-
4 years, 7 months ago
riparino wrote a new post
Primary Search for Local Domain Controller Exploitation by Zerologon
index=”” (sourcetype=”” OR source=”windows_source_security”) EventCode=”4742″ OR EventCode=”4624″ AND (src_user=”*anonymous*” OR […] -
4 years, 9 months ago
riparino wrote a new post
TAP Dashboard
Direct pull from TAP APISelect Time
@d
nowQuarantine Trends […]
-
4 years, 11 months ago
riparino wrote a new post
This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that […]
-
4 years, 11 months ago
riparino wrote a new post
Primary Dashboards
Contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you utilize (ie. 0001 – AlertName).You will need an […]
-
4 years, 11 months ago
riparino wrote a new post
F5 SL ASM iRule Parser for Hosted Deploymentssourcetype=f5:silverline:asm irule=* vs_ip=* | rex “(?.*)” | eval log_stripped = replace(log, “\”,””) | rex field=log_stripped “data=”(?.*?)”, irule=” | spath input=data_section
-
4 years, 11 months ago
riparino wrote a new post
Groundspeed Violation/Improbable AccessOftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however […]
-
4 years, 11 months ago
riparino commented on the post, Show your triggered alerts
In reply to: Azeemering wrote a new post This search shows all the alerts that where triggered in your splunk environment: index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert […] ViewI re-read the title and got the right context for it now. Ty.
-
4 years, 11 months ago
riparino commented on the post, Show your triggered alerts
In reply to: Azeemering wrote a new post This search shows all the alerts that where triggered in your splunk environment: index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert […] ViewThis only measures triggered alerts though, no? If you do not have an action set to trigger a “Triggered Alert”, this won’t give back correct stats.
-
4 years, 12 months ago
riparino wrote a new post
Multiple Users with Authentications from Singular, non-Whitelisted IP
Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particular useful during COVID-19 WFH […] -
5 years ago
riparino became a registered member
-
5 years ago
riparino became a registered member
Hello Deari saw your profile and became interested in you, my name is Marie Cooper i am working with united State Army, i will like to have a friend like you,i have something to share with you, please email me through (coopermarie442@gmail.com) for more information about me, i will check my mail to know if you have contacted me because i am…[Read more]