hi all, i still failed to decrypt the epo logs. this is my config. [tcp://6514] connection_host = ip host = DCHQ-SIMSL-01 source = 10.220.34.23:6514 sourcetype = mcafee:epo:syslog index = mcafee [SSL] serverCert=/splunk/cert/splunk-epo-remote.pem requireClientCert=false cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256   any ideas? huhh ... View more

Here's how I've partially solved this for UNIX/Linux clients. On the Indexer props.conf [syslog] ### Match events with sourcetype of syslog and invoke the SophosLogs stanza in transforms.conf ### TRANSFORMS-antivirus = SophosLogs transforms.conf [SophosLogs] ### Look in events of sourcetype syslog specified in props.conf for the string "savd [" REGEX=savd\[ ### Select _MetaData Index field ### DEST_KEY=_MetaData:Index ### Change the destination Index to antivirus from the original (unix) ### FORMAT=antivirus On the Search Head eventtypes.conf [sophos_central_events] ### Create an eventtype of sophos_central_events and match the field product_version with any value ### search=product_version=* tags.conf ### Enable malware and operations tags for eventtype sophos_central_events ### [eventtype=sophos_central_events] malware = enabled operations = enabled props.conf [syslog] ### Match events with sourcetype of syslog and invoke the SophosLogsSH stanza in transforms.conf ### REPORT-antivirus = SophosLogsSH transforms.conf [SophosLogsSH] ### Use REGEX to extract fields date, time, host, process_name, product_version ### REGEX=^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\ d*\.\d*\.\d*,\sData:\s\d*.\d*.+) The effect of this is that we now have any events written by the savd process to /var/log/messages being routed to the antivirus Index, rather than the UNIX Index. The Malware datamodel can search the antivirus Index, correctly detects events with malware and operations tags. It then counts the number of hosts with a product_version field and populates the Enterprise Security dashboard with the version numbers. The next task is to do the same for Windows clients. Hopefully this helps someone. ... View more

I have tried the below query with maxspan=-1 maxpause=-1 but I am not getting the Hostnames. Can you please help me in getting Correct fields for matching the Logon_ID events in Splunk for 4624 and 4688. Or is there any other way for Correlating 4624 and 4688 events.  I need to verify who has logged into the machine within the session created and ran the process from his account. ... View more

Any changes made via the Web GUI or directly to the files should be as a *.conf files in the "Local" folder inside the app main folder.     ... View more

My pleasure. I'm glad I could do something to help someone today. ... View more

Thank u for your reply. I will test it out and let you know. Have a nice week ahead. ... View more

Thanks for you support, really appreciated ... View more

it's a custom app unfortunately there is no TA for that. after run what you mention get this result  id                    id2              duration 9876543    1234567    00:00:00:028   seems just apply for last part. any idea? thank ... View more

Hi @splunkerer , With your permission I'll start from the beginning, with your problem statement. You wrote that "if login attempt get failed, userid doesn't show up" and "userid is supposed to be unique, but not always".  So how do you link between the failed login events and the following successful one ? by host name or some id ? If possible can you share some sample dataset from your dev/QA environment or something similar ?   ... View more

Hi @Lukas85 , Read the full set of column and use the function coalesce ( "This function takes an arbitrary number of arguments and returns the first value that is not NULL.") | makeresults 1 | eval column2=NULL,column3=NULL, column4=11223,column5=11559 | eval result= coalesce(column2,column3,column4,column5)     ... View more

| makeresults 1 | eval _raw="Server1234.prod.outlook.com/Microsoft Exchange Hosted Organizations/MyOrg.onmicrosoft.com/Smith, Joe" | rex mode=sed "s/.*\///g" | table _raw ... View more

Hi @splunkeradmin22 , Have a look at the below macro: |`incident_review` ... View more

@richgalloway  : I think using match() and exact regex will do the trick, I am testing it. Will let you know if it handles all the cases, I will mark this as the accepted answer. Thanks! ... View more

You're welcome ! ... View more

Hi @Nurcan    You will have wrap the rules you have developed inside an Analytic Story for it to be displayed in ESCU. Go to Configure->Content Management-> Create New Content and choose Analytic Story. The mapping to Cyber Kill Chain and MITER ATTACK Framework will be derived by the annotations you created for the Correlation Search.   ... View more

HI @efika  Thank you for your response, No custom python scripts are running on the HF for inputs. ... View more

it worked! thank you! 🙂 replace it with module ... View more

You can still run the scheduling task on the splunk server itself and let it copy to the other machines so you continue to adhere to the described design. ... View more

Thank you ... View more

| rest /services/deployment/server/applications https://docs.splunk.com/Documentation/Splunk/8.2.1/RESTREF/RESTdeploy#deployment.2Fserver.2Fapplications ... View more

@DEAD_BEEF  Here is a way to re-iterate over the props.conf, basically addressing the same issue you've raised: https://www.linkedin.com/pulse/how-make-splunk-heavy-forwarder-reiterate-over-after-changing-efi/?trackingId=ppRO1LfrmMWuu8U5BCTzdA%3D%3D   ... View more