Activity Feed
- Posted Re: Active Directory security group changes on Splunk Search. 10-13-2023 01:23 PM
- Posted Active Directory security group changes on Splunk Search. 10-13-2023 06:38 AM
- Posted blacklist regex help on Splunk Search. 08-16-2023 07:50 AM
- Posted Re: Lookup search help on Splunk Search. 04-22-2022 07:07 AM
- Posted Re: Lookup search help on Splunk Search. 04-20-2022 06:23 PM
- Posted Re: Lookup search help on Splunk Search. 04-20-2022 07:19 AM
- Posted Re: Lookup search help on Splunk Search. 04-19-2022 01:12 PM
- Posted Why is my Lookup search not returning results correctly? on Splunk Search. 04-19-2022 11:22 AM
- Posted Re: more regex help on Splunk Search. 04-07-2022 01:00 PM
- Posted Could someone provide regex help? on Splunk Search. 04-07-2022 12:40 PM
- Posted Why isn't iplocation report providing the city, country under statistics? on Splunk Search. 04-05-2022 09:14 AM
- Posted Re: How to incorporate a Lookup in search? on Splunk Search. 02-11-2022 09:53 AM
- Posted How to incorporate a Lookup in search? on Splunk Search. 02-10-2022 02:42 PM
- Posted Re: searching for repeated events from the same user on Splunk Search. 09-30-2021 08:46 AM
- Posted searching for repeated events from the same user on Splunk Search. 09-29-2021 01:47 PM
- Posted Re: search help on Splunk Search. 07-14-2021 10:00 AM
- Posted search help on Splunk Search. 07-14-2021 08:01 AM
- Posted Splunk perfmon disk io search on Splunk Search. 03-12-2021 10:24 AM
- Posted Re: a little search assistance on Splunk Search. 03-12-2021 09:51 AM
- Posted Re: a little search assistance on Splunk Search. 03-10-2021 08:29 AM
10-13-2023 01:23 PM
That didn't work. Also, I don't think you can count by multiple fields.

10-13-2023 06:38 AM
Hello all,
I could use some help here with creating a search. Ultimately I would like to know, if a user is added to a specific set of security groups, what security groups, if any, were removed from that same user.
Here is a search for security group removal:
index=wineventlog EventCode=4729 EventCodeDescription="A member was removed from a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
| table member, Group_Name, Subject_Account_Name, _time
Here is a search for security group added:
index=wineventlog EventCode=4728 EventCodeDescription="A member was Added to a security-enabled global group" Subject_Account_Name=srv_HiveProvSentryNe OR Subject_Account_Name=srv_HiveProvSentry source="WinEventLog:Security" sourcetype=WinEventLog
| table member, Group_Name, Subject_Account_Name, _time
Additional search info:
- EventCode=4728: Added
- EventCode=4729: Removed
- Group_Name: security group
- Subject_Account_Name: prov sentry
- member: user
security groups, I would like to monitor users being added to:
RDSUSers_GRSQCP01
RDSUSers_GROQCP01
RDSUSers_BRSQCP01
RDSUSers_BROQCP01
RDSUSers_VRSQCP01
RDSUSers_VROQCP01
Again, I am looking to monitor, if a user was added to any of the above 6 security groups, whether they were removed from any other groups within a few hours before or after the event. Let me know if I can provide any additional info, and as always thank you for the help.
Labels: chart, eval, transaction
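The correlation the post above asks for, as an added Python example that is not part of the original thread: it parses constructed 4728/4729 events with the same field names as the searches and, for each add to one of the six monitored groups by a provisioning account, lists the groups the same member was removed from within a configurable window, which is what a transaction or streamstats-based SPL search would do server-side. The group names and the two srv_HiveProvSentry accounts come from the post; the sample events and the 3-hour default window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Group names and provisioning accounts come from the post; everything else is assumed.
MONITORED_GROUPS = {
    "RDSUSers_GRSQCP01", "RDSUSers_GROQCP01", "RDSUSers_BRSQCP01",
    "RDSUSers_BROQCP01", "RDSUSers_VRSQCP01", "RDSUSers_VROQCP01",
}
PROV_ACCOUNTS = {"srv_HiveProvSentry", "srv_HiveProvSentryNe"}
ADDED, REMOVED = "4728", "4729"
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (not from the thread), same field names as the Splunk searches.
SAMPLE_EVENTS = [
    "10/13/2023 06:01:10 AM EventCode=4729 member=jdoe Group_Name=Finance_Users Subject_Account_Name=srv_HiveProvSentry",
    "10/13/2023 06:05:42 AM EventCode=4728 member=jdoe Group_Name=RDSUSers_GRSQCP01 Subject_Account_Name=srv_HiveProvSentry",
    "10/13/2023 08:30:00 AM EventCode=4729 member=jdoe Group_Name=VPN_Users Subject_Account_Name=srv_HiveProvSentryNe",
    "10/12/2023 01:00:00 PM EventCode=4729 member=jdoe Group_Name=Old_Group Subject_Account_Name=srv_HiveProvSentry",
    "10/13/2023 07:00:00 AM EventCode=4728 member=asmith Group_Name=RDSUSers_VROQCP01 Subject_Account_Name=srv_HiveProvSentry",
    "10/13/2023 07:05:00 AM EventCode=4729 member=asmith Group_Name=Some_Group Subject_Account_Name=helpdesk_admin",
]

def parse_event(line):
    """Turn 'MM/DD/YYYY HH:MM:SS AM key=value ...' into a dict with a datetime under _time."""
    event = dict(KV_RE.findall(line[23:]))
    event["_time"] = datetime.strptime(line[:22], "%m/%d/%Y %I:%M:%S %p")
    return event

def correlate(events, window_hours=3):
    """For each 4728 that adds a member to a monitored group (by a provisioning account),
    list the groups that same member was removed from (4729) within +/- window_hours.
    Returns [(member, added_group, [removed_groups in time order]), ...]."""
    window = timedelta(hours=window_hours)
    events = [e for e in events if e.get("Subject_Account_Name") in PROV_ACCOUNTS]
    removals = [e for e in events if e["EventCode"] == REMOVED]
    findings = []
    for add in events:
        if add["EventCode"] != ADDED or add["Group_Name"] not in MONITORED_GROUPS:
            continue
        nearby = sorted(
            (r["_time"], r["Group_Name"]) for r in removals
            if r["member"] == add["member"] and abs(r["_time"] - add["_time"]) <= window
        )
        findings.append((add["member"], add["Group_Name"], [g for _, g in nearby]))
    return findings

def run_sample():
    return correlate([parse_event(line) for line in SAMPLE_EVENTS])
```

An add with an empty removal list is still reported so the caller can decide whether "added but removed from nothing" is interesting.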

08-16-2023 07:50 AM
Hello all, I am trying to blacklist an event that is tied to a specific sAMAccountName, which is sAMAccountName="Alertz - ProductFeedback". The only way I can think to achieve this is maybe with a blacklist regex statement, but I am not sure and not very good with regex. Below is a sample event. Please let me know if there are any questions.
08/16/2023 09:34:07.541 dcName=RNBSAD1.rightnetworks.com admonEventType=Update Names: objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=rightnetworks,DC=com name=Alertz - ProductFeedback distinguishedName=CN=Alertz - ProductFeedback,OU=Expired Alert Groups,OU=Desk Alerts,OU=Security Groups,DC=rightnetworks,DC=com cn=Alertz - ProductFeedback Object Details: sAMAccountType=268435456 sAMAccountName=Alertz - ProductFeedback objectSid=S-1-5-21-2605281412-2030159296-1019850961-856824 objectGUID=1e0bcfbf-dc8b-43e9-855a-7004ce3d6b3b whenChanged=09:33.53 AM, Wed 08/16/2023 whenCreated=09:31.41 AM, Tue 08/01/2023 objectClass=top|group Event Details: uSNChanged=820790490 uSNCreated=813674539 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z groupType=-2147483646
Labels: regex

04-22-2022 07:07 AM
When I run my original search it gets no events. When I run the following search, with an IP that I know to be in those indexes, over a period of all time, it returns no events:
index=wineventlog OR index=fortigate src_ip=100.14.174.187
| lookup TORIP TORIP AS src_ip OUTPUT TORIP
| search TORIP=*
When I run the following search it looks like it's just returning any event that has a src_ip in it, not just what's in the lookup file:
index=wineventlog OR index=fortigate [| inputlookup TORIP | rename "TORIP" as "src_ip" | return 999 "src_ip"]
My hope was to run the search every 24 hrs and return all events that match an IP in the lookup file.

04-20-2022 06:23 PM
Sorry, when I run the search I want to look through those two indexes for any event that contains at least one of the IPs in the lookup list.

04-20-2022 07:19 AM
When I run a search for one of the individual ips in the lookup file it returns events.

04-19-2022 01:12 PM
The search worked, but it seems like it's returning all IPs, not just the ones in the lookup file.

04-19-2022 11:22 AM
Hello all,
I am having trouble with a search that is not returning results as it should. The search is below and I have attached an example of the lookup file. When I run a search just looking for an individual IP it does return events but is not working with the lookup file. Any help is appreciated.
index=wineventlog OR index=fortigate
| lookup TORIP TORIP AS src_ip OUTPUT TORIP
| search TORIP=*
Labels: lookup

04-07-2022 01:00 PM
Sorry, sent the wrong rex:
| rex "Client Address:(?<clientaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

04-07-2022 12:40 PM
Hey all,
Just need a little regex help trying to pull an IP address out, and it's not working.
Here is my rex:
| rex field=_raw "Remote host:(?<Remotehost>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Here is an example event:
04/07/2022 03:11:32 PM LogName=Security EventCode=4779 EventType=0 ComputerName=BPSQCP00S080.rightnetworks.com SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=115076290 Keywords=Audit Success TaskCategory=Other Logon/Logoff Events OpCode=Info Message=A session was disconnected from a Window Station. Subject: Account Name: 705628 Account Domain: RIGHTNETWORKS Logon ID: 0x13887BFB Session: Session Name: RDP-Tcp#81 Additional Information: Client Name: DESKTOP-PIT40LB Client Address: 73.175.205.64
Labels: regex

04-05-2022 09:14 AM
Hello all,
I am trying to figure out why my iplocation report isn't providing the city, country under statistics. Below is my search; it provides the IP field in the table, but the other two columns are blank. Any assistance would be great here.
index=wineventlog EventCode=4624 | search src_ip="*" ComputerName="*" user="*" | eval "Source IP" = coalesce(src_ip,"") | eval clientip=src_ip | iplocation allfields=false "Source IP" | table "Source IP", city, country
Labels: Other

02-11-2022 09:53 AM
Thank you, I was able to figure out the issue. I failed to place an OUTPUT after defining the field, so there was nothing for the search to look at. I fixed that and then added a search command to look for any of the IPs in the lookup command.

02-10-2022 02:42 PM
Hi all,
I am struggling a bit with incorporating a lookup into my searches. I have a lookup file that is a single column of IP addresses and a header of TORIP. It should be a pretty basic search, index=* src_ip=* followed by the lookup. I added the lookup file and lookup definition, but when I run a search it fails, saying the lookup table doesn't exist.
Labels: lookup

09-30-2021 08:46 AM
Yeesh, glad I asked. I was way overthinking this, thanks for the help.

09-29-2021 01:47 PM
Hi All, I am looking to create an alert based on the following base search:
index=wineventlog w19tax.exe app_name=W19TAX
I am specifically looking for the alert to only trigger when the same SID comes up multiple times for the same application. Example event:
09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run.
Labels: count

07-14-2021 10:00 AM
I changed it to target instead of computername but this did the trick.

07-14-2021 08:01 AM
Hi All, I am looking for a little help with a search today. I am looking to create an alert based on this search that only triggers when the same hostname comes up twice in a row. So far the search I have is below; I am unsure how to include/return two machines of the same name:
index="login_pi" source="WinEventLog:LoginPI Events" SourceName="Application Threshold Exceeded"
| rex field=_raw "Actual value\\\":\s+\\\"(?<actual_value>\d+)"
| search actual_value>=10
| table Target,actual_value,ApplicationName,Title
Here is an example event:
07/14/2021 10:39:49 AM LogName=LoginPI Events EventCode=800 EventType=4 ComputerName=RNBSVSIMGT02.rightnetworks.com SourceName=Application Threshold Exceeded Type=Information RecordNumber=1786721 Keywords=Classic TaskCategory=None OpCode=Info Message={ "Description": "Measurement duration (7.561s) exceeded threshold of 5s (51.22%)", "Actual value": "7.561", "Threshold value": "5", "Measurement": "quickbooksopen_2021", "Locale": "English (United States)", "RemotingProtocol": "Rdp", "Resolution": "1920 × 1080", "ScaleFactor": "100%", "Target": "BPOQCP01S01", "TargetOS": "Microsoft Windows Server 2016 Standard 10.0.14393 (1607)", "AppExecutionId": "4ed43186-648c-4e8e-96ee-9e4b52e468cb", "AccountId": "a4a6655b-f7ac-4783-aec5-698a146eb2cf", "AccountName": "rightnetworks\\eloginpi082", "LauncherName": "RNBSVSI23", "EnvironmentName": "BPOQCP01S01", "EnvironmentId": "bc31c8f6-e8c0-4278-93c3-08d8040960f8", "ApplicationName": "QB_2021_Open", "ApplicationId": "ece9c6b9-6662-45be-970d-2708603ca13b", "Title": "Application threshold exceeded" }

03-12-2021 10:24 AM
Hello all, looking for some help with a perfmon search:
index=perfmon host=myhost01s* sourcetype="PerfmonMk:LogicalDisk" instance=_total
| timechart sum(Disk_Transfers/sec) span=90s
This gives me all the IO of the hosts, but it only seems accurate if I chart it with a 90s span, which is how often it queries. If I change that, the sum obviously just puts all the values together. What I want to do is show longer periods of time but still have it counting the sum of each reading (like a bucket) over time, and not adding all numbers over the whole period (span) together. I want to force it to always use the time as the bucket. Any help is much appreciated.
Labels: timechart
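The failure mode the perfmon post describes, reproduced in an added Python example that is not part of the original thread: timechart_sum() does what sum() over a wider span does (it adds every 90-second rate sample that lands in the bin), while timechart_bucketed() first totals the readings across hosts per 90-second sample and only then reduces those per-sample totals over the wider span, so the result stays in transfers/sec. The sample readings, the two host names and the 90-second polling interval are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed PerfmonMk:LogicalDisk readings (not from the post): one Disk_Transfers/sec
# value per host every 90 s, for two hosts matching host=myhost01s*, instance=_total.
SAMPLES = [
    ("03/12/2021 10:00:00 AM", "myhost01s01", 120.0), ("03/12/2021 10:00:00 AM", "myhost01s02", 80.0),
    ("03/12/2021 10:01:30 AM", "myhost01s01", 150.0), ("03/12/2021 10:01:30 AM", "myhost01s02", 50.0),
    ("03/12/2021 10:03:00 AM", "myhost01s01", 300.0), ("03/12/2021 10:03:00 AM", "myhost01s02", 100.0),
    ("03/12/2021 10:04:30 AM", "myhost01s01", 90.0), ("03/12/2021 10:04:30 AM", "myhost01s02", 10.0),
]

def _secs(ts):
    """Seconds since midnight for a 'MM/DD/YYYY HH:MM:SS AM' timestamp (all samples are one day)."""
    t = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
    return t.hour * 3600 + t.minute * 60 + t.second

def _hms(secs):
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"

def avg(values):
    return sum(values) / len(values)

def timechart_sum(samples, span_s):
    """What `timechart sum(Disk_Transfers/sec) span=<span_s>s` does: every reading that lands
    in a bin is added together, so a span wider than the 90 s polling interval inflates the
    rate by the number of readings per bin."""
    bins = defaultdict(float)
    for ts, _host, value in samples:
        s = _secs(ts)
        bins[_hms(s - s % span_s)] += value
    return dict(bins)

def timechart_bucketed(samples, span_s, sample_s=90, reducer=max):
    """Two-stage version: total across hosts per 90 s reading first (the 'bucket' the post
    describes), then reduce those per-reading totals over the wider span with max or avg,
    which keeps the unit at transfers/sec however wide the span is."""
    per_reading = defaultdict(float)
    for ts, _host, value in samples:
        s = _secs(ts)
        per_reading[s - s % sample_s] += value
    grouped = defaultdict(list)
    for s, total in per_reading.items():
        grouped[_hms(s - s % span_s)].append(total)
    return {k: reducer(v) for k, v in grouped.items()}
```

With a 5-minute span the plain sum reports 900 transfers/sec for an interval whose real per-reading totals never exceed 400.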

03-10-2021 08:29 AM
Sorry, I forgot to mention I tried that and it only returns the number of events for the most recent day. If I remove the majority of the evals and customization, adding that timechart works just fine.

03-09-2021 12:28 PM
Hello all, I need some assistance using the search below to produce a timechart of the number of events per day for the last 90 days.
index=wineventlog source="WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" EventCode=25
| search Source_Network_Address="*" ComputerName="*" User="*"
| eval "Source IP" = coalesce(Source_Network_Address,"")
| eval clientip=Source_Network_Address
| sort - _time
| iplocation "Source IP"
| where isnotnull(lat)
| streamstats current=f global=f window=1 first(lat) as next_lat first(lon) as next_lon first(_time) as next_time first(clientip) as next_ip first(Country) as next_country first(Region) as next_region by User
| strcat lat "," lon pointA
| haversine originField=pointA units=mi inputFieldLat=next_lat inputFieldLon=next_lon outputField=distance_miles
| strcat next_lat "," next_lon pointB
| eval time_dif=(((next_time - _time)/60)/60), distance_miles=round(distance_miles, 2), time_dif=round(time_dif, 2)
Tags: search
Labels: timechart
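The pipeline in the search above (sort by time, pair each logon with the same user's next one, haversine distance and hours between them, then a per-day count), as an added Python example that is not part of the original thread. The lat/lon that iplocation would supply are embedded in the constructed sample logons so the code runs offline; the user names, RFC 5737 addresses, coordinates and the 500 mph threshold are assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed EventCode=25 reconnections (not from the post):
# (time, User, Source_Network_Address, lat, lon). lat/lon stand in for iplocation output.
SAMPLE_LOGONS = [
    ("03/09/2021 08:00:00 AM", "user1", "198.51.100.10", 42.36, -71.06),   # Boston
    ("03/09/2021 09:30:00 AM", "user1", "203.0.113.20", 34.05, -118.24),   # Los Angeles, 90 min later
    ("03/09/2021 11:00:00 AM", "user2", "198.51.100.30", 40.71, -74.01),   # New York
    ("03/10/2021 11:30:00 AM", "user2", "198.51.100.31", 39.95, -75.17),   # Philadelphia, next day
]

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles, the quantity the haversine command emits with units=mi."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 3958.8 * math.asin(math.sqrt(a))

def pair_consecutive(logons):
    """Mirror of `sort - _time | streamstats current=f window=1 ... by User`: pair every logon
    with the same user's next one and compute distance_miles and time_dif (hours), rounded to 2."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon in logons:
        by_user[user].append((datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"), ip, lat, lon))
    pairs = []
    for user, rows in by_user.items():
        rows.sort()
        for (t0, ip0, la0, lo0), (t1, ip1, la1, lo1) in zip(rows, rows[1:]):
            pairs.append({
                "User": user, "_time": t0, "clientip": ip0, "next_ip": ip1,
                "distance_miles": round(haversine_miles(la0, lo0, la1, lo1), 2),
                "time_dif": round((t1 - t0).total_seconds() / 3600, 2),
            })
    return pairs

def events_per_day(pairs, min_mph=None):
    """`timechart span=1d count` over the pairs; with min_mph set, only pairs whose implied
    speed exceeds it are counted (the impossible-travel case this search is built for)."""
    counts = Counter()
    for p in pairs:
        if min_mph is not None:
            speed = p["distance_miles"] / p["time_dif"] if p["time_dif"] > 0 else math.inf
            if speed <= min_mph:
                continue
        counts[p["_time"].date().isoformat()] += 1
    return dict(counts)
```

Days on which a user has only one logon produce no pair and therefore no count, which is worth remembering when the per-day chart looks sparse.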

02-18-2021 04:49 AM
looks like it was an issue with my search. I was able to add the regex provided as a field extraction and that provided what I was looking for.

02-17-2021 09:33 AM
Hey All, I am trying to pull the username from the following event, which is everything after the Rightnetworks\ in the event. Also, to complicate things, it could be a name, a set of numbers, or a name with numbers in it. Any help is appreciated. Here are some example events:
02/17/2021 11:45:19 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=BPSQCP03S11.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1079076 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\465714 Session ID: 350 Source Network Address: 184.97.224.236
02/17/2021 11:45:18 AM LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager EventCode=25 EventType=4 Type=Information ComputerName=RNVSASP217.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 TaskCategory=None OpCode=Info RecordNumber=1064633 Keywords=None Message=Remote Desktop Services: Session reconnection succeeded: User: RIGHTNETWORKS\veronicagutierrez Session ID: 342 Source Network Address: 216.67.212.82
Labels: regex
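One parser for both regex questions on this page (the Client Address of the 4779 event and the username after RIGHTNETWORKS\ in the EventCode=25 events), as an added Python example that is not part of the original threads. Two checks a practitioner wants are built in: the pattern allows whitespace after the colon, which the events carry and a rex written as "Client Address:(?<clientaddress>...)" does not, and anything matched by \d{1,3} is validated as a real address before it is trusted. The sample events are constructed with RFC 5737 addresses; the domain name is the one on the page.

```python
import ipaddress
import re

# Constructed events (not copied from the posts) that keep the layout of the 4779 and
# EventCode=25 messages shown above; addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    "04/07/2022 03:11:32 PM LogName=Security EventCode=4779 Message=A session was disconnected "
    "from a Window Station. Subject: Account Name: 705628 Account Domain: RIGHTNETWORKS "
    "Session: Session Name: RDP-Tcp#81 Client Name: DESKTOP-TEST Client Address: 198.51.100.64",
    "02/17/2021 11:45:19 AM EventCode=25 User=NOT_TRANSLATED Message=Remote Desktop Services: "
    "Session reconnection succeeded: User: RIGHTNETWORKS\\465714 Session ID: 350 Source Network Address: 203.0.113.236",
    "02/17/2021 11:45:18 AM EventCode=25 User=NOT_TRANSLATED Message=Remote Desktop Services: "
    "Session reconnection succeeded: User: RIGHTNETWORKS\\jane.doe42 Session ID: 342 Source Network Address: 203.0.113.82",
    "04/07/2022 03:12:00 PM LogName=Security EventCode=4779 Message=A session was disconnected "
    "from a Window Station. Client Name: DESKTOP-TEST Client Address: 999.1.2.3",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# \s* after the colon: the events have a space there, so a rex with no whitespace
# allowance between "Client Address:" and the capture group never matches.
CLIENT_ADDR_RE = re.compile(r"Client Address:\s*(?P<clientaddress>" + IPV4 + r")\b")
SRC_ADDR_RE = re.compile(r"Source Network Address:\s*(?P<src_ip>" + IPV4 + r")\b")
# \S+ takes everything after the backslash up to the next space: digits, a name, or a mix.
USER_RE = re.compile(r"User:\s*RIGHTNETWORKS\\(?P<user>\S+)", re.IGNORECASE)

def extract_fields(event):
    """Pull clientaddress / src_ip / user from one raw event, as the rex commands would."""
    fields = {}
    for rx in (CLIENT_ADDR_RE, SRC_ADDR_RE, USER_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    # \d{1,3} happily matches 999.1.2.3, so validate before the value drives an alert
    for key in ("clientaddress", "src_ip"):
        if key in fields:
            try:
                ipaddress.ip_address(fields[key])
            except ValueError:
                fields[key + "_invalid"] = fields.pop(key)
    return fields

def extract_all(events):
    return [extract_fields(e) for e in events]
```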