Hi all, what is the process we should be following to ensure we don't
get duplicate events? I found one reference to
"event.disambiguation_key"; is this the way forward?
What feed are you working with? In the past I've seen these errors be
raised from the API Chronicle is hitting to pull the feed, i.e. if it's a
PRODUCT feed, the PRODUCT API might be emitting this error when
Chronicle attempts to interact with it. Are...
If you can safely redact a sample raw log enough to send it to me, I can
run it against the default Windows Event parser and tell you what the
issue is. You're going to run into issues if you can't use cbn_cli
though; if it's possible to gain access I...
Okay, so I'm assuming you're looking at raw log search here? Try to
search for the following in UDM: metadata.log_type="WINEVTLOG". If this
returns nothing then all of your logs aren't parsing correctly. Note:
"WINDOWS" needs to map to the log label you...
I use the dashboard to see which log sources have failed logs. I don't
know if there's an API call that allows you to see which log sources have
recent fails.
Do you mean logs that failed parsing? You can do that with cbn_cli, e.g.
cbn_cli.py --region EUROPE error -l WORKSPACE_ACTIVITY -sd 2023-08-01T00:00:00Z -ed 2023-08-16T07:50:00Z