Splunk

PreviousSIFT Workstation NextSyslog

Last updated 2 years ago

Splunk

Description: SIEM with advanced functionality
Installation: download from
Usage
- Starting Splunk on Linux
  - If not a service: sudo /opt/splunk/bin/splunk start
  - If running as a service: sudo systemctl start Splunkd
- Basic Search Queries
  - Search source IP field (src) and the IP address value 10.10.10.50: search src="10.10.10.50"
  - Search desttination IP field (dst): search dst="10.10.100.5"
  - Search source IP field (src) and destination IP field (dst) the IP address value 10.10.10.50: search src="10.10.10.50" OR dst="10.10.10.50"
  - Search source IP field (src) to any destination IP field (dst) on the 10.10.10.0/24: search src="10.10.10.73" dst="10.10.10.*"
  - Simple failed login failure search: search pass* AND fail*
  - Show executables denerated from process, in this case cmd.exe, from Sysmon logs: index="botsv1" earliest=0 Image="*\\cmd.exe" | stats values(CommandLine) by host
  - Search for newly created windows user: search eventID field for 4270 or "net user"
  - Search for windows user logins: search eventID field for 4624
  - To search for web scanners: index=index_name sourcetype=stream:http src_ip=xxx.xxx.xxx.xxx | stats count by src_headers | sort -count | head 3
  - Search for .exe: index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" *.exe
  - To display search results in reverse chronological order: | reverse
- Resources
- Advanced SPL Examples (more can be found at )
  - Search for credentials submitted to form:
    index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" http_method=POST form_data=*username*passwd* | rex field=form_data "passwd=(?<creds>\w+)" | table _time src_ip uri http_user_agent creds
  - To get metadata information on sourcetypes or other fields in an index:
    | metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
  - List all values within a field (eg sourcetype or source):
    index="botsv3" | top limit=* source | sort - count
  - Time of crypto mining on host (fss = mining start fes = mining stop)
    index="botsv3" source="cisconvmflowdata" coinhive | stats min(fss) as starttime, max(fes) as endtime | eval timetaken = endtime-starttime | table timetaken
  - Search for IAM key of account that generated most distinct errors:
    index="botsv3" sourcetype="aws:cloudtrail" user_type=IAMUser errorCode!=success eventSource="iam.amazonaws.com" | stats dc(errorMessage) as errors by userIdentity.accessKeyId | sort -errors
  - To detect syn scanning:
    index="botsv3" tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024

PreviousSIFT Workstation NextSyslog

Last updated 2 years ago

Description: SIEM with advanced functionality
Installation: download from
Usage
- Starting Splunk on Linux
  - If not a service: sudo /opt/splunk/bin/splunk start
  - If running as a service: sudo systemctl start Splunkd
- Basic Search Queries
  - Search source IP field (src) and the IP address value 10.10.10.50: search src="10.10.10.50"
  - Search desttination IP field (dst): search dst="10.10.100.5"
  - Search source IP field (src) and destination IP field (dst) the IP address value 10.10.10.50: search src="10.10.10.50" OR dst="10.10.10.50"
  - Search source IP field (src) to any destination IP field (dst) on the 10.10.10.0/24: search src="10.10.10.73" dst="10.10.10.*"
  - Simple failed login failure search: search pass* AND fail*
  - Show executables denerated from process, in this case cmd.exe, from Sysmon logs: index="botsv1" earliest=0 Image="*\\cmd.exe" | stats values(CommandLine) by host
  - Search for newly created windows user: search eventID field for 4270 or "net user"
  - Search for windows user logins: search eventID field for 4624
  - To search for web scanners: index=index_name sourcetype=stream:http src_ip=xxx.xxx.xxx.xxx | stats count by src_headers | sort -count | head 3
  - Search for .exe: index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" *.exe
  - To display search results in reverse chronological order: | reverse
- Resources
- Advanced SPL Examples (more can be found at )
  - Search for credentials submitted to form:
    index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" http_method=POST form_data=*username*passwd* | rex field=form_data "passwd=(?<creds>\w+)" | table _time src_ip uri http_user_agent creds
  - To get metadata information on sourcetypes or other fields in an index:
    | metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
  - List all values within a field (eg sourcetype or source):
    index="botsv3" | top limit=* source | sort - count
  - Time of crypto mining on host (fss = mining start fes = mining stop)
    index="botsv3" source="cisconvmflowdata" coinhive | stats min(fss) as starttime, max(fes) as endtime | eval timetaken = endtime-starttime | table timetaken
  - Search for IAM key of account that generated most distinct errors:
    index="botsv3" sourcetype="aws:cloudtrail" user_type=IAMUser errorCode!=success eventSource="iam.amazonaws.com" | stats dc(errorMessage) as errors by userIdentity.accessKeyId | sort -errors
  - To detect syn scanning:
    index="botsv3" tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024