Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About btiggemann
btiggemann
Path Finder
Member since:
11-08-2011
06-05-2020
Community Statistics
| Posts | 37 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 7 |
| Member Since | 11-08-2011 |
Activity Feed
- Got Karma for Re: How to create a search that will trigger an alert when the count is zero?. 03-29-2022 09:06 PM
- Karma Re: Is it possible to get accounting data with Splunk Add-on for CP OPSEC LEA? for mnatkin_splunk. 06-05-2020 12:48 AM
- Karma Re: Is it possible to get accounting data with Splunk Add-on for CP OPSEC LEA? for mnatkin_splunk. 06-05-2020 12:48 AM
- Karma Re: Why is the timestamp not recognized for one particular event from our Microsoft TMG Proxy Logs? for tom_frotscher. 06-05-2020 12:47 AM
- Karma Re: Is there any problem with running Splunk for Enterprise Security on Windows? for tkiss. 06-05-2020 12:47 AM
- Karma Re: Is there any problem with running Splunk for Enterprise Security on Windows? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Compare if an event in different sourcetypes has the same values for a combination of fields for lguinn2. 06-05-2020 12:47 AM
- Karma How do I remove "missing" forwarders from Splunk Deployment Monitor 4.3.1? for Cagey. 06-05-2020 12:47 AM
- Karma Re: Why am I getting "Splunk Enterprise setup wizard ended prematurely..." trying to upgrade to Splunk 6.2 on Windows 7 64 bit? for jdastmalchi_spl. 06-05-2020 12:47 AM
- Karma Re: How to create tickets to an external ticketing system for incidents from Incident Review of Splunk Enterprise Security for smoir_splunk. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk Add-on for Check Point OPSEC LEA: Why is the same data indexed multiple times?. 06-05-2020 12:47 AM
- Got Karma for Compare if an event in different sourcetypes has the same values for a combination of fields. 06-05-2020 12:47 AM
- Got Karma for How is the index=threat_activity filled up with data in splunk Enterprise Security (ES)? How can I add an additional field to it?. 06-05-2020 12:47 AM
- Got Karma for Is the collection script for the Splunk Add-on for Check Point OPSEC LEA just pulling the log files or is it pulling events over an API directly?. 06-05-2020 12:47 AM
- Got Karma for Re: Is the collection script for the Splunk Add-on for Check Point OPSEC LEA just pulling the log files or is it pulling events over an API directly?. 06-05-2020 12:47 AM
- Got Karma for Re: Is the collection script for the Splunk Add-on for Check Point OPSEC LEA just pulling the log files or is it pulling events over an API directly?. 06-05-2020 12:47 AM
- Karma Re: Indexing Kaspersky Logs for jeandez. 06-05-2020 12:46 AM
- Karma Re: Perfmon on Exchange App is not working: What does "unable to add counter" mean? for ahall_splunk. 06-05-2020 12:46 AM
- Karma Re: Perfmon on Exchange App is not working: What does "unable to add counter" mean? for ahall_splunk. 06-05-2020 12:46 AM
- Karma Re: Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run? for gkanapathy. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
09-04-2018
02:20 PM
Does anyone has an information about if a newer version of DB Connect will Support Windows2016?
If yes, when will it be released?
We have tried to use DB Connect 3.1.3 on Windows 2016, it will not work at all.
... View more
05-04-2017
01:51 PM
1 Karma
Ah yes,
that's what I have tried to tell you.
Just a short explanation of the inputs:
Audit = only everything audit related. Like admin user logon logoff, policy changes etc.
Firewall events = Everything that a firewall rule can log, for example eventlog for each rule, every time a session is opened
I am not sure, if this input also includes vpn events.
Smart defense = everything IPS related
Non-Audit = This includes every input that is NOT audit. So if you enable this input, this will collect Firewall Events and Smart Defense events.
That's why you get the duplicates.
To solve your problem please try to:
1. just enable Audit and Non-Audit and you will get every event only once
It is also possible to disable Non-Audit and keep Smart Defeinse and Firewall events enabled.
I am not sure if something is missing then.
... View more
05-04-2017
09:49 AM
Hi,
we have updated to the most recent version of TA opsec and everything works fine now.
What kind of imports are you using? Be sure to just use non_audit and audit to catch all events. If you use the input vpn and non_audit you will index all vpn events twice
... View more
03-06-2017
10:14 AM
Hi Splunkerz,
we get this request quite often.
Some hosting companies or service provider are running a multi-tenant Microsoft Active Directory.
They are using the same DC's for multiple companies with in the same Active Directory.
For example they have two DC's that are used by Company A and Company B in one global domain called serviceprovider.local .
There are two subdomains like companyb.serviceprovider.local and so on.
But all the administration and operation is done by a service provider.
Now the service provider will offer those two companies some reports with Splunk.
Maybe they should be able to their own search head instance to do this by themselves.
Is there a way to separate the WinEventLog:Security information in an special index per customer?
I am totally aware about the routing and filtering function in Splunk.
If I have a clear filter criteria like the subdomain this will be possible. But this is not the case.
What about WMI? I know this is not best practice but can I separate the logs there?
Does anybody solved this problem already?
... View more
01-23-2017
02:48 PM
Hi,
I am now looking for the same thing like you did a long time ago.
I want to find out which hosts have been added to Splunk in 2016, just to do a documentation of our data onboarding process.
My idea was something like this:
| metadata type=sourcetypes |convert ctime(firstTime) AS input_time |convert ctime(lastTime) AS last_event_time |where firstTime>1451606400 AND firstTime<1483228800
Is the metadata affected by the retention policy of an index?
For example retention time is set to 180days so firstTime will not be older than 180d max?
I checked this, some sourcetypes have events that are older than 2015. But the oldest/earliest event of sourcetype=opsec is just 10 days ago but we did the data input at the beginning of 2016.
Are there some reasons why |metadata would not work always?
... View more
01-20-2017
10:08 AM
Hi, thanks for taking the time to give a detailed answer.
We will now use a different approach using powershell with the AD module to get this information out of AD.
... View more
01-20-2017
10:00 AM
2 Karma
I have done some research at this topic...
What the OPSEC TA will do:
It will run a script that may is referencing to the internal log files stored at the disk or it will pull everything with the special 'fw log' command.
But that doesn't matter at all. Because the information that is stored in the log files are csv based and compared to the OPSEC TA data, most of the fields in the log files are missing.
Here is an example:
The log file on the Check Point management server is CSV based, there is no overhead from writing key value pairs in the event. Writing key=value in each event will increase the log volume.
Lots of information are missing in the log file, as you can see, the data from the OPSEC TA script is enricht with some additional fields. Thats the second point that causes more log volume.
At the end these two things are the reason why there is such a big difference between the size of log files on the disk of the CP Smart Center and those generated via TA OPSEC.
It will definitely be helpful if TA OPSEC will provide a delimiter based event structure just to save some volume.
But at the other hand I have heard that Check Point will offer Syslog funtionality in the future and the whole OPSEC thing will be obsolete.
If you are good at coding, you can change the TA OPSEC script to generate a shorter delimiter based format as well.
... View more
01-20-2017
09:11 AM
Hi KR,
I can write down what I have found out in my research.
You can have a look in a few minutes.
best regards
Benjamin
... View more
01-05-2017
10:17 AM
Hi Splunkers,
I am struggling a little bit with the documentation of the Active Directory Monitoring input of Splunk Add-on for Microsoft Windows.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorActiveDirectory
admon generates an event if there was a change on an AD object like for example a user. This is what the docs says:
When an AD object changes, Splunk
generates an update event.
But what does that mean exactly? Is the update event only generated, if there was a change of a group membership of a user or if somebody has changed his phone number? Or is an event generated even if the user just logs in to a system?
If you look to the sample log, there is a field called last logon, in my idea, if the last logon is changed, there will be a new event from admon. Am I right?
2/1/10
3:17:18.009 PM
02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
objectCategory=CN=Computer,CN=Schema,CN=Configuration
name=stuff2
displayName=stuff2
distinguishedName=CN=stuff2,CN=Computers
Object Details:
sAMAccountType=805306369
sAMAccountName=stuff2
logonCount=4216
accountExpires=9223372036854775807
objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
primaryGroupID=515
pwdLastSet=06:30:13 pm, Sat 11/27/2010
lastLogon=06:19:43 am, Sun 11/28/2010
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4096
objectGUID=blah
whenChanged=01:02.11 am, Thu 01/28/2010
whenCreated=05:29.50 pm, Tue 11/25/2008
objectClass=top|person|organizationalPerson|user|computer
Event Details:
uSNChanged=2921916
uSNCreated=1679623
instanceType=4
Additional Details:
isCriticalSystemObject=FALSE
servicePrincipalName=TERMSRV/stuff2|TERMSRV blah
dNSHostName=stuff2.splunk.com
operatingSystemServicePack=Service Pack 2
operatingSystemVersion=6.0 (6002)
operatingSystem=Windows Vista? Ultimate
localPolicyFlags=0
... View more
11-25-2016
03:17 AM
Hi Splunkers,
if you have removed or you have uninstalled existing forwarder instances you can remove them from the "missing forwarders" list in the DMC / MC using the "Rebuild Forwarder Assets" button.
http://docs.splunk.com/Documentation/Splunk/6.5.0/DMC/Configureforwardermonitoring#Rebuild_the_forwarder_asset_table
To remove all their data you can use the |delete command or you can clean the entire index like described in the documentation.
... View more
11-21-2016
12:32 PM
Hi Josefa,
the number of results means, the number of events your search / alert will generate.
In your example above the search will trigger if you have more than 50 rows in your table with host and count.
It will not trigger if you have a value of count greater 50.
If this is what you want you can do the following:
Create a new search:
index=test user=root dhost=* | stats> count by dhost | where count > 50
and if you create the alert set the number of results to "greater than 0"
The search will trigger only if there is at least one host with a count > 50.
... View more
11-21-2016
12:23 PM
Hi mnatkin,
thanks a lot. With your help, we have solved the problem.
We have changed the connection to non_audit and we have updated the Checkpoint TA.
I found out, that we where have used an older version of it. Version 4.1.0 is working better.
Unfortunately the switch from 3.1 ot 4.1 was very time consuming because the configuration file naming and maybe the syntax of the config files was changed. So we had to reconfigure the whole app and we have added some filter to props.conf to filter out all encrypt and decrypt events as well.
But that's not a big deal.
best regards
Benjamin
... View more
11-15-2016
02:28 PM
Hi @mnatkin,
this helps of course a lot. Thanks, for this details again.
We have deactivated the non_audit data_type because we are not interested in the VPN logs.
But now I will change that and filter it out later on.
I will ask our customer if he is able to verify the accounting filter in his Smart Center.
I will give you feedback, as soon we have tested it.
regards
Benjamin
... View more
11-14-2016
02:22 PM
1 Karma
You can use something like that:
sourcetype="Linux:Service" |stats count by field1 field2 field3 |where count<=0
Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.
You can extend this if you use something like this:
sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK", count <= 0, "ALERT")
| search event_alert="ALERT"
... View more
11-14-2016
01:40 PM
Hi mnatkin,
thanks for your detailed answer. This is exactly what we are looking for. We have verified the LEA document and then we tried the following on a Check Point environment on version R77.30:
We have switched the track option on a security policy rule from LOG to ACCOUNT.
Then we have generated a communication that hits this rule.
After that we have verified, that the session was ended correctly. (I believe the accounting event is only generated if the session is closed.
At last we have looked at Splunk to verify if there is a event containing the bytes and packets field you have shown above.
The result: We have only seen one event per session without accounting information.
Now I have some additional questions:
Can you tell us the source that you have used to get your accounting values? You know there are different config entities... non_audit, audit, ips and so on....
What version of CP is running at your site?
Could it be, that accounting needs to be licensed additionaly?
Thanks in advance for your great help, we had the same topic at several customers. Hopefully we can fix it now.
best regards
Benjamin
... View more
07-27-2016
08:35 AM
Yes, that's it. I already fixed it last year.
... View more
07-22-2016
01:49 AM
Hi Splunkers,
we are looking for accounting data in the Check Point traffic log (sourcetype=opsec). For example send and received bytes per session.
Currently we don't see this information:
sourcetype=opsec
loc=12029517|time=22Jul2016 7:37:33|action=accept|orig=8.8.8.8|i/f_dir=inbound|i/f_name=eth2-07|has_accounting=0|uuid=<5791b11d,0000000d,82ec14ac,c0000003>|product=VPN-1 & FireWall-1|inzone=Internal|outzone=Internal|rule=1378|rule_uid={C56C9FDC-A90F-4527-870A-E8F851CFDDDE}|service_id=domain-udp|src=1.1.1.1|s_port=64101|dst=11.22.33.216|service=53|proto=udp|user=Jimmy, Carter (pc12)(+)|src_user_name=Jimmy,Carter(pc12)(+)|snid=67e4d890|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={821C6959-613E-C347-9268-4C2729ACFCFF};mgmt=dummy;date=1469115508;policy_name=010_dummy]|origin_sic_name=CN=gateway1,O=dummy..w25isr
Is the TA able to pull this information, if enabled at the Smart Center?
Does anybody know what to do one Check Point site?
Thanks in advance.
... View more
12-18-2015
08:08 AM
1 Karma
Hi Splunkers,
We have a customer that is collecting Check Point fw, ips, and vpn logs via Opsec. Check Point version is R77.
At the moment, Splunk is indexing about 30 gigabyte per day. If we look at the log directory at Check Point smartcenter, we only see something about 3 gigabytes (rotating every 2GB) for the specific day, but Splunk has indexed 30 gigabytes.
I found out that Check Point logs are written in binary, but are they also saved in a compressed way?
Does anybody know how the OPSEC script from Splunk is pulling the logs? Is it just reading the files or is there an APIcall directly to the smart center? How can we check why we have this gab between the logs files on the system and the indexed log volume?
Thanks in advance
... View more
12-14-2015
08:14 AM
Hi Splunkers, we have the same problem. Is there a workaround now? Is there a release date for the new version?
We are running in big license problems....
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
