Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About 0p3r4t0r8089
0p3r4t0r8089
Explorer
Member since:
03-15-2023
02-12-2024
Community Statistics
| Posts | 7 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 03-15-2023 |
Activity Feed
- Karma Re: How can limit the number of events shown on a table after using stats list for yuanliu. 02-12-2024 12:18 PM
- Posted Re: How can limit the number of events shown on a table after using stats list on Splunk Search. 02-12-2024 12:17 PM
- Karma Re: How can limit the number of events shown on a table after using stats list for yuanliu. 02-12-2024 12:15 PM
- Posted Re: How can limit the number of events shown on a table after using stats list on Splunk Search. 01-05-2024 03:23 PM
- Posted Re: How can limit the number of events shown on a table after using stats list on Splunk Search. 01-05-2024 03:18 PM
- Posted How can limit the number of events shown on a table after using stats list on Splunk Search. 01-04-2024 12:16 PM
- Posted Re: Stats / Eval to find results of email recipients who clicked a link on Splunk Search. 03-15-2023 09:31 AM
- Karma Re: Stats / Eval to find results of email recipients who clicked a link for ITWhisperer. 03-15-2023 09:31 AM
- Posted What stats/eval to use to find results of email recipients who clicked a link? on Splunk Search. 03-15-2023 08:14 AM
Topics I've Started
02-12-2024
12:17 PM
Yep, sorry about that. It wouldn't let me leave karma on the post I marked correct. Karma given for this one.
... View more
01-05-2024
03:23 PM
Thanks @yuanliu , Your search produced the output in the format they are looking for perfectly. As such, I will credit you with the correct answer (for my use). However, when using this same search in a dashboard, it only produces the latest event in the table output. The same query from the search app works just fine, I have no idea why... Any thoughts?
... View more
01-05-2024
03:18 PM
Thanks, PickleRick. Your advice is accurate but The output is sorting alphabetically and still includes more than 5 events for whatever reason. I've removed the second subsearch as mentioned, I should have caught that (I inherited this report). I'll keep testing your suggestions and see if I can make it do what they want.
... View more
01-04-2024
12:16 PM
I have a report that lists malware received by email that is part of a dashboard. Some months the list for each person can have dozens of events listed. Management would like to only show the latest 5 events for each person. I'm having difficulty finding a good way to accomplish this. Search: index="my_index" [| inputlookup InfoSec-avLookup.csv | rename emailaddress AS msg.parsedAddresses.to{}] final_module="av" final_action="discard" | rename msg.parsedAddresses.to{} AS To, envelope.from AS From, msg.header.subject AS Subject, filter.modules.av.virusNames{} AS Virus_Type | eval Time=strftime(_time,"%H:%M:%S %m/%d/%y") | stats count, list(From) as From, list(Subject) as Subject, list(Time) as Time, list(Virus_Type) as Virus_Type by To | search [| inputlookup InfoSec-avLookup.csv | rename emailaddress AS To] | sort -count | table Time,To,From,Subject,Virus_Type | head 5 Current Output: time - user1 - sender1@xyz.com - Subject1 - Virus_A time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_C time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - user2 - sender1@xyz.com - Subject1 - Virus_A time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_C time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - user3 - sender1@xyz.com - Subject1 - Virus_A time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_C time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B I'd like to limit it to the latest 5 events by user time - user1 - sender1@xyz.com - Subject1 - Virus_A time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_C time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - user2 - sender1@xyz.com - Subject1 - Virus_A time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_C time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B time - user3 - sender1@xyz.com - Subject1 - Virus_A time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_C time - - sender2@xyz.com - Subject1 - Virus_B time - - sender2@xyz.com - Subject1 - Virus_B Any help greatly appreciated! Thank you!
... View more
03-15-2023
09:31 AM
Thanks, @ITWhisperer ! That's exactly what I needed!
... View more
03-15-2023
08:14 AM
Hello,
I'm building a report to list all phishing and malware threat detections by sender, classification, and threat url. The data contains two types of events "clicksAllowed" and "clicksBlocked". I want to add a list of recipients if their click was allowed "clicksAllowed" and I'm struggling with how to structure my query. I'm currently trying to do this with stats and eval (I thought about using subsearch too maybe), hopefully, I'm on the right track but I can't figure out how to show only the recipients who clicked while still showing counts of how many clicks were allowed and blocked.
Current search (without who clicked):
index=tap sourcetype="pp_tap_siem" classification IN (phish, malware) threatStatus=active | eval time=strftime(_time,"%m/%d/%y @ %H:%M:%S") | stats earliest(time) AS First_Seen, latest(time) AS Last_Seen count(eval(eventType="clicksPermitted")) AS Clicks_Permitted, count(eval(eventType="clicksBlocked")) AS Clicks_Blocked, values(threatURL) AS TAP_Link BY sender, classification, url | table First_Seen, Last_Seen, classification, sender, Clicks_Permitted, Clicks_Blocked, AT_Risk_Users, url, TAP_Link | sort -Last_Seen
Output looks like:
First_Seen
Last_Seen
classification
sender
Clicks_Permitted
Clicks_Blocked
AT_Risk_Users
url
TAP_Link
03/14/23 @ 17:52:36
03/14/23 @ 17:52:36
phish
badguy@domain.com
1
1
list of 1 person here
hxxp://baddomain.com
hxxp://link_tothreatintel_webportal.com/uniqueguid
01/05/23 @ 12:34:44
01/05/23 @ 17:44:41
phish
badguy2@domain.com
39
3
list of 39 people here
hxxp://baddomain2.com
hxxp://link_tothreatintel_webportal.com/uniqueguid
01/18/23 @ 15:43:20
02/16/23 @ 22:46:19
malware
badguy3@domain.com
4
0
list of 4 people here
hxxp://baddomain.com
hxxp://link_tothreatintel_webportal.com/uniqueguid
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-12-2024
05:35 PM
|
