Having a bit of an issue understanding how to apply this to change the date/time format of a field from a lookup table. The issue I am having is that when sorting by "Completion Date" the dates do not sort correct because of the format. For example Jan/7/2019 will show higher than Jan/17/2019. So the idea was to convert the timestamp to include a 0 (Jan/07/2019) so it sorts properly. Any help is appreciated. It works in testing as per below, I can't get it to apply to my query: ... View more

Hello all! I am using the dashboards generated in the Palo Alto Networks App and attempting to divide the http_category (for URL filtering) to group them into specific other categories and then create a Pie Chart of the results. The results of the search add the count of each correctly, but I am unable to how this work "visually". Basically I want to flag specific "http_category" events as "Good", "Bad", and "Grey area" as an example. So that "Bad" could contain sports, shopping and games, "Good" could contain government, legal and news, etc... I am able to get correct numbers (by adding them up manually to verify) with this following search: | tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.http_category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(eval(http_category="sports" OR http_category="shopping" OR http_category="games")) as bad, sum(eval(http_category="legal" OR http_category="government" OR http_category="news")) as good, sum(eval(http_category="music" OR http_category="religion" OR http_category="media")) as "grey area" Any suggestions on how I can resolve this or am I looking at this completely wrong? Any help with be very much appreciated. Thanks, Dean ... View more

Hello all, I am trying take the results of my search and append the results based on that search from the "OID" field. index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!="" | table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState | sort -LastModifiedDateTime |eval NewOID = OID - 1 As per the example above, I want to take the resulting OID's found and subtract that result and get minus 1 of that (As per NewOID). Then, I want to take that "newOID" and append it to the current table by searching those as "OID" to display the new results. The result should be similar to the example below. To get these results I manually entered the resulting OID variables. So if the OID= 5361529, I want to subtract 1 from that and get OID=5361528 and display both results on the same table. I hope this makes sense. Is there an easy way to do this? Thanks, Dean ... View more

Hello, We have a search that will show both an Active Directory account that has been set to expire and it will also show if the account was moved to the correct Organizational Unit. EventCode=4738 Account_Expires!="-" | eval Account_Name=mvindex(Account_Name, -1) | table _time, Account_Name, Account_Expires| append [|search EventCode=5139 [|search EventCode=4738 Account_Expires!="-" | eval Account_Name=mvindex(Account_Name, -1) |eval New_DN="CN=".replace(Account_Name,"\."," ").",OU=*,OU=Users - Disabled,DC=testdomain,DC=ca" | table New_DN] |table _time, Account_Name, New_DN, Old_DN] We would like to create an alert that would notify us if there is no match between the two with approximately 7 days. For example, as per the image below, an alert would notify us that "Wally.West" has not been moved to the Disabled OU within 7 days. Any help with this would be greatly appreciated. ... View more

Hello all, I am trying to combine two different searches to correlate with one another. The first search is: EventCode=4738 Account_Expires!="-" | table _time, Account_Name, Account_Expires| eval Account_Name=mvindex(Account_Name, -1) This will provide me any AD account that had made changes to the account expiry. I use the | eval Account_Name=mvindex(Account_Name, -1) to show me the 2nd name as the first one is the person who made the change. The second one is the account was changed. Next we have an OU in AD that we move the user to called Users - Disabled. EventCode=5139 New_DN="CN=*,OU=Users - Disabled,DC=testdomain,DC=ca" | table _time, Account_Name, New_DN, Old_DN This is so I can see if a user was moved to this "Users - Disabled" OU How do I combine these by obtaining the "Account_Name" from the first search to use as an insert to search for this user that was moved(as per below)? EventCode=5139 New_DN="CN=<Insert "Account_Name" here>,OU=Users - Disabled,DC=testdomain,DC=ca" | table _time, Account_Name, New_DN, Old_DN The problem I have is that EventCode=5139 does not show the second user as EventCode=4738 does. The goal is here is to see how much time has transpired from when an "Account_Expires" was set and when the account is moved to this "Users - Disabled" OU. Is this something that is possible? After that I would want to set an alert to notify me when the "Account_Expires" field was changed and if the AD account was not moved to the "Users - Disabled" OU within about 10 days. Any suggestions would be appreciated. ... View more

When using the "Edit Incident" option and adding a "Comment" in Incident Posture, where do these comments appear? The informational tab does not display any comments nor can I find anywhere on this app where it is displayed. One would assume it would be in the "History", but nothing in there appears to be populating. ... View more

Hello, I'm using the following search string to monitor SQL Server DB Tables that are being audited by SQL Server Audit logs and then pushed to the Application Event Logs. eventtype="wineventlog_application" sourcetype="*" TaskCategory="*" SourceName="MSSQLSERVER" EventCode="33205" | eval EventCodeDescription=if(isnull(EventCodeDescription), mvindex(split(Message, "."), 0), EventCodeDescription)| rex field=_raw "statement:(?<statement>.*)\s" | rex field=_raw "database_name:(?<database_name>.*)\s" | rex field=_raw "server_instance_name:(?<server_instance_name>.*)\s" | rex field=_raw "server_principal_name:(?<server_principal_name>.*)\s" | table _time, EventCode, EventCodeDescription, server_instance_name, server_principal_name, database_name, statement | rename server_instance_name as "Server Instance", server_principal_name as "Account Used", database_name as "Database", statement as "Table Modified" This creates the following table: I'm using the following to manually create fields (In Bold) in my search for my tables from the sample event log below.: | rex field=_raw "statement:(?.*)\s" | rex field=_raw "database_name:(?.*)\s" | rex field=_raw "server_instance_name:(?.*)\s" | rex field=_raw "server_principal_name:(?.*)\s" 7/17/17 12:03:44.000 PM 07/17/2017 12:03:44 PM LogName=Application SourceName=MSSQLSERVER EventCode=33205 EventType=0 Type=Information ComputerName=Batman.Justiceleague.dc TaskCategory=None OpCode=None RecordNumber=68853580 Keywords=Audit Success, Classic Message=Audit event: event_time:2017-07-17 18:03:44.2141420 sequence_number:1 action_id:IN succeeded:true is_column_permission:false session_id:76 server_principal_id:403 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:7671075 user_defined_event_id:0 class_type:U permission_bitmask:00000000000000000000000000000008 session_server_principal_name:Batcave server_principal_name:Batman server_principal_sid:a1f03f0aga235sga232437d411 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:DCUniverse database_name:Justice_league schema_name:dbo object_name:auditinfoadm statement:insert auditinfoadm (actor, actorname, dtime, event, ipaddr) select @l_memberid, name, getutcdate(), 'LOGOUT', @l_ipaddr from member where memberid = @l_memberid additional_information: user_defined_information: I want to create some field extractions so I don't have use these commands in my search string. I have tried doing so using both the tool and by manually creating my own regex. But I think because of how short the sample event log is (as per below), the information I want at the bottom of my event log is not being searched, thus it is not creating the fields for me in the "interesting fields" column in the events tab. I have also tried using the "Filter" search bar to search for "server_principal_name" and this shows me the data, (while it will omit data it can't show) but it still does not create the extracted fields I want. Anyone have ideas on how I can get around this? ... View more