cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
maiks1
Engager
Member since: ‎03-02-2023
yesterday
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎03-02-2023
Activity Feed
View All

2 values for "User" field being shown.

by in Splunk Search
yesterday
yesterday
Hi all! I'm currently trying to create a RDP session analysis dashboard.  I'm using sysmon eventlogs, specifically Event-ID "3" to create a SPL query that shows traffic on port 3389 with a few filters. I only want to see usernames that are existing in the windows domain.   index=windows source=sysmon DestinationPort=3389 EventCode=3 Image!="C:\Program Files\RANDOMAPP*" | rename User as SourceUser | search SourceUser!="NT AUTHORITY\NETWORK SERVICE" SourceUser!="NT-AUTHORITY\Network Service" SourceUser!="NT-AUTHORITY\SYSTEM" | stats count by SourceUser Image SourceHostname DestinationHostname SourceIp DestinationIp DestinationPort | sort - count   Since last week, the "Image" value has unexpectedly started appearing in the "User" field in all events. Why is this happening and how can I prevent it from appearing in the "User" field?    When I add the following query, no events are displayed. Could it be that the "User" field is getting mixed up with the "Image" field?   User!=Windows\* User!="Program Files*"   Also, if you check the events, you can see 2 events being displayed for “User” Sorry for the bazilion questions, but I'm starting to get a bit frustrated here 😅 Thanks in advance for your help and have a great day!       ... View more
Labels

Splunk Cloud Universal Forwarder Network Telemetry...

by in Getting Data In
‎03-02-2023 01:13 AM
‎03-02-2023 01:13 AM
Hi all! I'm currently struggling to ingest network telemetry from windows endpoints/servers into Splunk Cloud. We've installed Splunk's Universal Forwarder on each instance. SysMon Logs and basic Windows events that you can tick in the setup of UF are also being forwarded already.  Isn't the UF also supposed to capture network data? If that's not the case, what's best practice or what method do you use? We want to monitor unusual spikes in network traffic and be able to see what client it is and where it's sending its data to. I already opened 2 support tickets but I've gotten no response in over a week now. That's why I'm trying it here now. Hope you're having a great day and thanks in advance for your help. -Maik  ... View more
Contact Me
Online Status
Offline
Date Last Visited
yesterday
Karma given to
View All