Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mjuestel2
mjuestel2
Path Finder
Member since:
03-04-2020
10-02-2024
Community Statistics
| Posts | 15 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 03-04-2020 |
Activity Feed
- Posted Documentation for SA-AccessProtection / DA-ESS-AccessProtection on Splunk Enterprise Security. 10-02-2024 07:53 AM
- Tagged Re: Single Splunk command to generate dummy data that can be run in the search bar on Getting Data In. 01-16-2024 07:56 AM
- Tagged Re: Single Splunk command to generate dummy data that can be run in the search bar on Getting Data In. 01-16-2024 07:56 AM
- Posted Re: Single Splunk command to generate dummy data that can be run in the search bar on Getting Data In. 01-16-2024 07:54 AM
- Posted Risk Analysis Dashboard - Risk Modifiers by Annotations on Splunk Enterprise Security. 10-12-2023 12:40 PM
- Got Karma for Re: .conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas. 08-11-2023 08:09 AM
- Karma Re: Creating an EVAL for a field if it does not exist for gcusello. 08-08-2023 01:51 PM
- Karma Re: How to create an eval for a field if it does not exist? for woodcock. 08-08-2023 01:50 PM
- Posted Re: .conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas on Community Blog. 08-08-2023 01:38 PM
- Posted How to create an eval for a field if it does not exist? on Getting Data In. 04-13-2023 01:20 PM
- Posted Re: Data Models and incomplete source data on Splunk Search. 02-22-2023 08:59 AM
- Karma Re: Data Models and incomplete source data for VatsalJagani. 02-22-2023 08:02 AM
- Posted Re: Data Models and incomplete source data on Splunk Search. 02-22-2023 08:01 AM
- Posted Data Models and incomplete source data on Splunk Search. 02-22-2023 07:03 AM
- Karma Re: How to write a field aliases using the EVAL command for a firewall device. for richgalloway. 02-21-2023 02:28 PM
- Posted Security Essentials - Why is a large percentage of content appearing under Any Splunk Logs? on All Apps and Add-ons. 08-23-2022 08:28 AM
- Tagged Security Essentials - Why is a large percentage of content appearing under Any Splunk Logs? on All Apps and Add-ons. 08-23-2022 08:28 AM
- Tagged Security Essentials - Why is a large percentage of content appearing under Any Splunk Logs? on All Apps and Add-ons. 08-23-2022 08:28 AM
- Posted Re: SPL for average user events per unique user, per day over a 14 day period (exclude weekends) on Splunk Search. 03-02-2022 10:51 AM
- Posted SPL: How to calculate the average user events per unique user, per day over a 14 day period (exclude weekends)? on Splunk Search. 03-02-2022 08:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-02-2024
07:53 AM
Greetings, I found some useful savedsearches under SA-AccessProtection / DA-ESS-AccessProtection, which I am interested in using. However, I'd like to understand these use-cases before making them live. Are these apps and their content documented somewhere? So far, I have not had any luck. Thanks!
... View more
Labels
01-16-2024
07:54 AM
I believe the command you are looking for is scrub. I attended .Conf last year where an instructor used this command to replace "real data" with dummy information, while keeping the format of the data. This command comes in useful when wanting to anonymize the data, when passing it on to a 3rd party etc. I use it when pasting data into 3rd party websites, to work on Regex extractions. |scrub
... View more
10-12-2023
12:40 PM
Hello: I recently started playing with the Risk framework, RBA etc. Most of my Risk Analysis dashboard is working within Enterprise Security - except for three (3) sections: Risk Modifiers By Annotations Risk Score By Annotations Risk Modifiers By Threat Object For the annotations part - we do manually tag Mitre Attack tactics within our content, so not sure why these panels do not show anything. Also, does anyone know what savedsearches run in the background to populate these panels? I'd like to double check to make sure I have these enabled. Thanks!
... View more
Labels
08-08-2023
01:38 PM
1 Karma
I enjoyed taking the beta exam. Do you have an idea when roughly the final pass / fail results will be available for this cert?
... View more
04-13-2023
01:20 PM
I am in the process of normalizing data, so I can apply it to a data model. One of the fields which is having issues is called user. I have user data in some logs, while other logs have an empty user field - but do have data in a src_user field.
Tried using the coalesce command - but that does not seem to work.
EVAL-user = coalesce(user, src_user)
Is it because I am trying to reference the user field? Are there any other work arounds to create a user field when it is empty and filling data from src_user ? Remember, some logs have valid data in the user field. Others have no data.
Thanks!
... View more
Labels
- Labels:
-
data
-
field extraction
02-22-2023
08:59 AM
This is what I wanted to confirm... Again, I'm new to this whole data model thing - and was looking for best practices around some of these issues I've been coming across. Thanks for getting back with me!
... View more
02-22-2023
08:01 AM
Thanks for your reply... not sure how your response will be help me. The Windows TA is already filling-in "null" for the src field. I was wondering if that is a valid result for a data model? I'm looking at this from an investigative perspective - if a Security Analyst were to pull up the auth data model and look for failed logins, and sees events with a src of null. They would only know the dest server, user etc. - and not be able to see where these authentication events originated from. That is what I am trying to better understand... is there a way to "complete the picture"? A best practice around this?
... View more
02-22-2023
07:03 AM
Greetings, I'm finally tackling the topic of data models within my organization, and am coming across situations I am needing to solve for. 1. Windows authentication data which has a null values in the src field, due to the type of authentication taking place. I understand that field aliasing comes into play, and I tried that - however, I tried aliasing a calculated field, which does not work of course. Now, I am having to go back to see if there is another field I can alias instead. I guess my ask with this post here is to get some strategies from other Splunk users who have tackled data cleanup and data models. Are null values acceptable for certain situations? Or, must every required data model field be complete? Such as action, app, dest, src, user etc.? I appreciate some feedback regarding this topic.
... View more
Labels
- Labels:
-
other
08-23-2022
08:28 AM
I am in the process of mapping our use-cases that we have within Splunk / Enterprise Security to Mitre, and am also trying to organize them a bit.
I'm using Splunk Security Essentials 3.6 and have a question concerning Any Splunk Logs.
On the Content Introspection screen - some of my use-cases are organized into different categories such as AWS, Application Load Balance, Authentication, Anti-virus etc.
However, a large percentage of my content just appears under the Any Splunk Logs heading - how can I change this??
I even went back to the Data Inventory screen... and manually defined some of the indexes and sourcetypes to other categories, but nothing has changed.
Help!!
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
03-02-2022
10:51 AM
I'm not using Windows events - but I was able to get your query to run. Mine looks more like: index=stuff sourcetype=more:stuff InterestingField=authorized earliest=-14d&d latest=now | eval time_wday=strftime(_time,"%A") |search NOT (time_wday="saturday" OR time_wday="sunday") | stats count BY User_Name Results are: User_Name Count User1 600 User2 55 User3 4321 etc. If we use User1 where a count of 600 is returned - we can assume over the last 14 days (excluding weekends) - the user logged-on 60 times per day. I want to trigger an event if that user now exceeds 10% of his daily count. So... 66 events per day or more. My thoughts are I can show those users based on the following: | where count>=1.1*dailyAverage I'm just missing the dailyAverage part.
... View more
03-02-2022
08:45 AM
All,
I need some help on a problem I am trying to solve.
Problem: I need to calculate the average user events per unique user, per day over a 14 day period (excluding weekends).
Basically, we have users logging into a system and I want to see if a threshold of say 10% or more is reached that is outside of the norm for a particular user. The output would then list the username who is in violation of the above.
Thanks for any guidance...
... View more
- Tags:
- spl
- splunk-search
03-04-2020
12:58 PM
I believe the future is to make Phantom the single-pane of glass. We too have ES and Phantom, and are trying to best figure out how to best leverage these products.
... View more
03-04-2020
12:50 PM
I would also take a hard look at your existing playbooks, to see where they are failing. Might be time to optimize them further and follow best practices.
... View more
03-04-2020
12:47 PM
We have an unlimited user license, so I cannot comment on Q2.
However, for every user who you setup on Phantom is indeed counted- even though you are using external auth.
When you create a user, you are doing it on Phantom itself. Only difference is that this user is either marked as a local account, automation account or you are using external auth such as SAML or LDAP etc.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-02-2024
05:36 PM
|
