How to Retrieve and Restore Snapshots from S3 Repository in OpenSearch
Step 1: List Available Snapshots First, you need to list the snapshots available in your S3 repository. You can do…
Step 1: Add AWS Credentials to the Keystore To securely store your AWS credentials, use the OpenSearch keystore. Add your…
Within the “Advanced Options” of the “About Rule” section of Elastic hides a useful feature that gets little attention. This…
When possible, use datamodels, they are generally your best bet for speed. However, not everything in your Splunk will be…
Within Splunk we use “stats” and “tstats” a bunch as threat hunters. However, these useful operations can cause interesting events…
When you find yourself constantly reusing certain strings of Splunk commands, it can be a lot easier to represent those…
Sometimes when working with new log sources or unfamiliar event records being shipped to Splunk, you’ll encounter logs with important…
Elastic has many “Field Types”. Flattened is a type that allows you to search subfields. Typically for cyber security analysts…
1) Add to transforms.conf stanza: batch_index_query = 0 case_sensitive_match = 0 filename = field_from_sourcetype.csv match_type = WILDCARD(Sourcetype)…
Often, especially when providing context to analysts who are responsible for triaging alerts, it is useful to provide all of…