Example Splunk Queries
Glossary
- Index: use to find all similar events (broad).
- Sourcetype: only use logs from the type specified (narrow).
  - For instance, bluecoat has only one sourcetype (bluecoat:proxysg:access:syslog), so we can use either just the index or the sourcetype.
- Source: for specific locations or files.
  - e.g. source=/var/log/messages
- rare: displays the least common values.
  - This is helpful when trying to find anomalies.
- dedup / uniq: returns unique events, or groups similar items based on a field.
Find All Searchable Indices
| rest /services/data/indexes | dedup title | table title
Don't use index=*
Bluecoat
Bluecoat web history based on user
Ideal for looking for traffic outside the normal baseline
index="bluecoat" cs_username=username url!="*microsoft*" url!="*google*" url!="*officeapps.live.com*" url!="*skype*" url!="*gstatic*"
| dedup dest_host
Ideal for all traffic aside from heartbeats and updates
index="bluecoat" cs_username=username url!="*.microsoft.com*" AND url!="*.officeapps.live.com*" AND NOT "Ads/Analytics"
| dedup dest
| eval url=substr(url,1,50)
| table _time cs_username http_method dest url status
| sort _time
Same query, but without the table and with icons added for the HTTP methods
index="bluecoat" cs_username=username url!="*.microsoft.com*" AND url!="*.officeapps.live.com*" AND NOT "Ads/Analytics"
| dedup dest
| iconify http_method
Tanium
Find machines logged into by user
index="tanium" Last_Logged_In_User="domain//username" | dedup Computer_Name
| eval time = tostring(date_hour) + ":" + tostring(date_minute)
| eval date = tostring(date_mday) + "th of " + tostring(date_month)
| table Computer_Name date time Last_Logged_In_User OS_Platform
Find logged in users by machine name
index="tanium" Computer_Name="example" | dedup Last_Logged_In_User
| eval time = tostring(date_hour) + ":" + tostring(date_minute)
| eval date = tostring(date_mday) + "th of " + tostring(date_month)
| table Computer_Name date time Last_Logged_In_User OS_Platform
Find users and machines based on IP address (non-NAT)
index="tanium" IP_Address="x.x.x.x" | dedup Last_Logged_In_User
| eval time = tostring(date_hour) + ":" + tostring(date_minute)
| eval date = tostring(date_mday) + "th of " + tostring(date_month)
| table Last_Logged_In_User Computer_Name date time OS_Platform
DarkTrace
DO NOT USE -> NEEDS TESTING -> Compare DarkTrace with Tripwire. The subsearch must return the category field as well as ip_address, otherwise the final table has nothing to join it from.
index="darktrace" host="x.x.x.x"
| rename device.ip as ip_address
| eval ip_address=tostring(ip_address)+"/32"
| table ip_address score
| join type=inner ip_address
[ search index="ip360"
| dedup ip_address
| table ip_address category
]
| table ip_address score category
Tripwire
Returns data if IP Address is found. Replace x.x.x.x with the IP in question.
index="ip360" (tag=vulnerability OR tag=report) AND ip_address="x.x.x.x/*"
| dedup ip_address
| table ip_address category product vendor
Returns all IP Addresses tripwire scanned.
index="ip360" tag=vulnerability OR tag=report | dedup ip_address | table ip_address category product vendor
Windows SEC Event logs
Find access to share drives
sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1"
| eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2)
| rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2
| stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name
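As an added illustration, not part of the original query set, the share-drive query's steps re-implemented in Python over constructed sample events (the event dictionaries, host names and addresses are invented to mirror the WinEventLog:Security field extractions), so the filtering and the per-account aggregation can be checked offline:

```python
from collections import defaultdict

ADMIN_SHARES = ("C$", "D$", "E$", "F$", "U$")  # the share suffixes the query matches

# Constructed sample events (not real logs); field names mirror the WinEventLog:Security extractions.
SAMPLE_EVENTS = [
    {"EventCode": 5140, "host": "FS01", "Account_Name": "alice", "Account_Domain": "CORP",
     "Source_Address": "10.0.0.5", "Share_Name": "\\\\*\\C$", "Share_Path": "\\??\\C:\\"},
    {"EventCode": 5140, "host": "FS02", "Account_Name": "alice", "Account_Domain": "CORP",
     "Source_Address": "10.0.0.5", "Share_Name": "\\\\*\\D$", "Share_Path": "\\??\\D:\\"},
    {"EventCode": 5140, "host": "FS01", "Account_Name": "bob", "Account_Domain": "CORP",
     "Source_Address": "::1", "Share_Name": "\\\\*\\C$", "Share_Path": "\\??\\C:\\"},  # loopback: excluded
    {"EventCode": 5140, "host": "FS01", "Account_Name": "bob", "Account_Domain": "CORP",
     "Source_Address": "10.0.0.9", "Share_Name": "\\\\*\\Public", "Share_Path": "C:\\Public"},  # not an admin share
    {"EventCode": 5140, "host": "FS1", "Account_Name": "fs", "Account_Domain": "CORP",
     "Source_Address": "10.0.0.7", "Share_Name": "\\\\*\\C$", "Share_Path": "\\??\\C:\\"},  # account == host minus "1"
    {"EventCode": 4624, "host": "FS01", "Account_Name": "carol", "Account_Domain": "CORP",
     "Source_Address": "10.0.0.8", "Share_Name": "", "Share_Path": ""},  # wrong EventCode
]

def admin_share_access(events):
    """Same steps as the query: filter 5140 admin-share events, drop loopback and
    host-named accounts, then aggregate per Account_Name (count, values(), dc())."""
    rows = defaultdict(lambda: {"count": 0, "Domain": set(), "Source_IP": set(),
                                "Destination": set(), "Share_Name": set(), "Share_Path": set()})
    for e in events:
        if e["EventCode"] != 5140 or not e["Share_Name"].endswith(ADMIN_SHARES):
            continue
        if e["Source_Address"] == "::1":
            continue
        # trim(host,"1") / trim(host,"2") strip that digit from both ends; the query then
        # lowercases the result and drops events where it equals Account_Name.
        if e["Account_Name"] in (e["host"].strip("1").lower(), e["host"].strip("2").lower()):
            continue
        r = rows[e["Account_Name"]]
        r["count"] += 1
        r["Domain"].add(e["Account_Domain"])
        r["Source_IP"].add(e["Source_Address"])
        r["Destination"].add(e["host"])
        r["Share_Name"].add(e["Share_Name"])
        r["Share_Path"].add(e["Share_Path"])
    for r in rows.values():
        r["Dest_Count"] = len(r["Destination"])  # dc(Destination)
    return dict(rows)

if __name__ == "__main__":
    for name, r in admin_share_access(SAMPLE_EVENTS).items():
        print(name, r["count"], sorted(r["Destination"]), sorted(r["Share_Name"]))
```

Only alice survives the filters in the sample set, with two destinations; that matches what the stats line would show for her row.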
Ideal for finding login attempts -> still a work in progress
source="WinEventLog:Security" EventCode=4723
src_user!="*$" src_user!="svc*" status=failure
| chart count over src_user by status | sort - failure | head 20
I'm continuously updating this; if you have any questions, please comment.