cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
gwes77
Explorer
Member since: ‎11-26-2019
‎09-20-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎11-26-2019
Activity Feed
View All

Extract description into Threat Activity Object

by in Splunk Enterprise Security
‎04-03-2020 08:19 AM
1 Karma
‎04-03-2020 08:19 AM
1 Karma
Splunk has all of those threat intel lists for file, process, registry, ip, url, etc... And each list has a description field where I put the threat campaign info related to the IOC. I am wanting to extract that description into a new Threat_Activity.description (in the Threat Intelligence Data Model) field when it finds a match in the event logs. I have tried several tactics on my own altering the various Threat Gen searches but with no success. I know I can do searches with joins for workarounds and such. I also know that if I enter that info in the upload name it will show up in the Threat collection or Threat key field. But we often get a huge threatlist with several different campaigns and I would like to upload them all at the same time. This seems like a simple ask since this field is in every built in threat lookup. How can I get it to extract into a new field at match time? ... View more

Authentication CIM tags and mapping

by in Splunk Enterprise Security
‎12-03-2019 08:40 AM
‎12-03-2019 08:40 AM
Hello all, I need help manually mapping a log source that has no supported add on. I entered in two event types with tags to ID which log is a failed login and which is a successful login. They are listed below. Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here. Do I need to enter a field alias as well? Thank you ... View more

Re: How to create regex with space delimiter field

by in Splunk Enterprise Security
‎11-27-2019 06:31 AM
1 Karma
‎11-27-2019 06:31 AM
1 Karma
Would have never thought of that. Thanks for saving me time! ... View more

How to create regex with space delimiter field

by in Splunk Enterprise Security
‎11-26-2019 12:39 PM
‎11-26-2019 12:39 PM
Hello all, a regex is needed that's way above my head: I have a message field in the notable index that holds multiple space delimiter hostnames on a host down alert. I need to separate out these values for a timechart. A sample of what is in the message field for each notable is listed below. I will need to exclude everything after hosts= and everything before \ncount=144 and each hostname has space in between. I want to call the new field criticalhosts. hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144 Once that's done, I will need to do a stats count to show how many hosts went down per day over a month. I tried it with stats delim=" " but I am missing the first and last values in the field due to the extra verbiage. Thanks for the help. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-20-2021 05:53 PM
Karma from
View All