I don't think this is exactly it but it may lead you to the right path   | rest /services/datamodel/model |search eai:appName=search | table updated   The updated field shows when the model was last updated.  ... View more

Nice! Exactly what I was looking for! I did know to replace with the index. Opsec was just "Operations Security" to not reveal what we are running. 😀 ... View more

We are closer but not there yet.  ... View more

Looks closer      ... View more

I almost forgot one of the best resources to learn is https://bots.splunk.com/login. You will find rebuild detection in there that you can copy out and use. Is also has games and challenges. I believe you login for this site will work there. You will find it very useful.  https://bots.splunk.com/login ... View more

I'm very disheartened to hear about this. I run the Idaho Falls Splunk Users Group and will present next month on using Windows Event Logs to find intruders. You are welcome to join our group and attend. I will give many examples you can cut and paste into your Splunk instance. You may need to modify them slightly for your environment, but they will give you an idea of how to build additional use cases. Personally, I never re-invent the wheel. There is a lot of detection out there.  that I look for before building my own. I would start by googling "Splunk," "Threat detection," and then '"Splunk threat detection" github.' There are many people who aren't insecure people, like the people you work with who willingly share their talents. We all got where we are with the help of others. It's sad to hear you are being treated this way. Once you join the user groups, you can contact me directly. I will take time to work with you as time permits. I will also point you to resources that will help you grow in the field and use Splunk for building use cases. I'll include a couple of resources here for you. Another thing to keep in mind is that all threat hunting that finds positive activity should lead to a signature. There are tons of threat-hunting Splunk searches out there, and they can also be used as use cases. You may need to tune them (cast a narrower net) before putting them into production, but they will give you a good idea of how to build out detection.  You will find that industry leaders are always sharing their research and knowledge. Jack Crook was one of my mentors when I was new in this career. Jack and I share the same frustration of attending conferences where many share "theories" but not content. He is big on sharing content and actual Splunk searches and use cases. You can follow his blog. I have included it below. As you grow in this career, remember to not be like the others that have treated you so poorly. Remember, this is a very negative reflection on them, not you! I hope that this helps, and I hope to talk soon!  http://findingbad.blogspot.com  https://www.udemy.com/course/cybersecurity-monitoring-detection-lab/?couponCode=ST9MT22024  https://github.com/splunk/security_content/tree/develop/detections/application https://www.detectionengineering.net https://github.com/west-wind/Threat-Hunting-With-Splunk ... View more

Okay; so if you have the option of something other than once per event then it's probably configured on the back end and I'll need to work with our team that manages that and make sure they enable that option. Just to confirm, you have that option and what version are you running? Also, Thank you so much for your help!! ... View more

No, it's batch analysis, a term coined by Bamm Visscher, to only look at results that happen every few days or weekly. I don't want it to hit once for every result. The whole ask of the post is to find out how I can get a report not to send if there aren't any results. That's really what I want to do. In alerts, I only can select "once per result," which doesn't work for me because I want them in a batch (many alerts in one alert, so to speak) I don't want it to fire every time there is a hit. This is used for high false positive alerts that we only want to look at every few days. I'm not sure how to make what I'm looking for much clearer than I have in my responses. I want to either have an alert that sends one alert with consolidated alerts for 3 days worth of alerts or I want to send a report with 3 days worth of consolidated search results in place of an alert but I don't want the report to send if there are 0 results.  ... View more

Thank you; and yes, I understand that. It's just that this is my only option "once per event" and I don't know if you have different options on your Splunk instance. If you do, then it's probably that I need to get with the team that administers this and ask them to add the other options.  ... View more

Once is the only option that I have. I don't know if this is due to a backend config or what but it's my only option.  ... View more

I don't have that option. Would that happen to be in the advanced edit?  ... View more

My alerts only allow me to choose trigger once for each result.      ... View more