I edited .my answer and fixed it. Try it now. ... View more

See here (don't forget to UpVote): https://answers.splunk.com/answers/740480/how-to-compare-characters-in-two-fields-and-return.html https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html ... View more

Hello @wenthold , The solution is a bit more complicated that I thought 🙂 But it works perfectly fine. Thanks for the help! ... View more

It's definitely helpful! Looks like that it's definitely the case where OpsGenie and ES don't work together. I took a look at the internal logs and when the correlation searches invoke the opsgenie app, it fails: ERROR sendmodalert - Error in 'sendalert' command: Alert action "opsgenie" not found. ... View more

Hi Check with CLEAN_KEYS setting in props.conf, if it can help. Thanks ... View more

ah, i figured it out. I'm suppose to custom instead of computer. Thanks, ... View more

Gorgeous! Thanks for the help. ... View more

Yep, that's work! I tried the query with simple signature_id!=4771 condition and not Authentication.signature_id!=4771 😞 Thanks for the help! ... View more

Gorgeous ! That's exectly what we were searching for. Thanks for the help! ... View more

you mean this? https://splunkbase.splunk.com/app/4336/#/details ... View more

We will really appreciate the help. Here’s some simple logs, I just modified some private information, like customer ID or domain name. Nov 2 12:50:14 sc-1456400473-logforwardercomp-5bce225a53cefb004074a882-59fm5sn logforwarder[24] analytics,agent_data,,AgentTimelineEvent,hash,2018-11-02T12:49:45.267329700Z,2018-11-02T12:50:08.656Z,2018-11-02T12:49:45.267329700Z,60,,TrapsAgent,1111111173,6857076101111111111,coreop-f-prodb2-mnmauto123123123123-1234.prod.brz,2.0.6,70,1,6aaaaaaaaaaaa5da86ada7b4c6b01504,1,0,6.1.7601,1,123.123.123.123,wks123,abcdef.fr,,,5.0.3.38921,36-4887,0,7777777777aaaaaaaaaa157092d94eb18c2a73a0a49beeaaaaaaaaaaa30e86a2,dll,,2018-11-02T12:49:45.267329700Z,comdlg32.dll,\?\C:\Windows\SysWOW64\,485888,"{""contentVersion"":""36-4887"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""Microsoft Windows""],""resultId"":0,""trustedId"":0}",0,0,16159 Nov 2 08:59:06 sc-1456400473-logforwardercomp-5bce225a53cefb004074a882-59fm5sn logforwarder[24] threat,threat,,AgentSecurityEvent,2018-11-02T08:16:15.144216600Z,2018-11-02T08:58:55.998Z,2018-11-02T08:16:15.144216600Z,60,,TrapsAgent,1111111173,6857076101111111111,coreop-f-prodb2-mnmauto123123123123-1234.prod.brz,2.0.6,70,1,6aaaaaaaaaaaa5da86ada7b4c6b01504,1,0,6.1.7601,1,123.123.123.123,wks456,abcdef.fr,0,2,5.0.3.38921,36-4887,0,a1866535ef474c2f869865f09x111111,COMPONENT_EPM_J01,ExploitModules,CYSTATUS_JIT_EXCEPTION,,reported,0,,,0,0,"[""CreateProcessA"",""2""]",0,-1,0,"[{""pid"":6952,""parentId"":2724,""exeFileIdx"":0,""userIdx"":0,""commandLine"":""\""C:\Users\user_1234\AppData\Abcdabcd\aaaaaaaaaaaaaa\firefox.exe\"" ""}]","[{""rawFullPath"":""C:\Users\user_1234\AppData\Abcdabcd\aaaaaaaaaaaaaa\firefox.exe"",""fileName"":""firefox.exe"",""sha256"":""70225F14A28007815B0410B1F41F7EA6A16B6329FD69F7EC0638A1A1A1A1A1A1"",""fileSize"":531408,""signers"":[""Mozilla Corporation""]}]","[{""userName"":""user_1234"",""userDomain"":""abcdef.fr""}]",[],Memory Corruption Exploit The log’s format is described on Paloalto website. Thanks for the help! ... View more

Create the lookup just like you mapped it in your question and then follow the docs. http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents Particularly the section "Make the lookup automatic" In your case, like i stated before you'll have to define the 3 input fields and the 1 output field. ... View more

Hello @AlexeySh.....no worries....glad you were able to get an answer. ... View more

Great! Thanks for the help. ... View more

Probably the easiest way to solve the issue. Will try it. Thanks for the advice! ... View more

Hello @kchamplin [Splunk], Sure, here is some detection we had recently: widoobiz.com – broadcast Media mon-poeme.fr – leisure website mlsend.com – business communication safelinks.protection.outlook.com – webmail gandi.net – domain name management Fortunately, we do not have a huge volume of false positives, but still there is always some legitimate websites detected every week including a new ones so it’s kind of hard to whitelist. Regards, Alexey. ... View more

Thanks for your help @Frank! ... View more

Great! That's exactly what a was searching for. Thanks for your help! ... View more

Hello, Unfortunately, there is no solution. Or at least I didn't find one. Things looks much better with the last TA-Qualys version (1.3.2), but it's still an issue. Regards, Alex. ... View more

Hi @Lindaiyu That's what I was searching for for a weeks. You're a lifesaver 🙂 Thanks for the help. ... View more