Activity Feed
- Karma Re: How to reduce notable events that correlation search has generating? for lblystone. 04-13-2023 11:58 PM
- Karma Re: How to modify Data model n/w traffic search? for woodcock. 04-13-2023 11:47 AM
- Karma Re: How to modify Data model n/w traffic search? for woodcock. 04-13-2023 11:38 AM
- Posted Re: How to modify Data model n/w traffic search? on Knowledge Management. 04-13-2023 05:51 AM
- Posted Re: How can I exclude certain IP addresses from a query based on their presence in a lookup table? on Splunk Search. 04-13-2023 05:34 AM
- Posted Re: How can I exclude certain IP addresses from a query based on their presence in a lookup table? on Splunk Search. 04-13-2023 04:59 AM
- Posted Re: How can I exclude certain IP addresses from a query based on their presence in a lookup table? on Splunk Search. 04-13-2023 04:26 AM
- Posted How can I exclude certain IP addresses from a query based on their presence in a lookup table? on Splunk Search. 04-13-2023 03:21 AM
- Posted Re: How to modify Data model n/w traffic search? on Knowledge Management. 04-12-2023 07:15 PM
- Posted How to modify my search to data model search by adding a lookup table? on Splunk Search. 04-12-2023 11:08 AM
- Tagged How to modify my search to data model search by adding a lookup table? on Splunk Search. 04-12-2023 11:08 AM
- Posted How to modify Data model n/w traffic search? on Knowledge Management. 04-12-2023 03:44 AM
- Karma Re: Request for information on CPU information app in Splunk Enterprise Security. for VatsalJagani. 04-07-2023 09:46 PM
- Karma Re: Detecting network and port scanning using spl for gcusello. 04-06-2023 04:36 AM
- Karma Re: Detecting network and port scanning using spl for gcusello. 04-06-2023 04:36 AM
- Posted Request for information on CPU information app in Splunk Enterprise Security on Splunk Search. 04-06-2023 04:32 AM
- Posted Re: Detecting network and port scanning using spl on Splunk Search. 04-05-2023 09:43 AM
- Posted Detecting network and port scanning using SPL? on Splunk Search. 04-05-2023 08:06 AM
- Posted How to reduce notable events that correlation search has generating? on Splunk Enterprise Security. 01-05-2023 10:48 AM
- Posted Re: How do I Search for IP address hitting a Host ? on Splunk Search. 12-15-2022 12:35 AM
Topics I've Started
04-13-2023
05:51 AM
@gcusello, @ITWhisperer, @woodcock, Hi, I'm trying to write a query where the IPs from that lookup table should not match src_ip or dest_ip.

ips | comments
---|---
172.34.45.3 | Logic Scanner
127.4.35.6 | Alert Logic Scanner
123.66.78.3 | ip scanner
125.55.3.4 | firewall
15.56.3.2 | network

Here I'm looking for the scanner* IPs to not match src_ip and dest_ip. Thanks
04-13-2023
05:34 AM
@andrew_nelson, how do I exclude an IP address by CIDR in the lookup table?
04-13-2023
04:59 AM
@andrew_nelson, yup, src_ip and dest_ip is a scanner! IPs from that lookup table should not match src_ip or dest_ip.

Error in 'lookup' command: Cannot find the destination field 'src_ip_comments' in the lookup table 'addresses.csv'.

is the error.
04-13-2023
04:26 AM
@andrew_nelson, how would I be able to exclude the src_ip and dest_ip combination? Can we use *scanner* like this?

```
| where !match(comments, "*scanner*")
```

Thanks.
04-13-2023
03:21 AM
Hi, I'm looking for the search to exclude the IPs present in the lookup table:

ips | comments
---|---
142.45.2.3 | scanner
123.4.45.22 | network
123.66.33.4 | alert scanner
123.45.7.9 | cisa scanner

I'm trying to exclude the IPs with the name scanner in the comments section. Thanks
04-12-2023
07:15 PM
@woodcock, @gcusello, @ITWhisperer Hi, here I'm trying to exclude the IP addresses present in the address.csv lookup table. The lookup table looks like, e.g.:

Ips | comments
---|---
132.168.1.1 | IP scanner
125.136.235.0 | Alert scanner
146.46.53.0 | Firewall
134.56.56.3 | network

Here I want to exclude the IPs whose comments field is named like *scanner*. Thanks
04-12-2023
11:08 AM
Hi,
My task involves creating a search on the data model, i.e. Network_Traffic. Below is the base search; how could we convert it to a data model search?

```
| tstats summariesonly=t values(All_Traffic.src_ip) as src_ip, dc(All_Traffic.dest_port) as num_dest_port, values(All_Traffic.dest_port) as dest_port from datamodel=Network_Traffic by All_Traffic.dest_ip
| where num_dest_port > 100
| search NOT [| inputlookup addresses.csv | search (comments =*scanner*) | fields IP AS ALL_Traffic.src_ip | format ]
```

The part colored in red is not working as expected!!
Thanks..
- Tags: data model
- Labels: tstats
04-12-2023
03:44 AM
Hi all,
Kindly help me modify this query to the Network_Traffic data model. I have built the query:

```
index=firewall sourcetype="traffic"
| stats values(dest_port) as dest_port, values(dest_ip) as dest_ip, dc(dest_ip) as num_dest_ip, dc(dest_port) as num_dest_port by src_ip
| where (num_dest_ip > 350 and num_dest_port > 800)
```

Thanks
- Tags: splunk-search
- Labels: data model
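As an added example (not code from this thread or its answers), one way to run the port-scan search from the index query above against the Network_Traffic data model while dropping any source or destination whose address appears in addresses.csv with a comment containing "scanner". It assumes the lookup has the columns ips and comments shown in the posts, that the data model is accelerated (required by summariesonly=t), and it reuses the thresholds from the index search:

```spl
| tstats summariesonly=t count
    from datamodel=Network_Traffic
    by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port
| rename "All_Traffic.*" AS "*"
| lookup addresses.csv ips AS src_ip OUTPUT comments AS src_comment
| lookup addresses.csv ips AS dest_ip OUTPUT comments AS dest_comment
| where NOT match(coalesce(src_comment, ""), "(?i)scanner")
    AND NOT match(coalesce(dest_comment, ""), "(?i)scanner")
| stats dc(dest_ip) AS num_dest_ip, dc(dest_port) AS num_dest_port,
        values(dest_port) AS dest_port BY src_ip
| where num_dest_ip > 350 AND num_dest_port > 800
```

The OUTPUT comments AS src_comment form avoids the "Cannot find the destination field" error quoted in the thread, and match() takes a regular expression, so the pattern is (?i)scanner rather than *scanner*.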
04-06-2023
04:32 AM
Hi there!
I was wondering if there's a specific app available in Splunk Enterprise Security that can provide CPU information. Specifically, I'm interested in getting process utilization info from a Mfg server.
04-05-2023
09:43 AM
Hi @gcusello, can you make a search out of it, scanning many src_ip and many dest_ports? Thanks
04-05-2023
08:06 AM
Hi, could anyone help me with this use case? I'm trying to figure out my Alert Logic scanner use case: scanning many IPs on many ports.
- Labels: stats
01-05-2023
10:48 AM
Hi,
I have created an Advanced Threat Protection incidents correlation search which is generating notable events. How can I make it reduce the notables it is generating?
Thanks
- Labels: correlation search
12-15-2022
12:35 AM
@gcusello Hi, my use case is in the link below: https://community.splunk.com/t5/Splunk-Search/Has-anyone-implemented-whois-lookups/m-p/148090 Please help me with how to implement the same in my search. Thanks.
12-14-2022
12:47 PM
@gcusello No, my requirement is that in the output of the client IP I need its actual name, e.g. 2.58.56.101: if I search this on the ARIN site, those details of the client IP should come out in the output. Please refer to this link: https://community.splunk.com/t5/Splunk-Search/Has-anyone-implemented-whois-lookups/m-p/148092#M41391 You will get the idea. The app mentioned in the above link is not working for me, so do we have any alternative? Thanks.
12-14-2022
09:13 AM
@gcusello Could you please look into the above scenario?
12-14-2022
01:51 AM
@gcusello In the output I need a WHOIS on that IP, like the WHOIS.net URL.
12-13-2022
06:36 PM
Hi,
I have to find the IP addresses hitting the firewall, and for that I have to implement the WHOIS lookup for those IPs, but to no use: I tried the Whois app and it's not working.
Is there any way?
Thanks
- Labels: lookup
12-12-2022
04:20 AM
@richgalloway How to implement WHOIS lookups for IP addresses hitting the WAF?
12-08-2022
09:18 AM
Hi all,
I have created a dashboard incorporating a few external domains. I am receiving an error message like: the dashboard is attempting to receive content from outside of Splunk; the content URLs are not in the dashboard's trusted domains list.
Thanks..
12-06-2022
08:56 AM
Hi,
Could you help in extracting the fields from these JSON events?

sample json event 1

```
{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":[{"data":"","action":"deny","selector":"","tag":"IPBLOCK",
```

sample json event 2

```
{"type":"akamai_siem","format":"json","version":"1.0","attackData":{"rules":"tag":"IPBLOCK/ADAPTIVE/BURST" qualification(4) rate on category bucket(2,Page View Requests)),"tag":"IPBLOCK/ADAPTIVE/SUMMARY"
```

output of the new field:
IPBLOCK
BURST
SUMMARY
Thanks..
- Labels: field extraction
12-06-2022
07:55 AM
Hi @gcusello @yuanliu @ITWhisperer, my use case is that the values under ipblock/adaptive should be extracted under a new field name, including the ipblock value as well in that new field.

"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

Output under the new field name, e.g. ip_attack:
IPBLOCK
BURST
SUMMARY

Thanks.
12-06-2022
06:53 AM
@yuanliu @ITWhisperer @gcusello Hi, could you help me out to extract these fields and make the extraction global?

"tag":"IPBLOCK"
"tag":"IPBLOCK/ADAPTIVE/BURST"
"tag":"IPBLOCK/ADAPTIVE/SUMMARY"

I want to extract the parts marked in red into one new field named ip_block. Thanks.
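For the Akamai SIEM tag extraction asked about above, an added example (not from the thread or its answers) that pulls the last path segment of every tag value into a multivalue field ip_block with a regular expression over the raw event, which also copes with the second sample where the JSON is not well formed; the index and sourcetype in the base search are placeholders:

```spl
index=<your_index> sourcetype=<your_akamai_sourcetype>
| rex max_match=0 "\"tag\":\"(?:IPBLOCK/ADAPTIVE/)?(?<ip_block>[A-Z]+)\""
| eval ip_block=mvdedup(ip_block)
| table _time ip_block
```

The optional group consumes the IPBLOCK/ADAPTIVE/ prefix when present, so "tag":"IPBLOCK" yields IPBLOCK while "tag":"IPBLOCK/ADAPTIVE/BURST" yields BURST; for events that are valid JSON, `spath path=attackData.rules{}.tag` would reach the same values without a regex.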