need to get only exact value matches. how could i achieve that? I guess I should not use mvfind... thanks   ... View more
Labels

Re: CITRIX onboard via SC4S - no events in splunk

by in Getting Data In
‎07-07-2025 07:43 AM
‎07-07-2025 07:43 AM
I just found the events in Splunk, they ended up in a different index (osnix). Any idea why the SC4S parser was not triggered? the tags indicate that SC4S correctly identify CITRIX as the logs source. thanks   ... View more

Re: CITRIX onboard via SC4S - no events in splunk

by in Getting Data In
‎07-07-2025 07:25 AM
‎07-07-2025 07:25 AM
Hi, litle update. Splunk upgrafed to 9.3.3 , SC4S upgraded to version 3.37 and Splunk Citrix add-on upgraded to 8.2.3. the issue remains, I see the CITRIX syslog packet reaching SC4S but nothing is forwarded to Splunk.   ... View more

Re: Slack Channel

by in Knowledge Management
‎05-12-2025 03:26 AM
‎05-12-2025 03:26 AM
Thanks a lot @ITWhisperer , but it seems like my account was deactivated. could you help me out to restore it? thanks     ... View more

Re: Slack Channel

by in Knowledge Management
‎05-12-2025 03:04 AM
‎05-12-2025 03:04 AM
Hi @isoutamo  is the slack channel still alive? the link you provided is not working anymore   thanks!   ... View more

Re: CITRIX onboard via SC4S - no events in splunk

by in Getting Data In
‎05-12-2025 02:12 AM
‎05-12-2025 02:12 AM
for your reference, below the syslog event received in SC4S that does not seem to trigger the parser  /etc/syslog-ng/conf.d/conflib/almost-syslog/app-almost-syslog-citrix_netscaler.conf tcpdump -n -vvv -i eth0 host 10.143.6.21 -s 0 dropped privs to tcpdump tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 11:06:40.745046 IP (tos 0x0, ttl 255, id 21289, offset 0, flags [none], proto UDP (17), length 289) 10.X.Y.Z.23350 > 192.X.Y.Z.syslog: [udp sum ok] SYSLOG, length: 261 Facility local0 (16), Severity info (6) Msg: 12/05/2025:11:06:40 host_nameXXXXX 0-PPE-1 : default TCP CONN_TERMINATE 465400 0 : Source 192.X.Y.Z:636 - Destination 10.X.Y.z:53621 - Start Time 12/05/2025:11:06:40 - End Time 12/05/2025:11:06:40 - Total_bytes_send 0 - Total_bytes_recv 1 \0x0a   any idea about how to see why it does not match? should I create some specific parser to force this trigger? thanks  ... View more

Re: CITRIX onboard via SC4S - no events in splunk

by in Getting Data In
‎05-08-2025 06:21 AM
‎05-08-2025 06:21 AM
I found some fixes added in version 3.35.1 related to Citrix.  https://github.com/splunk/splunk-connect-for-syslog/releases?page=1 So I decided to update to the latest version 3.36.0. Unfortunately, the issue remains. 😕 ... View more

CITRIX onboard via SC4S - no events in splunk

by in Getting Data In
‎05-08-2025 04:15 AM
‎05-08-2025 04:15 AM
Hi, I am running splunk standalone 8.4.1 with Citrix add-on installed 8.2.3.  Also, I have SC4S running version 3.31.0. I configured Citrix to send syslog events to SC4S, and running a tcpdump in SC4S, I see those events arriving. According to the documentation, nothing else must be done at SC4S level. https://splunk.github.io/splunk-connect-for-syslog/3.31.0/sources/vendor/Citrix/netscaler/ Unfortunately, I don't see any Citrix event in splunk. I searched in index "netfw" and also filtered by sorcetype (sourcetype="citrix*" and index=*), in both cases, no events are in there. Other events, from our firewall, are reaching splunk without any issue via the same SC4S server. So I discarded network issues. Any idea about what could be happening? any SC4S logs that I could check? thanks a lot. ... View more
Labels

Re: NetApp onboarding - audit folder/files deletio...

by in All Apps and Add-ons
‎11-27-2024 07:59 AM
‎11-27-2024 07:59 AM
Thanks for your reply @gcusello , my question was more on how to build the solution.  I found some information about configuring netapp https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/ So maybe it is a matter of configuring it like that and sending those logs via syslog to splunk? ... View more

NetApp onboarding - audit folder/files deletion

by in All Apps and Add-ons
‎11-27-2024 05:36 AM
‎11-27-2024 05:36 AM
Hi, I wonder the easiest way to monitor the deletion of files/folders in a CIFS netapp using splunk. I saw an Add-on available, could someone share any experience with this use case? I have a SC4S in place so I thought to configure syslog in NetApp to be sent to SC4S and start digging into the logs. Is there any App I could leverage to ease the pain? many thanks   ... View more
Labels

Re: Splunk Security Essentials - macro 'summarieso...

by in Splunk Enterprise Security
‎09-02-2024 08:58 AM
‎09-02-2024 08:58 AM
hi again @richgalloway , the model is accelerated and contains data.  and I use the latest version of the Microsoft add-on 8.9.0 which is CIM compliant. any other idea? many thanks   ... View more

Re: Splunk Security Essentials - macro 'summarieso...

by in Splunk Enterprise Security
‎09-02-2024 02:34 AM
‎09-02-2024 02:34 AM
Hi @richgalloway , you were right. The datamodel "Endpoint" was not properly configured, whitelisted indexers were empty. I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data. any idea of what might be happening here? Also, I created the macro "summaryonly_config" as you suggested but new errors appeared related to the other two missing macros "oldsummaries_config" and "fillnull_config". I also created these macros with a true value in both cases. that seems to solve the issue with the search, no more errors are shown. thanks   ... View more

Splunk Security Essentials - macro 'summariesonly_...

by in Splunk Enterprise Security
‎08-30-2024 03:40 AM
‎08-30-2024 03:40 AM
Hi, I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I found the same issue while trying to activate the following contents: Unknown Process Using The Kerberos Protocol Windows Steal or Forge Kerberos Tickets Klist ServicePrincipalNames Discovery with SetSPN Rubeus Command Line Parameters Mimikatz PassTheTicket CommandLine Parameters In all cases above, I get two errors:  "Must have data in data model Endpoint.Processes" is in red even though I have installed several Add-ons suggested as compatible such as Splunk Add-on for Microsoft Windows 8.9.0 Palo Alto Networks Add-on for Splunk 8.1.1 Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found.  I searched that missing macro and indeed it does not exist. Should I create it manually? With which value? Do you have any idea how to fix those two errors? Many thanks ... View more

Body always empty - Sysmon events are always in XM...

by in Security
‎06-25-2024 08:44 AM
‎06-25-2024 08:44 AM
Hi, I am runnig Splunk 9.0.9 with Splunk Add-on for Sysmon 4.0.1 and Sysmon Security Monitoring App for Splunk 4.0.13. I configured the alerts to be sent by email and I am receiving many of them (false positives thanks god). At this point I have two issues: - The field "Body" is always empty.   Reviewing the macros included in the app, they seem to be created for the non-XML sysmon events. I changed the inputs.conf from the TA-Windows-Sysmon addon without success. The events continue flowing in in XML format.     [WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = false renderXml = 0 source = WinEventLog:Microsoft-Windows-Sysmon/Operational     Did anyone face the same issue? how did you solve it? - I also would like to add an exception list of processes to reduce the amount of alerts, whitelisting some well known windows executables or tools. have anyone done that? could you tell me the approach you took? thanks a lot. I am checking other alternatives like Cyences https://splunkbase.splunk.com/app/5351. any opinion? ... View more

Re: Splunk Add-on for Sysmon - Could not load look...

by in Getting Data In
‎06-17-2024 01:31 AM
‎06-17-2024 01:31 AM
You were so right @deepakc ! Thanks a lot. I had duplicate eventcode lookups created by Microsoft Windows Defender Add-on for Splunk  and Splunk_TA_microsoft_sysmon   I just removed Defender Add-on which is not officially supported. I need to find some other with support that I guess will not generate this type of conflict. Do you have any suggestion for this ? 😉       ... View more

Splunk Add-on for Sysmon - Could not load lookup=L...

by in Getting Data In
‎06-12-2024 05:46 AM
‎06-12-2024 05:46 AM
Hi, Following the official instructions https://apps.splunk.com/apps/id/Splunk_TA_microsoft_sysmon ,  Splunk Add-on for Sysmon 4.0.0 I just deployed the addon for sysmon in my indexer, search head and deployment servers so I started to collect sysmon logs. I am running Sysmon 15.14 on the endpoints. The logs started to flow into splunk but when I do searches on the index I constantly receive the following error: [indexer.mydomain.es, mysearchhead.mydomain.es] Could not load lookup=LOOKUP-eventcode I read the information in the https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Lookups but I couldnt find the root cause. The csv are in the path indicated in the documentation. 😕 Any suggestion? many thanks       ... View more
Labels

Re: Splunk web down

by in Installation
‎05-14-2024 05:54 AM
‎05-14-2024 05:54 AM
Thanks for your reply. At the end, the solution was about to just disable the splunk light forwarder via CLI. ./splunk disable app SplunkLightForwarder after this change I restarted splunk service and it worked fine back again.    ... View more

Splunk web down

by in Installation
‎05-06-2024 08:01 AM
‎05-06-2024 08:01 AM
Hi, recently we had an issue with the LUN drive where data is stored and after fixing it, a new problem came up. splunk services starts normally but the web access does not work anymore. the output of the splunk start command is the following     \bin>splunk.exe start Splunk> Map. Reduce. Recycle. Checking prerequisites... Checking mgmt port [8089]: open Checking configuration... Done. Checking critical directories... Done Checking indexes... (skipping validation of index paths because not running as LocalSystem) Validated: _configtracker _introspection _metrics _metrics_rollup _thefishbucket anomaly_detection autek azure cim_modactions cisco citrix email eusc_apps firedalerts ftp hyper-v infraops itsi_grouped_alerts itsi_im_meta itsi_im_metrics itsi_import_objects itsi_notable_archive itsi_notable_audit itsi_summary itsi_summary_metrics itsi_tracked_alerts kubernetes metrics_sc4s msad msexchange netauth netfw netops netproxy os osnix pan_logs perfmon rancher_k8sca rancher_k8scc rancher_k8scs rancherprod sample snmptrapd sns symantec sysmon test thor windefender windows wineventlog winevents Done Bypassing local license checks since this instance is configured with a remote license master. Checking filesystem compatibility... Done Checking conf files for problems... Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. One or more regexes in your configuration are not valid. For details, please see btool.log or directly above. Done Checking default conf files for edits... Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-9.0.8-4fb5067d40d2-windows-64-manifest' All installed files intact. Done All preliminary checks passed. Starting splunk server daemon (splunkd)... Splunkd: Starting (pid 38432) Done     extract of btool.log      05-06-2024 11:07:35.039 WARN ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1014 05-06-2024 11:17:25.445 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 11:17:25.445 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 13:00:58.310 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 13:00:58.310 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 13:00:58.373 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. 05-06-2024 13:19:36.176 WARN ConfMetrics - single_action=BASE_INITIALIZE took wallclock_ms=1234 05-06-2024 14:44:42.912 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 14:44:42.912 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 14:44:42.975 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. 05-06-2024 14:44:51.022 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 14:44:51.022 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 14:44:51.084 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. 05-06-2024 16:36:21.051 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 16:36:21.051 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 16:36:21.114 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. 05-06-2024 16:36:29.661 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 16:36:29.661 WARN IConfCache - Stanza has an expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-ClientAccess\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1], ignoring alternate expansion [script://C:\Program Files\Splunk\etc\apps\TA-Exchange-Mailbox\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1] in inputs.conf 05-06-2024 16:36:29.723 WARN btool-support - Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.       I already checked the /etc/system/local/web.conf and everything seems fine.     [settings] enableSplunkWebSSL = 1 httpport = 443     system/default/web.conf     [default] [settings] # enable/disable the appserver startwebserver = 1 # First party apps: splunk_dashboard_app_name = splunk-dashboard-studio # enable/disable splunk dashboard app feature enable_splunk_dashboard_app_feature = true # port number tag is missing or 0 the server will NOT start an http listener # this is the port used for both SSL and non-SSL (we only have 1 port now). httpport = 8000 # this determines whether to start SplunkWeb in http or https. enableSplunkWebSSL = false # location of splunkd; don't include http[s]:// in this anymore. mgmtHostPort = 127.0.0.1:8089 # list of ports to start python application servers on (although usually # one port is enough) # # In the past a special value of "0" could be passed here to disable # the modern UI appserver infrastructure, but that is no longer supported. appServerPorts = 8065     any suggestion? many thanks. jose ... View more
Labels

Re: Failed to start KV store

by in Knowledge Management
‎05-06-2024 12:20 AM
‎05-06-2024 12:20 AM
just voted, thanks a lot   ... View more

Failed to start KV store

by in Knowledge Management
‎04-30-2024 04:33 PM
‎04-30-2024 04:33 PM
Hi, I run splunk 9.0.8 and after an issue with our storage (LUN full). I had to full scan the disk and successfully repaired the filesystem. splunk starts now but there is a persistent error with the KV store. the status is the following: show kvstore-status This member: backupRestoreStatus : Ready disabled : 0 guid : E59FAAA8-D66A-498E-8DDF-0F5C29866F95 port : 8191 standalone : 1 status : failed storageEngine : wiredTiger Any suggestion on how could get an operational status? many thanks. Jose ... View more
Labels

Re: How to detect missing logs from any host domai...

by in Alerting
‎04-04-2024 06:54 AM
‎04-04-2024 06:54 AM
Thanks a lot @gcusello ! I just created a search to create that CSV used in your query. | ldapsearch domain=default search="(objectClass=computer)" | table name | rename name as host | outputlookup append=false monitored_hosts.csv and I run your query using the monitored_hosts.csv. It works flawless! thanks once again.   ... View more

How to detect missing logs from any host domain jo...

by in Alerting
‎04-04-2024 05:53 AM
‎04-04-2024 05:53 AM
Hi, By chance, I discovered that a power user with admin rights disabled sysmon agent and splunk forwarder on his computer to gain some extra CPU for his daily tasks. To react quicker to this type of "issue" in the future, I would like to have some alerts in splunk informing me whenever any host, initially domain joined workstations and servers, might have stopped reporting events. Did someone implement something like this already? any good article to follow? I plan to create a lookup table using ldapsearch and then, an alert detecting which hosts from that table are not present in a basic listing host search on sysmon index for example. Any other better or simpler approach?   many thanks ... View more
Labels

403 accessing Defender Endpoint logs (evidence and...

by in All Apps and Add-ons
‎12-18-2023 01:40 AM
1 Karma
‎12-18-2023 01:40 AM
1 Karma
Hi, Running Splunk 9.0.7 and addon Splunk_TA_MS_Security version 2.1.1. I followed the instructions from the addon https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configure and reviewed from Microsoft article  https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide Basically I created an App Registration in our Azure tenant, add the following permissions and created a secret   with all this, I followed the Microsot article and run the powershell scripts to test the connection and the token I obtain only gets a single permission.     could someone tell me what I am doing wrong? I expected to get all the permissions assigned to the application and I think that is why I get the 403 error in the splunkd.log. 12-17-2023 13:14:32.037 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_defender_endpoint_atp_alerts.py"" 403 Client Error: Forbidden for url: https://api-eu.securitycenter.microsoft.com/api/alerts?$expand=evidence&$filter=lastUpdateTime+gt+2023-11-17T12:14:31Z 12-17-2023 13:17:38.251 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_365_defender_endpoint_incidents.py"" 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2023-11-17T12:17:31Z   thanks   ... View more

Sysmon Add-on - lookup eventcode not processed cor...

by in All Apps and Add-ons
‎11-20-2023 04:16 AM
‎11-20-2023 04:16 AM
hi, I have splunk 9.0.6 and sysmon add-on 3.1.0.  The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in Splunk Lookup Table Files list.   But, in the automatic lookup, the Lookup-eventcode is wrongly assigned to "eventcode" lookup instead of "sysmon_eventcode".   Searching for this "eventcode" lookup, it belongs to the app Defender.   Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup".   Do you have any idea what might be happening? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-18-2026 01:01 AM
Karma from
Karma given to