-
5 years, 7 months ago
jwalzer commented on the post, Windows security daily domain activities
In reply to: ddanielnp wrote a new post sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 […]
John,
"ITS_Admin" is a value pulled via regex from the line:
| rex field=member_id "^w+W(?w*sw*sw*|w+_w+|w*sw*|w*)(sw+W|s)(?.*S)"
To test what the regex is pulling from your Windows events go to https://regex101.com/ and post the regex (minus the quotes) "^w+W(?w*sw*sw*|w+_w+|w*sw*|w*)(sw+W|s)(?.*S)" into the REGULAR EXPRESSION field and…
-
5 years, 7 months ago
jwalzer commented on the post, Detailed User Activity
In reply to: tokenwander wrote a new post index=_* search=* user=* user!=- user!=splunk-system-user | rex field=search max_match=0 "indexs*=[s"]*(?.*?)[|s")]" | rex field=search max_match=0 "[+(|+]index%3D(?.*?)[+|)+]" | […]
Doris,
You might want to copy the search to notepad/notepad++ first as I’ve noticed in general when trying to copy/paste searches some of the special characters don’t get copied correctly.
I copied this search to notepad++ and then copied from there to Splunk and was able to run the search.
-
7 years, 10 months ago
jwalzer wrote a new post
Sysmon – cmd line for non-local connections
sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=3 Protocol=tcp Initiated=true | where DestinationIp!="127.0.0.1" AND […]
-
7 years, 10 months ago
jwalzer wrote a new post
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Protocol=tcp Initiated=true | eval src=if(isnotnull(SourceHostname), SourceHostname+":"+SourcePort, SourceIp+":"+SourcePort) | eval […]
-
7 years, 10 months ago
jwalzer wrote a new post
index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | rex field=Image "[/](?[^/]*)$" | eval filename=lower(filename)| stats dc(filename) as NumFilenames values(filename) as […]
-
10 years ago
jwalzer became a registered member