Activity Feed
- Posted Re: Windows universal forwarder with a static config for Sysmon logs on Getting Data In. 01-06-2022 11:28 AM
- Posted Windows universal forwarder with a static config for Sysmon logs on Getting Data In. 01-06-2022 11:09 AM
- Karma Re: Compare the values from two fields ( one is from a lookup) for ITWhisperer. 09-30-2020 01:07 AM
- Posted Re: Compare the values from two fields ( one is from a lookup) on Splunk Search. 09-29-2020 10:01 AM
- Posted Compare the values from two fields ( one is from a lookup) on Splunk Search. 09-29-2020 09:45 AM
- Posted Re: Sendemail no longer working since upgrade on Reporting. 07-17-2020 03:40 AM
- Posted Re: Sendemail no longer working since upgrade on Reporting. 07-17-2020 01:07 AM
- Posted Re: Sendemail no longer working since upgrade on Reporting. 07-15-2020 01:31 PM
- Posted Re: Sendemail no longer working since upgrade on Reporting. 07-15-2020 01:31 AM
- Posted Getting permissions error with 'sendemail' after upgrading from 7 to 8. on Reporting. 07-14-2020 03:49 AM
- Karma Re: anyone got the CB ThreatHunter app working? for alacercogitatus. 06-05-2020 12:50 AM
- Karma Re: How to write a search to only display entries added in the last 24 hours based on a time field from a lookup CSV file? for ktugwell_splunk. 06-05-2020 12:48 AM
- Karma Re: How to write a search to find hosts that perform web requests to the same site/url at an exact interval? for aweitzman. 06-05-2020 12:47 AM
- Karma Re: How to write a search to find hosts that perform web requests to the same site/url at an exact interval? for stephane_cyrill. 06-05-2020 12:47 AM
- Got Karma for How do I compare different values for fields returned using the python REST API?. 06-05-2020 12:47 AM
- Posted Re: anyone got the CB ThreatHunter app working? on All Apps and Add-ons. 11-25-2019 10:13 AM
- Posted Re: anyone got the CB ThreatHunter app working? on All Apps and Add-ons. 11-22-2019 06:16 AM
- Posted anyone got the CB ThreatHunter app working? on All Apps and Add-ons. 11-18-2019 05:43 AM
- Posted Phantom Tanium: 'Variables' in query action on All Apps and Add-ons. 07-26-2019 05:50 AM
- Tagged Phantom Tanium: 'Variables' in query action on All Apps and Add-ons. 07-26-2019 05:50 AM
01-06-2022 11:28 AM
So you can include the config options with your way?

01-06-2022 11:09 AM
I was hoping someone can help me. We are looking into deploying Sysmon and the Universal Forwarder remotely in very specific circumstances (suspicious activity on a host or by a user, etc.). I am struggling with getting the universal forwarder set up remotely. Essentially I just need the universal forwarder to forward the Sysmon event logs (Microsoft-Windows-Sysmon/Operational), but I need to be able to do this remotely via command line or script. I came across a Splunk article about setting up the forwarder with a static config which seemed good, but looking into the config options it doesn't seem to allow you to specify which logs to collect: it gives you the option of the usual Security, System, Application etc. but doesn't appear to support anything else, unless I'm mistaken? Otherwise, does anyone know if it's possible to include a config file/parameters within the installer?
Labels: universal forwarder, Windows
09-29-2020 10:01 AM
Hi @gcusello Yes, I tried the below:
| search "logon country" != "Country"
Didn't work.

09-29-2020 09:45 AM
Hi all
Trying to build a query and struggling in "comparing" two fields. Essentially this is what I am trying to do:
1) I have logs from our online email service which has the usual details (time, source IP, email address, source logon country, etc.)
2) I have a lookup in Splunk with the common Active Directory details (name, title, country, etc.)
What I am trying to do is get a search to show me the logons where the two Country fields don't match, e.g. UserA logged on from Germany, his AD details show the user is based in Germany, therefore I don't want to know. This is what I have so far:
index="email" | lookup adusers Email AS Username OUTPUT DisplayName Title Country | where "logon country" != "Country" | table Username "Source IP" "logon country" DisplayName Title Country
The "where" statement doesn't work; any ideas on how to get this working (if it's possible, of course)?
Tags: comparison, lookup
Labels: lookup
07-17-2020 03:40 AM
OK, this has got weird now. Rebooted and now I can send emails via the 'command line' in the GUI but not the automated way. Example:
index=* | head 10 | sendemail to="nick.giannoulis@xxxx.com" from="nick.giannoulis@xxxx.com" subject="test" server="imapoutgoing.xxxxxxxxx.net:587" use_tls=true
This works fine. My scheduled report still does not work though. The settings I have put in at Settings | Server Settings | Email settings are the same as above:
Mailhost: imapoutgoing.xxxxxxx.net:587 | Enable TLS
Send email as: nick.giannoulis@xxxx.com (copy & paste from the above just in case)
This is the error from the logs:
07-17-2020 11:30:04.296 +0100 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python2.exe C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py "results_link=http://10.21.56.47:8000/app/search/@go?sid=scheduler__admin__search__RMD5141fe5c68308f17b_at_1594981800_1" "ssname=Joe_Report" "graceful=True" "trigger_time=1594981800" results_file="C:\Program Files\Splunk\var\run\splunk\dispatch\scheduler__admin__search__RMD5141fe5c68308f17b_at_1594981800_1\results.srs.zst" "is_stream_malert=False"': ERROR:root:(550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.giannoulis@xxxxxxxxx.com
07-17-2020 01:07 AM
Well, it works in the way that it actually runs, and I still get the same error:
command="sendemail", (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.giannoulis@xxxxxx.com
Time to get Wireshark out and see if I can spot the issue.
07-15-2020 01:31 PM
Thanks for the link; somehow I doubt that is the issue since I can use pretty much the same settings to send an email using PowerShell/Python. Oh well, the search continues...
07-15-2020 01:31 AM
It's a scheduled report that I am trying to send. Sadly the Python log did not have anything more useful:
2020-07-14 09:35:07,062 +0000 ERROR sendemail:142 - Sending email. subject="Splunk Report: xxxx", results_link="http://10.21.56.47:8000/app/search/@go?sid=scheduler__admin__search__RMD5141fe5c68308f17b_at_1594719300_8", recipients="[u'xxxxx@xxxxxx']", server="xxxxxxxxxxxxx"
2020-07-14 09:35:07,062 +0000 ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: xxxxxxxxxxxxxxxx
2020-07-14 09:40:02,720 +0000 INFO sendemail:1162 - sendemail pdfgen_available = 1
07-14-2020 03:49 AM
Hi all
I recently upgraded my Splunk instance to version 8.x (whatever the newest one was a week ago). I reconfigured pretty much everything as I had it before (on v7.x) and I have noticed I can no longer get my email notification to work.
I am using exactly the same settings for email as I used in version 7, but with version 8 I get these error messages:
ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.xxxxx@xxxxxx.xxx
I have configured Splunk to use our local Exchange server for sending emails and it's set to send emails as myself to myself. I have the correct settings/ports for TLS and the auth part; I have verified these settings using PowerShell and another Python script and they both work, it's just Splunk that doesn't work.
I suspect that something is being changed when the sendemail attempt happens, but I cannot see anything in the logs to see exactly what is being sent.
Any ideas on how to troubleshoot?
I looked in splunkd.log and there is nothing really more than the above...
11-25-2019 10:13 AM
OK, so I deleted the app and installed it again to start fresh (running a single all-in-one instance of Splunk). So does this config sound right? (for Carbon Black PSC)
Hostname: xxxxxx.conferdeploy.net
Token: API Secret Key (does it need specific access like API or SIEM?)
Connector ID: API ID
Does the above seem about right?
Then I'm guessing a Notification has to be set up so specific data can be pulled by the app?
11-22-2019 06:16 AM
Hi there, that makes quite a bit more sense, especially the part for the Notification API/Connector ID (I think I was trying to use a different type of API). I will give the above a go on Monday and then update here.
11-18-2019 05:43 AM
Trying to get the CB ThreatHunter app working on my dev instance of Splunk (7.3.2) with no luck. Sadly the documentation isn't that great and to a certain extent confusing.
For a start, does anyone know if you need to install all 3 apps (technology add-on, input add-on and the app)? It seems to me that 2 of these 3 apps have the same config page.
Also, once installed and on the config page, when trying to create a new config, what do the Token and Connector ID relate to? Is it the API key and ID? If that's the case, surely somewhere you have to specify an org ID, as the whole Carbon Black PSC service is in the cloud.
And I guess a last question: what kind of data is this app supposed to pull down? I can't find any mention of what data it gathers and whether you can modify it.
07-26-2019 05:50 AM
Trying to use the "Run Query" action from the Tanium app.
The problem I am having is specifying the hostname to be searched.
For example, this should be the search that gets sent to the server:
Get Trace Executed Processes from all machines with Computer Name equals MyHostname1
Obviously, as this is part of the playbook, I want the hostname to be filled in from the CEF|Artifacts field.
Does anyone know if this is possible?
I tried the below, which didn't work:
Get Trace .................. equals artifact.*.cef.sourceHostName
06-24-2018 09:56 AM
Hi all
I'm having issues getting AfterGlow to work on our dev Splunk instance. Currently running the latest version of Splunk (7.1.1) on Windows and whatever version of AfterGlow you download off the official website. I have installed ActivePerl and Graphviz and even added them to the Windows PATH.
Here is where the software is installed:
Perl location: C:\Perl64\
Graphviz location: C:\Graphviz2.38\
Paths entered into the AfterGlow config (app settings in Splunk):
Perl: C:\Perl64\bin
Graphviz: C:\Graphviz2.38\bin\
When performing a generic search on firewall logs it returns thousands of events; however, there is an error message that reads:
AfterGlow was not able to generate a graph. Please check the neato directory in the AfterGlow Setup.
Anyone have any idea how to fix this issue?
06-20-2018 12:28 AM
It's possible to use HTTP/REST, but I have decided to try and go down the 'wrapper' route with Python. Thanks so much for your help.
06-19-2018 01:02 PM
Essentially I am building an in-house Splunk app for a few bits and pieces (partially to help users and partially for me to learn more about Splunk).
Anyway, currently I have created a 'page' inside the app with just a textbox and submit button where the users enter an IP address; then the search goes through a CSV and returns host details.
Essentially I wanted to replicate that but for the EDR solution, so a basic 'page' with a textbox and submit button where users can enter a hostname, and when they click the submit button our PowerShell script (with some modification, I'm assuming) goes and fetches the results and just displays them.
PS: forgot to note that each page obviously has an event/stats panel to show results.
06-19-2018 12:14 PM
So you don't think it's possible to run the PowerShell command directly (rather than having to 'wrap' it in Python)?
06-19-2018 11:58 AM
We currently have a PowerShell script that queries one of our EDR solutions and returns all data for the specified host.
Essentially the format is like: powershell.exe script.ps1 -Host HostA
I was hoping it might be possible to incorporate this script into Splunk so we can do this from within Splunk, unlike at the moment where we always have a PowerShell window open.
Is what I want possible? I have come across a number of articles for PowerShell/Splunk but they all seem to be set up as 'data inputs' (run the same script every few hours), whereas my use case is slightly different.
If it's possible, do you have any links or can you point me in the right direction?
06-17-2018 04:51 AM
We have an index that reads in log files from disk. Each log file is its own source under the index. I want to create a basic health dashboard that shows the source name and when the last event/log was received and, in a perfect world, turn red if the last log was received more than x hours ago.
I currently have this set up with a single dashboard for each source; however, I would like to try and consolidate into a single dashboard.
Any help would be amazing.
06-14-2018 07:59 AM
I have been trying to create a basic lookup within Splunk where we can search an IP and get back some information. The CSV I have is a list of all our various subnets alongside some other information. For example:
Range | Info
---|---
x.x.x.x/24 | CountryA
x.x.x.0/28 | CountryB
10.10.10.0/22 | CountryA_PrivateLan
I have added this config to the local app's transforms file:
[network_ranges]
filename = network_ranges.csv
min_matches = 1
default_match = NONE
match_type = CIDR(Range)
If I do the below search I get 0 results:
| inputlookup network_ranges where Range=10.10.10.10
The only way I get any results is if I match the CIDR string exactly, which obviously isn't helpful.
Any help would be greatly appreciated.
PS: At the moment this is just to be used to find further information for specific IPs, no short-term plans to use this information in 'traditional' search results.
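As an added example (not Splunk's code and not part of the original post), the CIDR containment that the match_type = CIDR(Range) stanza above is meant to provide, reproduced offline in Python beside the plain string equality that the inputlookup search performs; the CSV rows are constructed, since the post's own ranges are masked, and a more specific 10.10.10.0/24 row is added to show most-specific-first ordering:

```python
import csv
import io
import ipaddress

# Constructed stand-in for the post's network_ranges.csv (its rows are masked
# as x.x.x.x); a fourth, more specific row is added to show match ordering.
NETWORK_RANGES_CSV = """Range,Info
192.0.2.0/24,CountryA
198.51.100.0/28,CountryB
10.10.10.0/22,CountryA_PrivateLan
10.10.10.0/24,CountryA_ServerVlan
"""

DEFAULT_MATCH = "NONE"  # same value as default_match = NONE in the stanza


def load_ranges(csv_text):
    """Parse the CSV into (raw_range, network, info); rows with a bad CIDR are skipped.
    strict=False keeps 10.10.10.0/22 (host bits set) by normalising it to 10.10.8.0/22,
    so the raw string is retained alongside the parsed network."""
    ranges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Range"].strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue
        ranges.append((raw, net, row["Info"].strip()))
    return ranges


def exact_match(value, ranges):
    """String equality on the Range column: what the post's
    'where Range=10.10.10.10' does, so a host address never hits."""
    return [info for raw, _, info in ranges if raw == value]


def cidr_match(ip, ranges, max_matches=None):
    """Containment test, most specific prefix first; default_match fallback
    for addresses that hit nothing or cannot be parsed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [DEFAULT_MATCH]
    hits = sorted(((net, info) for _, net, info in ranges if addr in net),
                  key=lambda pair: pair[0].prefixlen, reverse=True)
    infos = [info for _, info in hits]
    if max_matches is not None:
        infos = infos[:max_matches]
    return infos or [DEFAULT_MATCH]


if __name__ == "__main__":
    ranges = load_ranges(NETWORK_RANGES_CSV)
    for probe in ("10.10.10.10", "198.51.100.5", "203.0.113.9"):
        print(probe, exact_match(probe, ranges), cidr_match(probe, ranges))
```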
06-13-2018 03:47 AM
Hi all
We have a dev instance of Splunk we are using for testing. Splunk is installed on a Windows box and the service is running under the Local System account. We have been trying to get Splunk to use our HTTP proxy with no luck. Below is what we have attempted so far:
server.conf file:
http_proxy=http://http-proxy-url:80
https_proxy=https://http-proxy-url:443
splunk-launch.conf:
http_proxy=http://http-proxy-url:80
https_proxy=https://http-proxy-url:443
None of the above have worked; when trying to browse Splunkbase from within Splunk we get the below error:
Error resolving: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
And here I have attached a couple of lines from the Splunk log:
splunkd.log
06-13-2018 11:32:16.446 +0100 INFO ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.
06-13-2018 11:32:16.446 +0100 INFO ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd. Please make sure that the https_proxy property is set as https_proxy=http://host:port in case HTTP proxying needs to be enabled.
Anyone got any ideas what we are doing wrong and how to fix it?
04-04-2017 06:27 AM
Got it working by changing the script path in inputs.conf (app specific) to [script://$SPLUNK_HOME\etc\apps\iSIGHTPartners_ThreatScape_App\bin\fetch_indicators.py 15]
04-04-2017 04:36 AM
I think I tracked down the error in the logs, which appears to be:
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_indicators.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_indicators.py 15"
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_iocs.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_iocs.py 15"
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_vulnerabilities.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_vulnerabilities.py 15"
Those scripts it's trying to launch are located in splunk_home\etc\apps\iSIGHTPartners_ThreatScape_App\bin
I have registered the paths using Splunk's envvars command/batch script.
04-04-2017 01:47 AM
Worth mentioning that my Splunk instance is running on Windows (dev instance).
04-04-2017 01:00 AM
I have installed the iSight Partners ThreatScape app in Splunk (latest version); however, I am not getting any data for the app.
The app has been installed correctly as I can see the indexes the app has created. I have also set the correct API keys and selected all the feeds I need.
I thought it may be a proxy issue; however, the host is able to connect to api.isightpartners.com without an issue.
The app has now been installed for more than a day and the index remains empty. Is there any way to 'debug' an app or view app-specific logs?