Splunk

  • Description: SIEM (security information and event management) platform with advanced search and analytics functionality

  • Usage

    • Starting Splunk on Linux

      • If not a service: sudo /opt/splunk/bin/splunk start

      • If running as a service: sudo systemctl start Splunkd

    • Basic Search Queries

      • Search the source IP field (src) for the IP address 10.10.10.50: search src="10.10.10.50"

      • Search the destination IP field (dst): search dst="10.10.100.5"

      • Search for the IP address 10.10.10.50 in either the source IP field (src) or the destination IP field (dst): search src="10.10.10.50" OR dst="10.10.10.50"

      • Search for a source IP (src) talking to any destination IP (dst) in 10.10.10.0/24: search src="10.10.10.73" dst="10.10.10.*"

      • Simple failed login search: search pass* AND fail*

      • Show the command lines run by a given process image (here cmd.exe) from Sysmon logs, grouped by host: index="botsv1" earliest=0 Image="*\\cmd.exe" | stats values(CommandLine) by host

      • Search for a newly created Windows user: search the eventID field for 4270 or "net user"

      • Search for Windows user logins: search the eventID field for 4624

      • To identify web scanners by the most common request headers sent from a given source IP: index=index_name sourcetype=stream:http src_ip=xxx.xxx.xxx.xxx | stats count by src_headers | sort -count | head 3

      • Search for .exe requests to a given destination IP in HTTP stream data: index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" *.exe

      • To reverse the order of the search results: | reverse

    • Advanced SPL Examples (more can be found at https://github.com/EvolvingSysadmin/Splunk-Tools)

      • Search for credentials submitted to form:

        index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" http_method=POST form_data=*username*passwd* 
          | rex field=form_data "passwd=(?<creds>\w+)" 
          | table _time src_ip uri http_user_agent creds
      • To get metadata (first/last seen time, most recent time and event counts) on the sourcetypes, sources or hosts in an index:

          | metadata type=sourcetypes index=botsv2 
          | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") 
          | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") 
          | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") 
          | sort - totalCount
      • List all values within a field (e.g. sourcetype or source):

        index="botsv3"
          | top limit=* source
          | sort - count
      • Time spent crypto mining on a host (fss = mining start, fes = mining stop):

        index="botsv3" source="cisconvmflowdata" coinhive
          | stats min(fss) as starttime, max(fes) as endtime
          | eval timetaken = endtime-starttime
          | table timetaken
      • Search for IAM key of account that generated most distinct errors:

        index="botsv3" sourcetype="aws:cloudtrail" user_type=IAMUser errorCode!=success eventSource="iam.amazonaws.com"
          | stats dc(errorMessage) as errors by userIdentity.accessKeyId
          | sort -errors
      • To detect SYN scanning (SYN set, ACK clear, small TCP window; note that SPL search uses = for field comparisons and uppercase AND for boolean logic):

        index="botsv3" tcp.flags.syn=1 AND tcp.flags.ack=0 AND tcp.window_size<=1024
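      • Added example (not from the original notes or the Splunk-Tools repository) that turns the single-packet SYN filter above into a per-source detection by counting distinct destination ports per source/destination pair; the field names ip.src, ip.dst and tcp.dstport are assumed to follow the same Wireshark-style naming as tcp.flags.syn, and the threshold of 50 ports is an assumed starting value:

```spl
index="botsv3" tcp.flags.syn=1 AND tcp.flags.ack=0 AND tcp.window_size<=1024
| stats dc(tcp.dstport) AS distinct_ports, count AS syn_count, min(_time) AS first_seen, max(_time) AS last_seen BY ip.src, ip.dst
| where distinct_ports > 50
| eval scan_seconds=last_seen-first_seen
| eval first_seen=strftime(first_seen,"%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| sort -distinct_ports
| table ip.src ip.dst distinct_ports syn_count scan_seconds first_seen last_seen
```

        A single SYN with a small window also matches many legitimate connection attempts; aggregating per source/destination pair and requiring many distinct destination ports is what separates a port scan from normal traffic, so tune the threshold to the environment's baseline.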
        
