On Splunk ES I’m having an issue with the rule “Windows SQL Server xp_cmdshell Config Change” (https://research.splunk.com/endpoint/5eb76fe2-a869-4865-8c4c-8cff424b18b1/). After enabling it, I can no longer disable or delete the rule. I created a custom rule equivalent to that one with the search: index=wineventlog EventCode=15457 "*xp_cmdshell*" and it encounters the same issue. Even when I manually run the search index=wineventlog EventCode=15457 "*xp_cmdshell*", Splunk reports an error. I’m not sure what the underlying issue is. I’m wondering if anyone has encountered this problem before. Please help me disable or delete this rule, and let me know what the root cause of the issue might be.     ... View more

Hi all, I’m having an issue with parsing Palo Alto Firewall logs in Splunk. Here is the current situation: - I configured the Palo Alto firewall logs to be sent to the Splunk HF via UDP port 514. - I installed the Splunk Add-on for Palo Alto Networks on the deployment server and pushed the TA to the HF, indexers, and search head. - However, the Palo Alto logs in Splunk are still not being parsed. I currently don’t have a clear direction for troubleshooting. I would appreciate any advice or experience the community can share. @palo alto ... View more