Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vrajshekar
vrajshekar
Path Finder
Member since:
05-26-2020
06-02-2021
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-26-2020 |
Activity Feed
- Posted Re: Indexing and parsing Azure AD logs on Getting Data In. 06-01-2021 09:17 PM
- Posted Indexing and parsing Azure AD logs on Getting Data In. 05-31-2021 06:32 AM
- Posted Extract fields from different security devices to a unified field format on All Apps and Add-ons. 06-11-2020 09:11 AM
- Posted Re: Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-03-2020 09:34 AM
- Posted Re: Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-03-2020 05:04 AM
- Posted Re: Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 11:18 PM
- Posted Re: Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 11:14 PM
- Posted Re: Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 09:10 AM
- Posted Re: Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 06-02-2020 09:00 AM
- Posted Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 08:51 AM
- Tagged Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 08:51 AM
- Tagged Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 08:51 AM
- Tagged Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 08:51 AM
- Tagged Demisto Add-on for Splunk: Search gets replaced with the value of the array and fails to run. on All Apps and Add-ons. 06-02-2020 08:51 AM
- Posted Re: Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 05-31-2020 09:14 PM
- Posted Re: Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 05-29-2020 09:22 AM
- Posted Re: Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 05-29-2020 06:49 AM
- Posted Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 05-29-2020 04:04 AM
- Tagged Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 05-29-2020 04:04 AM
- Tagged Splunk DB Connect & McAfee ePO integration: How to remove duplicate entries from a search on SQL DB? on All Apps and Add-ons. 05-29-2020 04:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-01-2021
09:17 PM
HI @venkatasri No additional fields being add from Syslog. Can I configure the inputs.conf to use sourcetype from 'Splunk Add-on for Microsoft Office 365', is this possible? If not, please let me know if you have any suggestions.
... View more
05-31-2021
06:32 AM
I am new to splunk, we are currently trying to configure Splunk to parse AzureAD logs being received from a Syslog server. I have installed multiple apps/add-ons, but none of them are helping me parse the logs. I have configured inputs.conf, and when I set the sourcetype from Add-on, it doesn't work. How can I achieve this. please help
... View more
Labels
06-11-2020
09:11 AM
I am currently planning to forwards logs from multiple security devices to Splunk Enterprise. I would like to know if its possible to extract fields from different log sources in a unified field format. For Eg: I forward logs from Firewall, Proxy and Endpoint Security products. Since different vendors would be following different naming conventions in their logs. Is it possible to standardize this when parsing and indexing. From all these device logs, i want certain important fields.
... View more
Labels
- Labels:
-
administration
-
development
06-03-2020
09:34 AM
@kamlesh_vaghela
Sample data below, hope this helps
DBotAvgScore array, this is available in the context data.
DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3
... View more
06-03-2020
05:04 AM
i am unable to share the sample data here for some reason.
... View more
06-02-2020
11:18 PM
Below is DBotAvgScore array, that is present in the context data
DBotAvgScore:[] 9 items
0:{} 2 items
Indicator:204.79.197.200
Score:3
1:{} 2 items
Indicator:13.107.18.254
Score:2
2:{} 2 items
Indicator:117.18.237.29
Score:3
3:{} 2 items
Indicator:13.107.21.200
Score:3
4:{} 2 items
Indicator:104.16.133.229
Score:2
5:{} 2 items
Indicator:35.241.8.149
Score:2
6:{} 2 items
Indicator:52.88.91.154
Score:2
7:{} 2 items
Indicator:104.17.211.204
Score:2
8:{} 2 items
Indicator:209.197.3.15
Score:3
... View more
06-02-2020
11:14 PM
Hi @kamlesh_vaghela
I tried this and it did not work, > DBotAvgScore.Indicator is array that is present in the Context data of Demisto.
Splunk Search on demisto threw an error.
... View more
06-02-2020
09:10 AM
The error is get is
Error in 'SearchParser': Missing a search command before '"'. Error at position '95' of search query 'search source="squid" clientip="xxxx" serv...{snipped} {errorcontext = er_ip IN(["204.79.197}'.
... View more
06-02-2020
09:00 AM
Working query
SELECT [EPOEvents].[ReceivedUTC] AS [timestamp],
[EPOEvents].[AutoID],
[EPOEvents].[ThreatName] AS [signature],
[EPOEvents].[ThreatType] AS [threat_type],
[EPOEvents].[ThreatEventID] AS [signature_id],
[EPOEvents].[ThreatCategory] AS [category],
[EPOEvents].[ThreatSeverity] AS [severity_id],
[EPOEvents].[DetectedUTC] AS [detected_timestamp],
[EPOEvents].[TargetFileName] AS [file_name],
[EPExtendedEvent].[SourceHash] AS [SourceHash],
[EPExtendedEvent].[SourceParentProcessHash] AS [SourceParentProcessHash],
[EPExtendedEvent].[SourceProcessHash] AS [SourceProcessHash],
[EPExtendedEvent].[TargetHash] AS [TargetHash],
[EPOEvents].[AnalyzerDetectionMethod] AS [detection_method],
[EPOEvents].[ThreatActionTaken] AS [vendor_action],
[EPOEvents].[TargetUserName] AS [logon_user],
[EPOComputerProperties].[DomainName] AS [dest_nt_domain],
[EPOEvents].[TargetHostName] AS [dest_dns],
[EPOEvents].[TargetHostName] AS [dest_nt_host],
[EPOComputerProperties].[IPHostName] AS [fqdn],
CAST([EPOEvents].[ThreatHandled] AS int) AS [threat_handled],
[dest_ip] = ( convert(varchar(3),
convert(tinyint,
substring(convert(varbinary(4),
convert(bigint,
([EPOComputerProperties].[IPV4x] + 2147483648))),
1,
1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] AS [dest_netmask], [EPOComputerProperties].[NetAddress] AS [dest_mac], [EPOComputerProperties].[OSType] AS [os], [EPOComputerProperties].[OSVersion] AS [os_version], [EPOComputerProperties].[OSBuildNum] AS [os_build], [EPOComputerProperties].[TimeZone] AS [timezone], [EPOEvents].[SourceHostName] AS [src_dns], [src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[SourceMAC] AS [src_mac], [EPOEvents].[SourceProcessName] AS [process], [EPOEvents].[SourceURL] AS [url], [EPOEvents].[SourceUserName] AS [source_logon_user], [EPOEvents].[AnalyzerName] AS [product], [EPOEvents].[AnalyzerVersion] AS [product_version], [EPOEvents].[AnalyzerEngineVersion] AS [engine_version], [EPOEvents].[AnalyzerDATVersion] AS [dat_version], [EPOProdPropsView_THREATPREVENTION].[verDAT32Major] AS [TP_dat_version], [EPOProdPropsView_THREATPREVENTION].[verEngine32Major] AS [TP_engine32_version], [EPOProdPropsView_THREATPREVENTION].[verEngine64Major] AS [TP_engine64_version], [EPOProdPropsView_THREATPREVENTION].[verHotfix] AS [TP_hotfix], [EPOProdPropsView_THREATPREVENTION].[ProductVersion] AS [TP_product_version]
FROM [EPOEvents] LEFT JOIN [EPOLeafNodeMT] ON EPOEvents.AgentGUID = [EPOLeafNodeMT].[AgentGUID] LEFT JOIN [EPOEventFilterDesc] ON EPOEvents.[ThreatEventID] = [EPOEventFilterDesc].[EventId] AND ([EPOEventFilterDesc].[Language]='0409') LEFT JOIN [EPOComputerProperties] ON EPOLeafNodeMT.AutoID = [EPOComputerProperties].[ParentID] LEFT JOIN [EPOProdPropsView_THREATPREVENTION] ON EPOLeafNodeMT.AutoID = [EPOProdPropsView_THREATPREVENTION].[LeafNodeID] LEFT JOIN [EPExtendedEvent] ON [EPOEvents].[AutoID] = [EPExtendedEvent].[EventAutoID]
ORDER BY [EPOEvents].[DetectedUTC] asc
... View more
06-02-2020
08:51 AM
I have integrated Splunk with Demisto. I am trying to run the below search from Demisto:
source="squid" clientip="xxx" | where server_ip IN(${DBotAvgScore.Indicator}) | stats count by server_ip
DBotAvgScore.Indicator is an array that contains the below values
["204.79.197.200","13.107.18.254","117.18.237.29","13.107.21.200","104.16.133.229","35.241.8.149","52.88.91.154","104.17.211.204","209.197.3.15"]
The search gets replaced with the value of the array and fails to run because of '['.
I am stuck here. I would appreciate any help.
... View more
Labels
- Labels:
-
search
05-31-2020
09:14 PM
@PavelIP Just edited the comment, moderator removed the question since they are already addressing the same issue in the other post.
... View more
05-29-2020
09:22 AM
Thanks,
I've posted there as well.
Refer to the links below:
https://community.mcafee.com/t5/ePolicy-Orchestrator/McAfee-sql-db-duplicate-entries/m-p/659074#M72631
... View more
05-29-2020
06:49 AM
Nope. That was the first thing I checked.
EPOEvents has 39 rows and EPExtendedEvent has 39 rows.
When I run
select * from EPOEvents, EPExtendedEvent
It return 1521 rows.
... View more
05-29-2020
04:04 AM
I have integrated McAfee ePO 5.10 with Splunk 8.0.3 using DB-connect. I am seeing a lot of duplicate entries when I run the search below on SQL DB.
In the EPO-Events table, I only have 39 rows, whereas when I run this search it turns out to be 1,521 rows. Could someone please help? I am new to this.
SELECT [EPOEvents].[ReceivedUTC] AS [timestamp],
[EPOEvents].[AutoID],
[EPOEvents].[ThreatName] AS [signature],
[EPOEvents].[ThreatType] AS [threat_type],
[EPOEvents].[ThreatEventID] AS [signature_id],
[EPOEvents].[ThreatCategory] AS [category],
[EPOEvents].[ThreatSeverity] AS [severity_id],
[EPOEvents].[DetectedUTC] AS [detected_timestamp],
[EPOEvents].[TargetFileName] AS [file_name],
[EPOEvents].[AnalyzerDetectionMethod] AS [detection_method],
[EPOEvents].[ThreatActionTaken] AS [vendor_action],
CAST([EPOEvents].[ThreatHandled] AS int) AS [threat_handled],
[EPOEvents].[TargetUserName] AS [logon_user],
[EPOComputerProperties].[UserName] AS [user],
[EPOComputerPropertiesMT].[DomainName] AS [dest_nt_domain],
[EPOEvents].[TargetHostName] AS [dest_dns],
[EPOEvents].[TargetHostName] AS [dest_nt_host],
[EPOComputerPropertiesMT].[IPHostName] AS [fqdn],
[dest_ip] = ( convert(varchar(3),
convert(tinyint,
substring(convert(varbinary(4),
convert(bigint,
([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),
1,
1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerPropertiesMT].[SubnetMask] AS [dest_netmask], [EPOComputerPropertiesMT].[NetAddress] AS [dest_mac], [EPOComputerPropertiesMT].[OSType] AS [os], [EPOComputerPropertiesMT].[OSVersion] AS [os_version], [EPOComputerPropertiesMT].[OSBuildNum] AS [os_build], [EPOComputerPropertiesMT].[TimeZone] AS [timezone], [EPOEvents].[SourceHostName] AS [src_dns], [src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[SourceMAC] AS [src_mac], [EPOEvents].[SourceProcessName] AS [process], [EPOEvents].[SourceURL] AS [url], [EPOEvents].[SourceUserName] AS [source_logon_user], [EPOEvents].[AnalyzerName] AS [product], [EPOEvents].[AnalyzerVersion] AS [product_version], [EPOEvents].[AnalyzerEngineVersion] AS [engine_version], [EPOEvents].[AnalyzerDATVersion] AS [dat_version], [EPExtendedEvent].[SourceHash], [EPExtendedEvent].[SourceParentProcessHash], [EPExtendedEvent].[SourceProcessHash], [EPExtendedEvent].[TargetHash], [EPOProdPropsView_THREATPREVENTION].[verDAT32Major] AS [TP_dat_version], [EPOProdPropsView_THREATPREVENTION].[verEngine32Major] AS [TP_engine32_version], [EPOProdPropsView_THREATPREVENTION].[verEngine64Major] AS [TP_engine64_version], [EPOProdPropsView_THREATPREVENTION].[verHotfix] AS [TP_hotfix], [EPOProdPropsView_THREATPREVENTION].[ProductVersion] AS [TP_product_version]
FROM "ePO_INSTANCE-1"."dbo"."EPOEvents", "ePO_INSTANCE-1"."dbo"."EPOProdPropsView_THREATPREVENTION", "ePO_INSTANCE-1"."dbo"."EPOComputerPropertiesMT", "ePO_INSTANCE-1"."dbo"."EPOComputerProperties", "ePO_INSTANCE-1"."dbo"."EPExtendedEvent"
ORDER BY AutoID ASC
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-02-2021
03:54 AM
|
