Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hrithiktej
hrithiktej
Communicator
Member since:
07-06-2017
06-17-2020
Community Statistics
| Posts | 78 |
| Solutions | 3 |
| Karma Given | 1 |
| Karma Received | 17 |
| Member Since | 07-06-2017 |
Activity Feed
- Got Karma for Why isn't whitelisting for universal forwarder working in Splunk v6.6.3?. 10-31-2020 04:53 PM
- Got Karma for Re: Why isn't whitelisting for universal forwarder working in Splunk v6.6.3?. 10-31-2020 04:53 PM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:58 AM
- Posted Re: please help My splunk services wont start and giving this error when i lookup the log file on Splunk Enterprise. 06-17-2020 09:28 AM
- Posted please help My splunk services wont start and giving this error when i lookup the log file on Splunk Enterprise. 06-17-2020 08:22 AM
- Got Karma for Splunk Vs Microsoft Azure sentinel. 06-05-2020 12:50 AM
- Karma Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers? for mwdbhyat. 06-05-2020 12:49 AM
- Got Karma for Is there something wrong with my server roles?. 06-05-2020 12:49 AM
- Got Karma for Questions on best practices for a new Splunk environment. 06-05-2020 12:49 AM
- Got Karma for Questions on best practices for a new Splunk environment. 06-05-2020 12:49 AM
- Got Karma for Re: Questions on best practices for a new Splunk environment. 06-05-2020 12:49 AM
- Got Karma for Re: Questions on best practices for a new Splunk environment. 06-05-2020 12:49 AM
- Posted Re: Why does the AMP for endpoints API require the "write" access? on All Apps and Add-ons. 01-21-2020 12:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-17-2020
09:28 AM
Yes but i get the following [root@dc1-splunk02 bin]# ./btprobe -d /opt/splunk/bin/splunkd: error while loading shared libraries: libjemalloc.so.2: cannot open shared object file: No such file or directory
... View more
06-17-2020
08:22 AM
My splunk services wont start 06-17-2020 11:13:37.100 -0400 ERROR BTreeCP - open failed to restore checkpoint in btree='/opt/splunk/var/lib/splunk/fishbucket/splunk_private_db', it may be corrupted -- run `SPLUNK_HOME/bin/btprobe -d '/opt/splunk/var/lib/splunk/fishbucket' -r` to attempt to repair This splunk is enterprise security plus heavy forwarder and has version 7.x on it. All my other servers are on 8.x. Due to lot of dependencies on python 2.7 we did not upgrade this one but it worked fine for many months.
... View more
Labels
01-21-2020
12:58 AM
cool thanks for the update
... View more
07-03-2019
07:47 AM
1 Karma
In Splunk when i ingest Security events log of AD from 70 domain controllers for just 4 whitelisted events and dropping static text by regex in config file and the count is 500gb avg. everyday.
In Azure sentinel when we ingest the same data i mean like ingest these 4 events by Azure sentinel connector from our domain controllers the amount/size of logs is just 10gb.
i am surprised and want to know what is the difference in terms of logs ingestion or processing that there is so huge difference in terms of size.
... View more
04-25-2019
05:48 AM
Thanks for the reply folks i will try this out, i will create a notepad file with some content rename it as setup.exe and try to pass it through source fire and see if the detection occurs, if it does and the detection is just because of the name than in my opinion it is not a so cool investigation correlation search in splunk.
... View more
04-24-2019
05:47 AM
I have these events on Splunk ES security posture dashboard and need help in understand how the detection for this one particular investigation works
below is the example of this event we are investigating
04/22/2019 06:35:00 -0400, search_name="Threat - File Name Matches - Threat Gen", search_now=1555929300.000, info_min_time=1555840800.000, info_max_time=1555929300.000, info_search_time=1555929301.836, dest="::", file_name="Setup.exe", orig_sourcetype="cisco:sourcefire", src="10.143.24.83|10.143.6.14", threat_collection=file_intel, threat_collection_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240:mandiant:observable-dedc26f8-efce-45e0-80c5-b1ed8a00cd89", threat_key="mandiant:package-190593d6-1861-4cfe-b212-c016fce1e240|Appendix_G_IOCs_No_OpenIOC.xml", threat_match_field=file_name, threat_match_value="Setup.exe"
Threat detection reference https://jar-download.com/artifacts/org.mitre/stix/1.2.0.2/source-code/schemas/v1.2.0/samples/APT1/Appendix_G_IOCs_No_OpenIOC.xml
Using the file name i could trace down to one of the users who was trying to download snoopwpf which is "a app that allows you to spy/browse the visual tree of a running application (without the need for a debugger) ... and change properties ... amongst other things."
how does this investigation of Splunk ES work is it solely based on file name or more?
... View more
04-16-2019
03:50 AM
I was unable to get it to work with read only access and then i explained my AMP admin and they got me both access and from last 4 months we are pulling data into Splunk and can say that it is safe to have read and write both. But i agree ideally it should work with read only access.
I have not tested whether it requires read write initially or whether throughout
... View more
03-26-2019
09:11 AM
Nope i manually clean up after every 30 days. You can setup a cron job for 30 days cleanup. Because in umbrella bucket we have set the log retention for 30 days, so if clean up anything it downloads complete 30 days of log folders again, so once anything gets older than 30 days i delete them.
... View more
03-15-2019
08:01 AM
Yes below are the examples of files getting downloaded, and i am downloading it to my syslog server and then from there the splunk UF reads and forwards to my splunk indexer
-rw-r--r--. 1 root root 628 Mar 15 14:50 2019-03-15-14-40-2593.csv.gz
-rw-r--r--. 1 root root 683 Mar 15 14:50 2019-03-15-14-40-32fa.csv.gz
-rw-r--r--. 1 root root 844 Mar 15 14:50 2019-03-15-14-40-7f7d.csv.gz
-rw-r--r--. 1 root root 930 Mar 15 14:50 2019-03-15-14-40-b3ab.csv.gz
-rw-r--r--. 1 root root 798 Mar 15 14:50 2019-03-15-14-40-dcd8.csv.gz
... View more
01-18-2019
01:58 AM
@ David rose
TRY THIS workaround it works
The work around mentioned in this article
https://support.umbrella.com/hc/en-us/articles/360001388406-Configuring-Splunk-with-a-Cisco-managed-S3-Bucket
and now i have it all working
I am downloading logs onto my syslog servers with a cron job to run after every 10mins and from there i have the splunk reading them.
If u need help with cron job let me know
... View more
12-14-2018
03:44 AM
Why does the AMP for endpoints API require the "write" access? I am afraid of the APP making changes to the events in AMP console. Will it delete or resolve the alerts if i give the WRITE access to the APP?
... View more
10-17-2018
12:27 PM
We are using McAfee DATABASE ACTIVITY MONITOR solution and have integerated it with Splunk and do not get much fields even in verbose mode search on Splunk search head ,hence looking for some addon that can help in field extraction.
I hav tried installing few McAfee addons but they all seem to be for Mcafee ePO or Antivirus & IPS but none for McAfee DAM.
... View more
- Tags:
- splunk-enterprise
10-17-2018
11:07 AM
Umbrella suport replied to me the same that due to permission issues it is not possible to ingest the logs using this app. So i followed the work around mentioned in this article
https://support.umbrella.com/hc/en-us/articles/360001388406-Configuring-Splunk-with-a-Cisco-managed-S3-Bucket
and now i have it all working
his article covers the basics of getting Splunk up and running so it is able to consume the logs from your Cisco-managed S3 bucket. You will:
1) Set up your Cisco-managed S3 bucket in your dashboard.
2) Create a cron job to retrieve files from the bucket and store them locally on your server.
3) Configure Splunk to read from a local directory.
... View more
10-12-2018
01:26 PM
Hi BonMot,
Thanks for your post but i tried exactly this and it is still not working? Anything else you can suggest?
... View more
08-28-2018
08:39 AM
Our security events count is in millions and we observed that we have more then 600 service accounts in our environment and they contribute millions of events for a/c log on events and hence we want to drop these events for service accounts.
Is there a regex available to drop service account events from active directory to be used on the universal forwarder?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-17-2020
12:13 PM
|
