Uncategorized

Defender Queries – Cheatsheets

Find all mails from the sender, URLs containing the domain, and all actions/clicks by the user:

let custom_domain="$YOUR_DOMAIN";
EmailEvents
| where SenderFromDomain contains custom_domain
| join kind=leftouter UrlClickEvents on $left.RecipientEmailAddress==$right.AccountUpn
| join kind=fullouter ( UrlClickEvents | where Url contains custom_domain ) on $left.RecipientEmailAddress==$right.AccountUpn
| join kind=leftouter EmailPostDeliveryEvents on $left.NetworkMessageId==$right.NetworkMessageId
| extend Url = strcat(Url, Url1)
| extend […]


Useful Splunk commands – Cheatsheets

Check the last trigger time of each rule:

| rest /servicesNS/-/-/saved/searches
| regex title="$REGEX_to_match_your_rules_standard"
| search disabled=0 request.ui_dispatch_app="$YOUR_RULES_APP"
| rename title as ss_name
| join type=left [ search index=_audit action=alert_fired ss_app="$YOUR_RULES_APP" | stats latest(trigger_time) as lt by ss_name | fields ss_name,lt ]
| eval Triggered_time=strftime(lt, "%d/%m/%Y %I:%M:%S %p")
| eval Triggered_time=if(isnull(Triggered_time), "Not Triggered", Triggered_time)
| eval


Install Splunk – one shot

#!/bin/bash
# Install a package with apt if its command is not already on the PATH
check_and_install() {
    local package=$1
    if ! command -v "$package" &> /dev/null; then
        echo "$package is not installed. Attempting to install..."
        sudo apt-get update
        sudo apt-get install -y "$package"
    else
        echo "$package is already installed."
    fi
}

check_and_install wget
check_and_install gpg
check_and_install sudo

url_download_splunk=''
url_licence=''

echo -e '\n'
read -p "First enter the decryption key


How to debug Splunk High Memory CPU on Search Head Cluster?

Which process consumes the most?

index=_introspection sourcetype=splunk_resource_usage
| stats median(data.pct_memory) by data.process_type

Check the searches by user:

index=_audit action="search" info="completed" NOT user="splunk-system-user"
| table user, is_realtime, total_run_time, exec_time, result_count
| eval exec_time=strftime(exec_time, "%m/%d/%Y %H:%M:%S:%3Q")
| sort 0 - total_run_time

Check the use by components,
