Activity Feed
- Got Karma for Extract description into Threat Activity Object. 06-10-2021 05:34 AM
- Got Karma for Re: How to create regex with space delimiter field. 06-05-2020 12:50 AM
- Posted Extract description into Threat Activity Object on Splunk Enterprise Security. 04-03-2020 08:19 AM
- Tagged Extract description into Threat Activity Object on Splunk Enterprise Security. 04-03-2020 08:19 AM
- Posted Authentication CIM tags and mapping on Splunk Enterprise Security. 12-03-2019 08:40 AM
- Tagged Authentication CIM tags and mapping on Splunk Enterprise Security. 12-03-2019 08:40 AM
- Posted Re: How to create regex with space delimiter field on Splunk Enterprise Security. 11-27-2019 06:31 AM
- Posted How to create regex with space delimiter field on Splunk Enterprise Security. 11-26-2019 12:39 PM
- Tagged How to create regex with space delimiter field on Splunk Enterprise Security. 11-26-2019 12:39 PM
Topics I've Started
Subject | Karma | Author | Latest Post |
---|---|---|---|
Extract description into Threat Activity Object | 1 | | |
Authentication CIM tags and mapping | 0 | | |
How to create regex with space delimiter field | 0 | | |

04-03-2020 08:19 AM | 1 Karma
Splunk has all of those threat intel lists for file, process, registry, ip, url, etc. And each list has a description field where I put the threat campaign info related to the IOC. I want to extract that description into a new Threat_Activity.description field (in the Threat Intelligence data model) when it finds a match in the event logs. I have tried several tactics on my own, altering the various Threat Gen searches, but with no success. I know I can do searches with joins for workarounds and such. I also know that if I enter that info in the upload name it will show up in the Threat collection or Threat key field. But we often get a huge threat list with several different campaigns, and I would like to upload them all at the same time. This seems like a simple ask, since this field is in every built-in threat lookup. How can I get it to extract into a new field at match time?
12-03-2019 08:40 AM
Hello all,
I need help manually mapping a log source that has no supported add-on. I entered two event types with tags to identify which log is a failed login and which is a successful login. They are listed below.
Search: index=index sourcetype=logsource LoginSuccessful=0 Tags: authentication, failure
Search: index=index sourcetype=logsource LoginSuccessful=1 Tags: authentication, success
But in the Auth DM fields, it is showing every event as Authentication.is_Failed_Authentication and every event as Authentication.is_Successful_Authentication. Can someone send me the link to the right mapping doc in Splunk or describe what I am missing here? Do I need to enter a field alias as well?
Thank you
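The CIM Authentication data model's Failed_Authentication and Successful_Authentication child datasets are constrained on the value of the `action` field (`action="failure"` / `action="success"`), while the root dataset is selected by `tag=authentication`; a tag named `failure` or `success` on an event type is not consulted by those child datasets. The following is an added configuration example, not text from the post or from any Splunk add-on, showing one way to map a custom source: the event types and `index=index sourcetype=logsource LoginSuccessful=…` searches are taken from the post, the stanza names `logsource_auth_success` / `logsource_auth_failure` and the `[logsource]` props stanza are assumed placeholders for the real sourcetype, and the raw field names used for `user`, `src` and `dest` are hypothetical and must be replaced with the fields the log actually carries.

```ini
# eventtypes.conf  (added example; searches copied from the post)
[logsource_auth_success]
search = index=index sourcetype=logsource LoginSuccessful=1

[logsource_auth_failure]
search = index=index sourcetype=logsource LoginSuccessful=0

# tags.conf  (only the "authentication" tag matters to the data model root)
[eventtype=logsource_auth_success]
authentication = enabled

[eventtype=logsource_auth_failure]
authentication = enabled

# props.conf  (stanza name assumed: use the real sourcetype here)
# The child datasets key on action=success / action=failure, so derive
# that field from the log's own success flag at search time.
[logsource]
EVAL-action = if(LoginSuccessful=="1", "success", "failure")

# Aliases are needed only when the raw field names differ from the CIM
# names; the right-hand sides below are hypothetical raw field names.
FIELDALIAS-logsource_user = raw_username AS user
FIELDALIAS-logsource_src  = raw_client_ip AS src
FIELDALIAS-logsource_dest = raw_server_name AS dest
```

After deploying, a quick check is `| datamodel Authentication Failed_Authentication search` restricted to the sourcetype: only events whose `action` evaluates to `failure` should appear, and the `Successful_Authentication` dataset should return the complement.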
11-27-2019 06:31 AM | 1 Karma
Would have never thought of that. Thanks for saving me time!
11-26-2019 12:39 PM
Hello all, a regex is needed that's way above my head:
I have a message field in the notable index that holds multiple space-delimited hostnames on a host-down alert. I need to separate out these values for a timechart. A sample of what is in the message field for each notable is listed below. I will need to exclude everything after hosts= and everything before \ncount=144, and each hostname has a space in between. I want to call the new field criticalhosts.
hosts=XXXXC01 XXXXC05 XXXXM86 \ncount=144
Once that's done, I will need to do a stats count to show how many hosts went down per day over a month. I tried it with stats delim=" " but I am missing the first and last values in the field due to the extra verbiage. Thanks for the help.
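One way to carve the hostnames out of the message shown above and count distinct down hosts per day, as an added SPL example that is not part of the thread: the `message` field, the `hosts=` / `\ncount=` delimiters and the field name `criticalhosts` come from the post; the `index=notable` filter and the alert name filter are assumed, and the regex accepts either a literal backslash-n (as the sample reads) or a real newline before `count=`.

```spl
index=notable search_name="*host down*"
| rex field=message "hosts=(?<criticalhosts>.+?)\s*(?:\\\\n|\n)count="
| makemv delim=" " criticalhosts
| mvexpand criticalhosts
| where isnotnull(criticalhosts) AND criticalhosts!=""
| timechart span=1d dc(criticalhosts) AS hosts_down
```

The lazy `.+?` stops at the first `count=` delimiter, and the `\s*` in front of it absorbs the trailing space in the sample (`XXXXM86 \ncount=144`), which is what otherwise produces an empty last token; `makemv` then splits the remaining value on single spaces, and `mvexpand` gives one row per hostname so `dc()` counts each host once per day even when it appears in several notables. Replace `search_name="*host down*"` with whatever identifies the alert in your environment.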