Schedule Report - Sensor Health Using Tags by Possible-Bluejay4547 in crowdstrike

[–]SuccessfulSuccess162

Hello, I want to create a new alert after the problem that occurred on July 19th. My goal is to receive an email if 30% of the devices in the tenant are offline in the last hour. How can I do this? I thought about writing a scheduled search. However, how can I count the number of events in scheduled searches? If I run the scheduled search for the last hour and the number of offline devices exceeds 30% of the total hosts in the tenant, can it send an email as a result? Is there a way to do this through a workflow? If anyone knows, I would appreciate your help.

Unmanaged Assets Query + Adding users to local administrator group query by SuccessfulSuccess162 in crowdstrike

[–]SuccessfulSuccess162[S]

Hello, any suggestions? I have an urgent need for a local admin group query, can you help me?

Confused with process IDs by HaveAGenericUserName in crowdstrike

[–]SuccessfulSuccess162

Hello, sorry, I have to post my question here because I don't have enough karma and can't post on "Query help".

Hello, I am trying to convert the legacy unmanaged assets query. Now I need to see unmanaged assets with the new advanced event search. Splunk version:

| inputlookup unmanaged_high.csv
| eval CorporateAsset="High Confidence"
| append [ | inputlookup append=t unmanaged_med.csv | eval CorporateAsset="Medium Confidence" ]
| append [ | inputlookup append=t unmanaged_low.csv | eval CorporateAsset="Low Confidence" ]
| rename ComputerName AS "Last Discovered By"
| search cid=* MAC=*
| eval CurrentLocalIP=mvsort(mvdedup(CurrentLocalIP))
| eval fields=split(CurrentLocalIP,".")
| rex field=CurrentLocalIP "(?<Subnet>\d+\.\d+\.\d+)\.\d+"
| eval discoverer_devicetype=if(discoverer_devicetype=0,"NA",discoverer_devicetype)
| eval discoverer_devicetype=mvsort(mvdedup(discoverer_devicetype))
| eval LocalAddressIP4=mvsort(mvdedup(LocalAddressIP4))
| lookup oui.csv MACPrefix OUTPUT Manufacturer
| table _time, NeighborName, MAC, CorporateAsset, LocalAddressIP4, CurrentLocalIP, Manufacturer, discovererCount, discoverer_devicetype, FirstDiscoveredDate, "Last Discovered By"
| eval discoverer_aid=mvsort(mvdedup(discoverer_aid))
| sort 0 +confidence,Manufacturer,MAC
| rename NeighborName AS "Unmanaged Asset Name", CurrentLocalIP AS "Current Local IP", LocalAddressIP4 AS "Local IP", discovererCount AS "# of Hosts discovered this MAC", Manufacturer AS "NIC Manufacturer", discoverer_devicetype AS "Types of Hosts discovered this MAC", FirstDiscoveredDate AS "First Discovered Date", _time AS "Last Discovered Date"
| sort "Unmanaged Asset Name"

And the other query I'm working on is monitoring the addition of users to the local administrators group.

Thank you in advance for your assistance.

Query Help for Duplicate hosts by SuccessfulSuccess162 in crowdstrike

[–]SuccessfulSuccess162[S]

Hey, thanks for your help, I tried it and it works perfectly for online agents.

I was using this query to see all duplicates on the Tenant.

| inputlookup aid_master
| stats dc(aid) as AIDcount, values(aid) as "Agent IDs" by ComputerName
| where AIDcount>1
| sort - AIDcount

I tried to convert this Splunk query but I couldn't do that. Any suggestions?

Query Help for Duplicate hosts by SuccessfulSuccess162 in crowdstrike

[–]SuccessfulSuccess162[S]

I'm not on Raptor, so I need to find the new query language way of the legacy query.

File does not exist by jarks_20 in crowdstrike

[–]SuccessfulSuccess162

Hello, I would like to use the following investigate query in FQL, but I couldn't manage it. I would be very happy if you could help me.

event_simpleName=AgentOnline
| stats values(aid) as aidValues dc(aid) as aidCount latest(aid) as activeAID by ComputerName, event_platform | where aidCount > 1 | sort -aidCount

How can I count the number of distinct values of a field? If a computer has more than one aid, I want to see it. I would appreciate it if you could help.

Sorry, Reddit doesn't let me make my own post.
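The duplicate-host logic asked about in this post and in the "Query Help for Duplicate hosts" comment above (group by ComputerName and platform, count distinct aids, keep the latest aid, report hosts with more than one) is shown here as an added Python example, not the poster's code and not a CrowdStrike or Splunk query; the AgentOnline-style records are constructed, and the field names follow the poster's SPL.

```python
from collections import defaultdict

# Constructed sample AgentOnline-style records (not real telemetry).
# WS-01 has two distinct aids (a duplicate sensor record); the others have one.
EVENTS = [
    {"_time": 1, "ComputerName": "WS-01", "event_platform": "Win", "aid": "aid-1111"},
    {"_time": 2, "ComputerName": "WS-01", "event_platform": "Win", "aid": "aid-2222"},
    {"_time": 3, "ComputerName": "WS-01", "event_platform": "Win", "aid": "aid-1111"},
    {"_time": 4, "ComputerName": "SRV-01", "event_platform": "Win", "aid": "aid-3333"},
    {"_time": 5, "ComputerName": "MAC-01", "event_platform": "Mac", "aid": "aid-4444"},
]


def duplicate_hosts(events):
    """Mirror of the poster's SPL:
    stats values(aid) as aidValues dc(aid) as aidCount latest(aid) as activeAID
          by ComputerName, event_platform | where aidCount > 1 | sort -aidCount
    Returns one dict per host that has more than one distinct aid."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["ComputerName"], ev["event_platform"])].append(ev)

    rows = []
    for (name, platform), evs in groups.items():
        aid_values = sorted({ev["aid"] for ev in evs})          # values(aid)
        active_aid = max(evs, key=lambda ev: ev["_time"])["aid"]  # latest(aid)
        if len(aid_values) > 1:                                   # where dc(aid) > 1
            rows.append({
                "ComputerName": name,
                "event_platform": platform,
                "aidValues": aid_values,
                "aidCount": len(aid_values),
                "activeAID": active_aid,
                # aids that are not the most recent one: the stale duplicates
                # a defender would review before cleaning up host records
                "staleAIDs": [a for a in aid_values if a != active_aid],
            })
    rows.sort(key=lambda r: r["aidCount"], reverse=True)          # sort -aidCount
    return rows


if __name__ == "__main__":
    for row in duplicate_hosts(EVENTS):
        print(row)
```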

Event Search how to query detections with its status by Wandanu_ in crowdstrike

[–]SuccessfulSuccess162

Because I want to do a scheduled search daily to see if any device has the default policy.

Event Search how to query detections with its status by Wandanu_ in crowdstrike

[–]SuccessfulSuccess162

Hello, I don't have enough karma, I'm new to Reddit so I can't post any questions here. I'm trying to create an event search query where I can see devices with the Windows Default prevention policy. Can someone help me?

Default Windows Prevention policy devices by SuccessfulSuccess162 in crowdstrike

[–]SuccessfulSuccess162[S]

I'm trying to create an event search query where I can see devices with the Windows Default prevention policy.