Comments on SecuritySynapse: Detecting Data Feed Issues with Splunk - Part II
Blog author: Tony Lee (http://www.blogger.com/profile/04935721260910647091)

Tony Lee, 2019-07-21 17:25 (-07:00):
Nice! Do you mind sharing the search here when you get a chance? Thanks for the tip.

Anonymous, 2019-07-20 16:51 (-07:00):
There are also the Splunk Universal Forwarder heartbeat logs (every 2 minutes in my environment), and each host's Windows Security logs are generally pretty active. I have a "last 5 min" search on the SUF heartbeats and should get at least 2 of them (YMMV), which also have tcp_thruput values. Do some baseline calculations and you can set up a stats summary by host for a period of time of how many minimum events you should expect to see. Key is to alert even if there are no heartbeats... so start your search with a lookup table of asset hosts, then "fillnull" with 0 for hosts that don't have matching heartbeat events. Same for WinEventLogs.

Tony Lee, 2018-08-31 06:55 (-07:00):
Thanks for the feedback!

Anonymous, 2018-08-31 06:49 (-07:00):
This helps out greatly! Keep up the good info.