Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About Araton71
Araton71
Loves-to-Learn
Member since:
06-06-2023
2 weeks ago
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-06-2023 |
Activity Feed
- Posted SOLVED: KEYCLOAK SAML issue on Security. 2 weeks ago
- Posted KEYCLOAK SAML issue on Security. 2 weeks ago
- Tagged KEYCLOAK SAML issue on Security. 2 weeks ago
- Posted Re: Blacklisting specific events on Universal Forwarder on Getting Data In. 08-30-2024 03:17 AM
- Posted Re: Error while adding new license : failed to parse license because on Installation. 07-11-2023 12:14 AM
- Posted Re: Analytic Story: Domain Account Discovery With Net App on Splunk Enterprise Security. 06-07-2023 01:01 AM
- Posted Analytic Story: Domain Account Discovery With Net App? on Splunk Enterprise Security. 06-06-2023 06:20 AM
- Tagged Analytic Story: Domain Account Discovery With Net App? on Splunk Enterprise Security. 06-06-2023 06:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
2 weeks ago
On UI SAML Configuration ALIAS check must be tick and in role alias filed it needs to add same value setted in keycloak and in authentication.conf [authenticationResponseAttrMap_SAML] role = groups
... View more
2 weeks ago
I've configured my splunk enterprise to get saml login with keycloak. [authentication] authSettings = saml authType = SAML [saml] blacklistedAutoMappedRoles = admin,power caCertFile = /opt/splunk/etc/auth/cacert.pem cacheSAMLUserInfotoDisk = false clientCert = /opt/splunk/etc/auth/server.pem enableAutoMappedRoles = true entityId = https://homesoc.tester.local excludedAutoMappedRoles = admin,power fqdn = https://itpghomesoc03 idpCertExpirationCheckInterval = 86400s idpCertExpirationWarningDays = 90 idpCertPath = idpCert.pem idpSLOUrl = https://www.tester.net/realms/tester/protocol/saml idpSSOUrl = https://www.tester.net/realms/tester/protocol/saml inboundDigestMethod = SHA1;SHA256;SHA384;SHA512 inboundSignatureAlgorithm = RSA-SHA1;RSA-SHA256;RSA-SHA384;RSA-SHA512 issuerId = https://www.tester.net/realms/tester lockRoleToFullDN = true redirectPort = 8000 replicateCertificates = true saml_negative_cache_timeout = 3600 scimEnabled = false signAuthnRequest = false signatureAlgorithm = RSA-SHA256 signatureRawPubKey = false signedAssertion = true sloBinding = HTTP-POST sslPassword = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssoBinding = HTTP-REDIRECT [roleMap_SAML] admin = splunk-admin but I have following error when try to login Saml response does not contain group information. In splunkd.log 05-20-2026 09:24:47.181 +0200 ERROR Saml [2814333 webui] - No value found in SamlResponse for match key=saml:AttributeStatement/saml:Attribute attrName=role err=No nodes found for xpath=saml:AttributeStatement/saml:Attribute What is missing ?
... View more
- Tags:
- keycloak
Labels
- Labels:
-
SAML
08-30-2024
03:17 AM
I used
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
blacklist1 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
start_from = oldest
but it stops all 4688, like not process other information
... View more
07-11-2023
12:14 AM
I've the same error When we generated NFR , it's impossible to modify expiration date, and now we can't generate a new one Already opened a support case
... View more
06-07-2023
01:01 AM
Datamodel Endpoint has data inside, but it seems that only from security logs not from sysmon. How can implement?
... View more
06-06-2023
06:20 AM
I'm a newbe and I try to configure Security Essential to search "net user /DOMAIN" discovery on my AD server.
I've installed an UniversalForwarder into AD with sysmon and configured input.conf with following entries
[WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest
[WinEventLog://Microsoft-Windows-Sysmon/Operational] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest
If I run a simple search using index=* "net.exe" AND " user*" AND "*/do*"
I get result from source WinEventLog:Microsoft-Windows-Sysmon/Operational
while If I use Analytic Story: Domain Account Discovery With Net App that use datamodel Endpoint, no events returned. It seems that event in data model are only from source WinEventLog:Security
What I miss ?
... View more
- Tags:
- Security Essential
Labels
- Labels:
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
