curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): some queries require custom data model

This commit is contained in:
Ming Di Leom 2025-01-15 11:06:33 +00:00
parent a9c575817e
commit bd36476125
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source/threat-hunting/index.md
View File

@ -634,6 +634,7 @@ SPL:
## Heavy Forwarder Status Monitor ## Heavy Forwarder Status Monitor
Description: heavy_fwd is either down or unable to forward logs to Splunk Cloud for more than 15 minutes. Description: heavy_fwd is either down or unable to forward logs to Splunk Cloud for more than 15 minutes.
Caveat: Require custom [data model](https://gitlab.com/curben/splunk-scripts/-/blob/main/threat-hunting/datamodels.json).
SPL: SPL:
```spl ```spl
@ -1287,6 +1288,7 @@ SPL:
## Splunk License Monitoring ## Splunk License Monitoring
Description: Alert when Splunk is ingesting more than 90% of license. License rollover at 00:00 UTC (Cloud) or timezone of the license master (Enterprise). Pay attention to the timezones of the app's owner and the license master. Adjust `cron_schedule` and also `earliest_time` to account for daylight saving. Description: Alert when Splunk is ingesting more than 90% of license. License rollover at 00:00 UTC (Cloud) or timezone of the license master (Enterprise). Pay attention to the timezones of the app's owner and the license master. Adjust `cron_schedule` and also `earliest_time` to account for daylight saving.
Caveat: Require custom [data model](https://gitlab.com/curben/splunk-scripts/-/blob/main/threat-hunting/datamodels.json).
SPL: SPL:
```spl ```spl