About tkerr1357

tkerr1357 · ‎10-13-2023

That didn't work. Also, I don't think you can count by multiple fields.

tkerr1357 · ‎10-13-2023

Hello all, I could use some help here with creating a search. Ultimately I would like to know if a user is added to a specific set of security groups what security groups if any were removed from that same user. Here is a search for security group removal: index=wineventlog EventCode=4729 EventCodeDescription="A member was removed from a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog | table member, Group_Name, Subject_Account_Name, _time Here is a search for security group added: index=wineventlog EventCode=4728 EventCodeDescription="A member was Added to a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog | table member, Group_Name, Subject_Account_Name, _time additional search info: EventCode=4728 Added EventCode=4729 Removed Group_Name - security group Subject_Account_Name - prov sentry member - user security groups, I would like to monitor users being added to: RDSUSers_GRSQCP01 RDSUSers_GROQCP01 RDSUSers_BRSQCP01 RDSUSers_BROQCP01 RDSUSers_VRSQCP01 RDSUSers_VROQCP01 Again I am looking to monitor if a user was added to any of the above 6 security groups were they within a few hours before and ahead of the event removed from any other groups. let me know if I can provide any additional info and as always thank you for the help.

tkerr1357 · ‎08-16-2023

Hello all, I am trying to blacklist an event that is tied to a specific sAMAccountName which is sAMAccountName="Alertz - ProductFeedback" . The only way I can think to achieve this is maybe with a blacklist regex statement but I am not sure and not very good with regex. Below is a sample event. Please let me know if there are any questions. 08/16/2023 09:34:07.541 dcName=RNBSAD1.rightnetworks.com admonEventType=Update Names: objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=rightnetworks,DC=com name=Alertz - ProductFeedback distinguishedName=CN=Alertz - ProductFeedback,OU=Expired Alert Groups,OU=Desk Alerts,OU=Security Groups,DC=rightnetworks,DC=com cn=Alertz - ProductFeedback Object Details: sAMAccountType=268435456 sAMAccountName=Alertz - ProductFeedback objectSid=S-1-5-21-2605281412-2030159296-1019850961-856824 objectGUID=1e0bcfbf-dc8b-43e9-855a-7004ce3d6b3b whenChanged=09:33.53 AM, Wed 08/16/2023 whenCreated=09:31.41 AM, Tue 08/01/2023 objectClass=top|group Event Details: uSNChanged=820790490 uSNCreated=813674539 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z groupType=-2147483646

tkerr1357 · ‎04-22-2022

when I run my original search it gets no events. when I run the following search with an IP that I know to be in those index's over a period of all time it returns no events index=wineventlog OR index=fortigate src_ip=100.14.174.187 | lookup TORIP TORIP AS src_ip OUTPUT TORIP | search TORIP=* when I run the following search it looks like its just returning any event that has a src_ip in it not just whats in the lookup file index=wineventlog OR index=fortigate [| inputlookup TORIP |rename "TORIP" as "src_ip" |return 999 "src_ip"] my hope was to run the search every 24 hrs and return all events that match an IP in the lookup file.

tkerr1357 · ‎04-20-2022

sorry when I run the search I want to look through those two index's for any event that contans at least one of the ip's in the lookup list

tkerr1357 · ‎04-20-2022

When I run a search for one of the individual ips in the lookup file it returns events.

tkerr1357 · ‎04-19-2022

the search worked but seems like its returning all IPs not just the ones in the lookup file.

tkerr1357 · ‎04-19-2022

Hello all, I am having trouble with a search that is not returning results as it should. The search is below and I have attached an example of the lookup file. When I run a search just looking for an individual IP it does return events but is not working with the lookup file. Any help is appreciated. index=wineventlog OR index=fortigate | lookup TORIP TORIP AS src_ip OUTPUT TORIP | search TORIP=*

tkerr1357 · ‎04-07-2022

sorry sent the wrong rex | rex "Client Address:(?<clientaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

tkerr1357 · ‎04-07-2022

Hey all , just need a little regex help trying to pull an IP address out and its not working. here is my rex | rex field=_raw "Remote host:(?<Remotehost>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" here is an example event 4/7/22 3:11:32.000 PM 04/07/2022 03:11:32 PM LogName=Security EventCode=4779 EventType=0 ComputerName=BPSQCP00S080.rightnetworks.com SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=115076290 Keywords=Audit Success TaskCategory=Other Logon/Logoff Events OpCode=Info Message=A session was disconnected from a Window Station. Subject: Account Name: 705628 Account Domain: RIGHTNETWORKS Logon ID: 0x13887BFB Session: Session Name: RDP-Tcp#81 Additional Information: Client Name: DESKTOP-PIT40LB Client Address: 73.175.205.64

tkerr1357 · ‎04-05-2022

hello all, I am trying to figure out why my iplocation report isnt providing the city,country under statistics. Below is my search that is providing the IP field in the table but the other two columns are blank. Any assistance would be great here. index=wineventlog EventCode=4624 | search src_ip="*" ComputerName="*" user="*" | eval "Source IP" = coalesce(src_ip,"") | eval clientip=src_ip | iplocation allfields=false "Source IP" | table "Source IP", city, country

tkerr1357 · ‎02-11-2022

Thank you, I was able to figure out the issue. I failed to place an OUTPUT ofter defining the field so there was nothing for the search to look at. I fixed that and then added a search command to look for any of the IPs in the lookup command.

tkerr1357 · ‎02-10-2022

Hi all, I am struggling a bit with incorporating a lookup into my searches. I have a lookup file that is a single column of IP addresses and a header of TORIP. It should be a pretty basic search index=* src_ip=* followed by the lookup. I added the lookup file and lookup definition but when I run a search it fails saying the lookup table doesnt exist.

tkerr1357 · ‎09-30-2021

yeesh glad I asked I was way overthinking this thanks for the help.

tkerr1357 · ‎09-29-2021

Hi All, I am looking to create an alert based on the following base search. index=wineventlog w19tax.exe app_name=W19TAX . I am specifically looking for the alert to only trigger when the same SID comes up multiple time for the same application. example event: 09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run.

tkerr1357 · ‎07-14-2021

I changed it to target instead of computername but this did the trick.

tkerr1357 · ‎07-14-2021

Hi All, I am looking for a little help with a search today. I am looking to create an alert based on this search that only triggers when the same hostname comes up twice in a row. so far the search I have is I am unsure how to include/return two machines of the same name: index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded" | rex field=_raw "Actual value\\\":\s+\\\"(?<actual_value>\d+)" | search actual_value>=10 | table Target,actual_value,ApplicationName,Title here is an example event: 07/14/2021 10:39:49 AM LogName=LoginPI Events EventCode=800 EventType=4 ComputerName=RNBSVSIMGT02.rightnetworks.com SourceName=Application Threshold Exceeded Type=Information RecordNumber=1786721 Keywords=Classic TaskCategory=None OpCode=Info Message={ "Description": "Measurement duration (7.561s) exceeded threshold of 5s (51.22%)", "Actual value": "7.561", "Threshold value": "5", "Measurement": "quickbooksopen_2021", "Locale": "English (United States)", "RemotingProtocol": "Rdp", "Resolution": "1920 × 1080", "ScaleFactor": "100%", "Target": "BPOQCP01S01", "TargetOS": "Microsoft Windows Server 2016 Standard 10.0.14393 (1607)", "AppExecutionId": "4ed43186-648c-4e8e-96ee-9e4b52e468cb", "AccountId": "a4a6655b-f7ac-4783-aec5-698a146eb2cf", "AccountName": "rightnetworks\\eloginpi082", "LauncherName": "RNBSVSI23", "EnvironmentName": "BPOQCP01S01", "EnvironmentId": "bc31c8f6-e8c0-4278-93c3-08d8040960f8", "ApplicationName": "QB_2021_Open", "ApplicationId": "ece9c6b9-6662-45be-970d-2708603ca13b", "Title": "Application threshold exceeded" }

tkerr1357 · ‎03-12-2021

Hello all, Looking for some help with a perfmon search. index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total | timechart sum(Disk_Transfers/sec) span=90s This gives me all the IO of the hosts, but it only seems accurate if I chart it to 90s span, which is how often it queries. If I change that then the sum obviously just puts all the values together. What I want to do is show longer periods of time, but still have it counting the sum of each reading (like a bucket) over time and not adding all numbers over the whole period (span) together. I want to force it to always use the time as the bucket. Any help is much appreciated.

tkerr1357 · ‎03-12-2021

I was able to resolve this but had to completely alter my search

tkerr1357 · ‎03-10-2021

sorry I forgot to mention I tried that and it only returns the number of events for the most recent day. If I remove the majority of the evals and customization adding that timechart works just fine.

tkerr1357 · ‎03-09-2021

Hello all, I need some assistance using the search below to produce a timechart of the number of events per day for the last 90 days. index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25 | search Source_Network_Address="*" ComputerName="*" User="*" | eval "Source IP" = coalesce(Source_Network_Address,"") | eval clientip=Source_Network_Address | sort- _time | iplocation "Source IP" | where isnotnull(lat) | streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User | strcat lat "," lon pointA | haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles |strcat next_lat "," next_lon pointB |eval time_dif=(((next_time - _time)/60)/60), distance_miles=round(distance_miles, 2), time_dif=round(time_dif, 2)

tkerr1357 · ‎02-18-2021

looks like it was an issue with my search. I was able to add the regex provided as a field extraction and that provided what I was looking for.

tkerr1357 · ‎02-17-2021

no such luck with this one.

tkerr1357 · ‎02-17-2021

Hey All, I am trying to pull the username from the following event which is everything after the Rightnetworks\ in the event. Also to complicate things It could be a name or a set of numbers or a name with numbers in it. Any help is apperciated. here are some example events: 02/17/2021 11:45:19 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=BPSQCP03S11.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1079076 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\465714 Session ID: 350 Source Network Address: 184.97.224.236 02/17/2021 11:45:18 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=RNVSASP217.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1064633 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\veronicagutierrez Session ID: 342 Source Network Address: 216.67.212.82

tkerr1357 · ‎02-05-2021

both of those worked thank you !!!

Posts	37
Solutions	2
Karma Given	1
Karma Received	0
Member Since	‎01-08-2020

Online Status	Offline
Date Last Visited	‎10-13-2023 04:48 PM

Active Directory security group changes

blacklist regex help

Why is my Lookup search not returning results corr...

Could someone provide regex help?

Why isn't iplocation report providing the city, co...

How to incorporate a Lookup in search?

searching for repeated events from the same user

search help

Splunk perfmon disk io search

a little search assistance

Re: Active Directory security group changes

Active Directory security group changes

blacklist regex help

Re: Lookup search help

Re: Lookup search help

Re: Lookup search help

Re: Lookup search help

Why is my Lookup search not returning results corr...

Re: more regex help

Could someone provide regex help?

Why isn't iplocation report providing the city, co...

Re: How to incorporate a Lookup in search?

How to incorporate a Lookup in search?

Re: searching for repeated events from the same us...

searching for repeated events from the same user

Re: search help

search help

Splunk perfmon disk io search

Re: a little search assistance

Re: a little search assistance

a little search assistance

Re: more regex help :/

Re: more regex help :/

more regex help :/

Re: Regex help