Hi guys, I'm working on a search that shows more that 10 accounts disabled within a five minute time frame. I feel like the dumbest girl on earth. I know my search works for the most part as the events tab shows the exact amount of events that occurred within that period of time, however, the statistics tab does not display a table: index=wineventlog EventCode=4725 | bin span=5m _time | stats count(user), values(user) by _time EventCode | where count > 10 I also tried index=wineventlog EventCode=4725 | bin span=5m _time | table user, Time  | search count > 10 Any help would be much appreciated. Thanks   ... View more

Hi guys, I'm trying to create a search that triggers an alert every time a user has been signed out of their o365 session, however, I am unable to identify which is the correct workload. I'd like to clarify that I currently do not have access to the o365 splunk add-on (and it probably won't be installed anytime soon). Which workload do I need to use if I need to identify activity performed in the o365 admin portal? I initially thought it would be index=o365 sourcetype=o365:management:activity Workload=SecurityComplianceCenter but it doesn't seem to show me anything related to sessions that have been signed out. Any useful feedback would be much appreciated.   Thanks! ... View more

Hi guys,   I'm going crazy and I'm completely lost. I'm trying to create a query that displays concurrent connections. I understand that this has been previously asked but what seemed to be the solution or "most popular" answer didn't work for me and seemed to be too complicated. I'm trying to create a search that finds concurrent connections and then creates a table with the time, user and when the concurrency occurred. I know I am missing something because even though I get no errors, I see a message saying "572781 events were ignored due to missing or invalid start or duration fields." This is my search index=fw tag=vpn |eval "start"=cisco_vpn_start |eval "start"=ftnt_fgt_vpn_start |eval "stop"=cisco_vpn_end |eval "stop"=ftnt_fgt_vpn_end |eval "total_time"=start-stop | concurrency duration=total_time | timechart span=5m max(concurrency) as concurrency | where concurrency > 0 | table concurrency, user, _time   Explained, we basically have to vpns Duration: the total time from when one session starts until it ends. Concurrency: measures the number of events which have spans that overlap with the start of each event. I'm using 5 minutes as a time span and I want it to display the events where there is at least one concurrent connection. My brain is fried and I can't figure out what I'm doing wrong. I've been biting my nails and I think I peeled off all my nail polish. Any help would be greatly appreciated.   ... View more

I'm trying to get better visibility of our PowerShell activity in one of my boxes (cola182) so I enabled process Auditing (EventCode 4688) - Which is working perfectly fine. However, when I attempted to enable Module Logging (4103)  and Script Block Logging (4104) it doesn't seem like I am receiving these logs. I went to Policy Editor > Computer Configuration > Windows Components > Powershell logging and made sure that the following were enabled (literally the 3 of them are showing as enabled): Turn on Module Logging Turn on PowerShell Script Block Logging Turn on PowerShell transcription. I ran a crappy little test.ps1 script in cola182 in hopes that this activity would be reflected in my splunk logs: $alert = { "I like chicken salad sandwiches" } & $alert & $alert When I check splunk, I am able to see this activity,  but it doesn't come up under 4103   LogName=Windows PowerShell SourceName=PowerShell EventCode=800 EventType=4 Type=Information ComputerName=Cola182  TaskCategory=Pipeline Execution Details OpCode=Info RecordNumber=6578 Keywords=Classic Message=Pipeline execution details for command line: . ParameterBinding(Out-Default): name="InputObject"; value="I like chicken salad sandwiches"   As simple as my initial script is, technically it's a script block. Howcome I'm not able to see this activity? What am I missing? Thanks!   ... View more

Hi guys, I can see how this question comes across as dumb but I would like to remove duplicated entries from my ip_intel kv store. I understand the whole purpose of a kv_store is used for data that constantly gets updated. I am finding lots of duplicated IPs in my ip_intel kvstore and I'd like to know if there's a better way to do it than just  | inputlookup ip_intel | dedup ip I'd like to cleanup the file from duplicates and not just create a dedup search.     Thanks! 🙂   ... View more