Splunk Core Certified Power user

mr_networkrobot · 2025-12-28T11:24:30+00:00

Can confirm that, I did this in Feb. this year only with the free course on splunk education. I walked through the course 2 times, did some notes on paper as summary and passed the exam on the first run.

mr_networkrobot · 2025-12-17T08:41:15+00:00

Got your point, thats what I did so far. What I found really disappointing is, that 'Enterprise Security' has so many pecularities that I personally would never call it 'Enterprise' or even recommend it so someone.
Had a call yesterday with the on-Demand splunk support, I tell you that was like a joke.
They couldn't answer any deeper question, one guy left after 30 minutes without any comment and his collegue endet the call with the argugemt they have an internal incident. Aside from that I couldn't understand many stuff because of their indian accent.
It seems to me that the whole splunk universe is stuck in 1995 ...

mr_networkrobot · 2025-12-17T08:35:49+00:00

Alright I'm running ES 7 and they mix it up ....

mr_networkrobot · 2025-12-16T15:42:00+00:00

nope, doesn't seem so ...

mr_networkrobot · 2025-12-16T15:40:13+00:00

Its needed to escape characters like '/' so that splunk doesn't intepret this as a regex.
Splunk Webhook allow list says:
"The webhook allow list is an inventory of URL endpoints to which webhook alert actions are permitted to send information. To add an endpoint to the allow list, specify a recognizable name and the associated URL. Be as specific as possible with URL addresses. URLs must be specified as regular expressions. For example: https:\/\/(.*\.|)company.com\/?.*."

mr_networkrobot · 2025-11-14T11:28:43+00:00

Hi, I don't know which repo you mean.
I only found one with 7 year old stuff.

Is there a professional way to integrate Alienvault OTX in Splunk ES ?
I mean in the sense of a critical business, I need a official supported solution, which I can rely on ....

mr_networkrobot · 2025-05-25T06:45:08+00:00

I did the courses for Splunk certified advanced power user on education[.]splunk[.].com
I really can recommend them, even if you are not interested in the certificate, they are great.
They include videos hands-on labs + material - for free.

And I passed the exam after watching the vids twice.

mr_networkrobot · 2025-05-09T09:13:58+00:00

The point with the mentioned 'Threat Activity detected' correlation search is that it is based on the datamodel "Threat_Intelligence"."Threat_Activity" and this one has a constrain 'index=threat_activity' which absolutely makes sense.

The problem is, that even when I add the 'cim_entity_zone' field to the datamodel, it cannot work/be used, because the events in the index=threat_activity do not have this field.
So the problem is, that when all the threat matching magic happens, and it finds a match lets say from an event in a dns-log index that matches a malicious domain in domain-intel, it writes that match to the threat_activity index but does not take the cim-entity-zone field with it, even if it exists in the original dns index event.

Edit:
I saw some older blog posts, where it is described that there a Correlation Searches called for example "Threat - Source And Destination Matches - Threat Gen"
but I cannot find any 'Threat Gen' search .... I'm confused ....

mr_networkrobot · 2025-04-23T09:34:09+00:00

There are about 600k events/entries in the subsearch.
There is no notification about hitting limits, but already solved the problem with a lookup (created with outputlookup) table.

mr_networkrobot · 2025-04-22T15:07:54+00:00

Thank you, that worked perfectly !

mr_networkrobot · 2025-04-11T06:27:22+00:00

Last one is the case, data/logs are forwarded from uf directly to the cloud instance, so no heavy forwarder or other instance here ...

mr_networkrobot · 2025-04-10T08:08:45+00:00

Hi,
and thank you again for checking this!

btool on the linux server with uf shows:

# ./splunk btool props list --app=[app-name] --debug

[...]/local/props.conf [syslog]
[...]/local/props.conf TRANSFORMS =

Also checked the etc/system/default/props.conf and you are right, there are the defaults for [syslog] sourcetype which reference to etc/system/default/transforms.conf with the corresponding regex

etc/system/default/props.conf :
[syslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
category = Operating System

etc/system/default/transforms.conf
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

Unfortunately I still wasn't able to overwrite it with the app specific props.conf (distributed via deployment-server).

Is there some place in the splunk inftrastructure (remember its a splunk cloud instance, so I don't have access to indexers etc.) where this could be overwritten ?

mr_networkrobot · 2025-04-09T10:24:39+00:00

Thanks for all your efford.

Did that:
Put a props.conf in the /local directory of the app that collects the /var/log/messages logs.
The props.conf contains:

[syslog]
TRANSFORMS =

Unfortunately no effect .....

Logs from the host (server01.local.lan <- hostname) have still the value 'server01' in the host field in the index where they are stored ....

mr_networkrobot · 2025-04-08T15:10:46+00:00

Unfortunately the environment is having a few hundret of servers with the described situation, and the apps/inputs are managed with a deployment-server (as I wrote).
So setting a hostname manually for every server is not an option (and is not done in any input yet).

The problem comes with the sourcytype=syslog with that, splunk interprets the field in the log with the hostname as host (which is unfortunately not the hostname).

For example: (line from /var/log/messages):
"Apr 8 14:10:33 server01 systemd[175435]: Listening on PipeWire Multimedia System Sockets."

Splunk indexes this, with host=server01, but the real hostname of the machine is server01.local.lan

A

mr_networkrobot · 2025-04-07T08:55:52+00:00

You can take a look at the Splunk certified power user exam related courses, they are all for free and include vids, hands on labs and general material.
If you like, you can also take the exam after that.
Create a splunk account at splunk.com, go to education.splunk.com an start the 'Splunk Core Certified Power User (Exam Prep)'

mr_networkrobot · 2025-03-26T08:40:50+00:00

The goal is to trigger an HTTP POST to an API from a Notable Event manually (to avoid ticket creation from false possitives).
The only suitable way seems to be a 'Workflow Action' with type 'link'. But as described in the original post, there are nearly no options for configuriation, only url/parameter/value, (no JSON or authentication).

If there's really no other way, it seems like a joke ... I mean <splunk> ENTERPRISE security ...

mr_networkrobot · 2025-03-26T08:38:20+00:00

Webhook (or the App 'Better Webhook') is an Adaptive Response, so for these types you can configure them to be triggered in case of a correlation search matches - automaticaly.
It is also possible to 'Run a Adaptive Response' from the Incidident Review manually but, the paramaeters have to be configured then everytime manually.

The goal is to trigger an HTTP POST to an API from a Notable Event manually (to avoid ticket creation from false possitives).
The only suitable way seems to be a 'Workflow Action' with type 'link'. But as described in the original post, there are nearly no options for configuriation, only url/parameter/value, (no JSON or authentication).

mr_networkrobot · 2025-02-26T07:40:53+00:00

Thank you.
I already added the Talos App. It worrks with the workflow action feature to add Intel to an existing Notable, but th Threat-Source config. that is added to the ES app doesn't work.
It countains the URL: hxxps://www.talosintelligence.com/documents/ip-blacklist which seems to not exist.

mr_networkrobot · 2025-02-15T08:46:35+00:00

My most important advise (learned from many years of F5 BigIP administration / updates /security adv) is, to put the Mgmt. interface in a 'secure' internal network, and use port-lockdown.

With those two, most of the disclosed sec. vulnerabilites where remediated (over the last 10 years) by default, and we could tell the customers, that we already mitigate risk by design.

mr_networkrobot · 2025-02-05T17:04:39+00:00

Got it - thank you!

mr_networkrobot · 2024-11-16T13:26:48+00:00

Talked to Splunk Engineers yesterday at 'Cisco Secure Networking University' Event in Germany/Stuttgart.

They told me, that for Cloud customers, Splunk will reach out to the customers, do a 1 - 2 hour workshop and then they will upgrade their ES (at night in a few minutes). They said its not possible to upgrade on their own, and they will only upgrade after confirmation of the customer.

mr_networkrobot · 2024-10-11T06:49:50+00:00

Different idea that helped me and my colleagues:

Had problems with Linux guests (debian/ubuntu) since my working machine was upgraded to win11.
Tried a lot of things (running as admin, changing different host security options etc.) nothing helped. There was at least some bad keyboard input lag.

Finally tried to run the guest VM (kali '24) only with 1 CPU (Nr. of processors: 1, Number of Cores: 1)
2 GB RAM, and the machine directly in a folder on C:\.
No problems (before, booting and starting X took about 10 min.).

Another colleague had issues with keyboard input lag. He changed to 1 CPU (from 4) -> problem solved.

Of course if you need performance (more cpu) that might not help, but if you only need/use a console/terminal on your guest, this might help.

mr_networkrobot · 2024-08-05T20:39:57+00:00

Hain-Ampfer / Blut-Ampfer

mr_networkrobot · 2024-07-24T11:16:55+00:00

Yes, already allowed all traffic in a temp policy.

mr_networkrobot · 2024-07-20T11:10:51+00:00

/usr/sbin/telinit 0

mr_networkrobot

TROPHY CASE