Useful Splunk Audit Query for Integrations Troubleshooting

One of the common tasks we perform is troubleshooting integrations between MSV and various SIEM solutions.

In this example, I'll provide a custom Splunk audit query used to troubleshoot legacy integrations. The same concept applies to other SIEM solutions.

Beyond the initial configuration and connection phase, it is useful to track the searches the MSV Director actually runs against the SIEM. That history helps with troubleshooting advanced issues and with estimating the search rate limit the MSV API account needs.

For legacy Splunk integrations, substitute the MSV API username for the <MSV API User> placeholder in the query below. It lists MSV's search activity from the _audit index, with the epoch fields (search_et, search_lt, _indextime and the _indextime>= bound extracted from the search string) converted to a human-readable format.

The output carries several count fields (event_count, result_count, available_count) because a search matches more events than Splunk's time filters ultimately return; the smallest of them is the number of events MSV actually receives.


index=_audit user=<MSV API User>
| eval search_et_ts=strftime(search_et, "%m/%d/%y %H:%M:%S")
| eval search_lt_ts=strftime(search_lt, "%m/%d/%y %H:%M:%S")
| eval indextime_ts=strftime(_indextime, "%m/%d/%y %H:%M:%S")
| eval cd=_cd
| rex field=search "_indextime>=(?<indextime_from>\d+)"
| eval indextime_from_ts=strftime(indextime_from, "%m/%d/%y %H:%M:%S")
| table _time indextime_ts timestamp indextime_from indextime_from_ts search_et_ts search_lt_ts
    type cd info search mode name source sourcetype user event_count result_count available_count
    api_et api_lt api_index_et api_index_lt apiIndexStartTime apiIndexEndTime apiStartTime
    add_offset add_timestamp search_et search_id search_lt ttl total_run_time considered_events
    enable_lookup autojoin bucket eventtype fully_completed_search exec_time has_error_msg
    roles has_error_warn
| sort _time asc
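As an added example that is not part of the original post or of any MSV or Splunk code, the Python script below reproduces the query's logic offline over a handful of constructed _audit lines: it splits the key=value fields, pulls the _indextime>= bound out of the search string, converts the epoch fields with the same format string the query uses, and takes the smallest of the count fields as the number of events MSV received. It goes one step beyond the query by counting distinct search_ids per minute, which is the figure to use when estimating the rate limit. The sample lines, the user name msv_api and the search strings are assumptions; Splunk's strftime uses the search head's time zone, whereas the script formats in UTC.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in the key=value style of Splunk's _audit index.
# They are NOT real Splunk or MSV output; the user name "msv_api" and the
# search strings are assumptions for this example.
SAMPLE_AUDIT = [
    "Audit:[timestamp=11-20-2023 10:15:02.000, user=msv_api, action=search, "
    "info=granted, search_id='1700475302.100', "
    "search='search index=fw sourcetype=pan _indextime>=1700475000 | head 1000'][n/a]",
    "Audit:[timestamp=11-20-2023 10:15:03.000, user=msv_api, action=search, "
    "info=completed, search_id='1700475302.100', "
    "search='search index=fw sourcetype=pan _indextime>=1700475000 | head 1000', "
    "search_et=1700474400.000, search_lt=1700475300.000, total_run_time=0.42, "
    "event_count=1200, result_count=1000, available_count=1000, "
    "fully_completed_search=true, has_error_warn=false][n/a]",
    "Audit:[timestamp=11-20-2023 10:15:40.000, user=msv_api, action=search, "
    "info=completed, search_id='1700475340.101', "
    "search='search index=fw sourcetype=pan _indextime>=1700475300', "
    "search_et=N/A, search_lt=1700475340.000, total_run_time=0.10, "
    "event_count=35, result_count=35, available_count=35, "
    "fully_completed_search=true, has_error_warn=false][n/a]",
    "Audit:[timestamp=11-20-2023 10:16:10.000, user=msv_api, action=search, "
    "info=completed, search_id='1700475370.102', "
    "search='search index=proxy sourcetype=bluecoat _indextime>=1700475300 | head 500', "
    "search_et=1700474400.000, search_lt=1700475370.000, total_run_time=0.35, "
    "event_count=800, result_count=500, available_count=500, "
    "fully_completed_search=true, has_error_warn=false][n/a]",
    # A search by another user: must be ignored when reporting on msv_api.
    "Audit:[timestamp=11-20-2023 10:16:12.000, user=admin, action=search, "
    "info=completed, search_id='1700475372.7', search='search index=_internal', "
    "search_et=N/A, search_lt=1700475372.000, total_run_time=0.05, "
    "event_count=9000, result_count=9000, available_count=9000, "
    "fully_completed_search=true, has_error_warn=false][n/a]",
]

# key=value pairs; quoted values may contain commas and pipes (the search string)
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|[^,\]]*)")
INDEXTIME_RE = re.compile(r"_indextime>=(\d+)")   # same bound the SPL rex extracts
AUDIT_TS_FMT = "%m-%d-%Y %H:%M:%S.%f"             # assumed layout of the timestamp field
OUT_FMT = "%m/%d/%y %H:%M:%S"                     # format string used by the SPL strftime calls


def parse_audit_event(line):
    """Split one _audit line into a dict; quoted values are unquoted."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        fields[key] = val
    return fields


def fmt_epoch(value):
    """Epoch seconds -> human-readable string (UTC); None for N/A or missing."""
    try:
        ts = float(value)
    except (TypeError, ValueError):
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(OUT_FMT)


def msv_search_rows(lines, user):
    """One row per audit search event for `user`, mirroring the SPL table columns."""
    rows = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("user") != user or ev.get("action") != "search":
            continue
        m = INDEXTIME_RE.search(ev.get("search", ""))
        counts = [int(ev[k]) for k in ("event_count", "result_count", "available_count")
                  if ev.get(k, "").isdigit()]
        rows.append({
            "timestamp": ev.get("timestamp"),
            "search_id": ev.get("search_id"),
            "info": ev.get("info"),
            "indextime_from": int(m.group(1)) if m else None,
            "indextime_from_ts": fmt_epoch(m.group(1)) if m else None,
            "search_et_ts": fmt_epoch(ev.get("search_et")),
            "search_lt_ts": fmt_epoch(ev.get("search_lt")),
            # smallest count = what MSV actually receives after time filtering
            "min_count": min(counts) if counts else None,
        })
    return rows


def searches_per_minute(lines, user):
    """Distinct search_ids per minute for `user`; granted and completed events of
    one search count once. The peak value is the rate the account's limit must allow."""
    per_minute = Counter()
    seen = set()
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("user") != user or ev.get("action") != "search":
            continue
        sid = ev.get("search_id")
        if not sid or sid in seen:
            continue
        seen.add(sid)
        minute = datetime.strptime(ev["timestamp"], AUDIT_TS_FMT)
        per_minute[minute.strftime("%m/%d/%y %H:%M")] += 1
    return dict(per_minute)


if __name__ == "__main__":
    for row in msv_search_rows(SAMPLE_AUDIT, "msv_api"):
        print(row)
    rate = searches_per_minute(SAMPLE_AUDIT, "msv_api")
    print("searches/minute:", rate, "peak:", max(rate.values(), default=0))
```

To use it against a live system, export the _audit results for the API user (for example with the query above and `| fields *`, or via the REST search API) and feed the raw lines to msv_search_rows and searches_per_minute in place of SAMPLE_AUDIT.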
