Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mdicenzo
mdicenzo
Explorer
Member since:
07-11-2022
09-12-2023
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 07-11-2022 |
Activity Feed
- Karma Re: Trigger Password Reset alarm by Admin by Distinct count of targets for yuanliu. 09-12-2023 07:30 AM
- Karma Re: Trigger Password Reset alarm by Admin by Distinct count of targets for yuanliu. 09-12-2023 07:30 AM
- Karma Re: Trigger Password Reset alarm by Admin by Distinct count of targets for yuanliu. 09-12-2023 07:30 AM
- Posted Re: Trigger Password Reset alarm by Admin by Distinct count of targets on Splunk Search. 09-11-2023 07:38 AM
- Posted Re: Trigger Password Reset alarm by Admin by Distinct count of targets on Splunk Search. 09-08-2023 07:14 AM
- Posted How to Trigger Password Reset alarm by Admin by Distinct count of targets? on Splunk Search. 09-06-2023 06:46 AM
- Posted Re: How do you set up a GET Workflow Action that links a field directly to an event on an AV web interface? on Knowledge Management. 08-17-2022 05:49 AM
- Karma Re: How to exclude notable events from triggering using erex? for richgalloway. 08-04-2022 10:36 AM
- Posted Re: How to exclude notable events from triggering using erex? on Splunk Search. 08-04-2022 09:10 AM
- Karma Re: How to exclude notable events from triggering using erex? for richgalloway. 08-04-2022 09:10 AM
- Tagged How to exclude notable events from triggering using erex? on Splunk Search. 08-04-2022 07:55 AM
- Posted How to exclude notable events from triggering using erex? on Splunk Search. 08-04-2022 07:51 AM
- Posted Re: Variable Substitution not working in drill down searches on Splunk Enterprise Security. 07-20-2022 08:06 AM
- Posted Re: Variable Substitution not working in drill down searches on Splunk Enterprise Security. 07-20-2022 07:24 AM
- Posted How to use variable names in notable events? on Splunk Enterprise Security. 07-11-2022 09:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-11-2023
07:38 AM
Thanks for the feedback. This worked for me!
... View more
09-08-2023
07:14 AM
Hello, Thanks for the feedback. I will be more specific next time. I wasn’t aware of the dc (distinct count) option in search. In the example you provided, how would I alert in which the dc has a count of over 5? Thank You
... View more
09-06-2023
06:46 AM
I want to essentially trigger an alarm if a user changes the password of multiple distinct user accounts within a given period of time.
I was able to start with the search below, which provides me a count of distinct user account change grouped by the source user.
When I try to apply a threshold logic to it, it doesn't appear to work. source="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | stats count(Target_Account_Name) by Subject_Account_Name
... View more
- Tags:
- splunk search
Labels
- Labels:
-
count
08-17-2022
05:49 AM
I am trying to do this same thing. Can you clarify what you did to get this to work? The field name is URL and the string already has https so I was trying to just put $!URL$ in the url link configuration.
... View more
08-04-2022
09:10 AM
This is eventually how I did this. Thank you for the help!
... View more
08-04-2022
07:51 AM
We have notable events for when a user is created on multiple devices. Most of them are expected for when devices are imaged.
I want to use erex to create a suppression for like accounts. They typically have the same beginning and are followed by 2 numbers. Example would ituser23, ituser24, ituser25.
I am using the search below for testing
index=notable source="Endpoint - Anomalous User Account Creation - Rule" | erex user examples="ituser23, ituser24, ituser25"
I am still getting user accounts that are unrelated such as phone or tablet.
When I look at the recommended regex it seems like it is not being granular enough.
... View more
- Tags:
- erex
Labels
- Labels:
-
search job inspector
07-20-2022
08:06 AM
So originally I tried to have this as the correlation search index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS Display_Name | rename body.properties.userPrincipalName AS Email | stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name | eval dd="index=o365 sourcetype=mscs:azure:eventhub body.operationName=\"User Risk Detection\" body.properties.riskLevel=high \"body.properties.userDisplayName\"=".Display_Name The drill down was then search $dd$. The problem is that the value in Display_Name needs quote for the search to work and I cannot seem to get that to work properly for .Display_Name. If I have a correlation search of index=o365 sourcetype="mscs:azure:eventhub" "body.operationName"="Risky user" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS Display_Name | rename body.properties.userPrincipalName AS Email | stats values(body.operationName) AS Operation_Name, count AS result BY Display_Name And a drill down of index=o365 sourcetype=mscs:azure:eventhub body.operationName="User Risk Detection" body.properties.riskLevel=high "body.properties.userDisplayName"=$Display_Name$ will that work?
... View more
07-20-2022
07:24 AM
I am struggling with the same thing, have you resolved this issue?
... View more
07-11-2022
09:14 AM
I am trying to include dynamic names for a notable event that I have triggering. When I try to use $variable$ it just shows that and does not pull the field value.
My search:
index = o365 sourcetype="mscs:azure:eventhub" body.operationName="User Risk Detection" "body.properties.riskLevel"=high | rename body.properties.userDisplayName AS "Display Name"
My Name:
Office 365 Risky User Detected - $Display Name$
Can anyone help?
... View more
- Tags:
- splunk-search
Labels
- Labels:
-
correlation search
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-12-2023
10:51 AM
|
