Collection of Splunking Tools, SPL Code and Resources
- SPL Examples
- Splunk Hunting and IOCs
- Sysmon Monitoring
- Threat Intelligence Applications
- Document Resources
- Online Resources
index=win_servers sourcetype=windows:security
| table EventCode
index=win_servers sourcetype=windows:security EventCode=4720 OR (EventCode=4732 Administrators)
| transaction Security_ID maxspan=180m
| search EventCode=4720 EventCode=4732
| table _time, EventCode, Security_ID, SamAccountName
Note:
- 4720: new user created
- 4732: user added to security group
- 4624: successful user login
index=* sourcetype=firewall*
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip
| where num_dest_port >500 OR num_dest_ip > 500
Note: internal scanning > external scanning
index=systems sourcetype=audit_logs user=svc_*
| table _time dest user
index=systems sourcetype=audit_logs user=svc_*
| stats earliest(_time) as earliest latest(_time) as latest by user, dest
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)
| convert ctime(earliest) ctime(latest)
| where isOutlier=1
index=* sourcetype=win*security user=* user!=""
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by user, ComputerName
| where successes>0 AND failures>100
index=network sourcetype=firewall_data app=tor src_ip=*
| table _time src_ip src_port dest_ip dest_port bytes app
index=* sourcetype=symantec:*
| stats count range(_time) as TimeRange by Risk_Name, Computer_Name
| where TimeRange>1800
| eval TimeRange_In_Hours = round(TimeRange/3600,2), TimeRange_In_Days = round (TimeRange/3600/24,2)
index=* (sourcetype=wineventlog AND (EventCode=1102 OR EventCode=1100)) OR (sourcetype=wineventlog AND EventCode=104)
| stats count by _time EventCode Message sourcetype host
Note:
- 1102: security log cleared
- 1100: event logging service shutdown
- 104: event log cleared
index=* sourcetype=websense*
| where bytes_out > 35000000
| table _time src_ip bytes* uri
index=web sourcetype=access_combined
| iplocation clientip
| stats dc(clientip) by Country
index=web sourcetype=access_combined
| iplocation clientip
| geostats dc(clientip) by Country
index=* sourcetype=firewall_data dest_port!=443 app=workday*
| table _time user app bytes* src_ip dest_ip dest_port
| tstats prestats=t count WHERE index=apps by host _time span=1m
| timechart partial=f span=1m count by host limit=0
index=main sourcetype=vmstat
| timechart max(memUsedPct) by host
index=main sourcetype=vmstat
| stats max(memUsedPct) as memused by host
| where memused>80
Search for changes related to the following items/IOCs during threat-hunting/incident response:
- Applications Using Wrong Ports
- Coin Address
- DNS Anomolies
- Domain Names
- Email Addresses
- Email Subject Lines
- File Names
- File Path
- Geolocation
- Hashes
- HTML Response Sizes
- Increased network usage
- IP Addresses
- MAC Addresses
- Mutex Names
- Passwords
- Registry Keys
- Registry Values
- Service Name
- Strings
- TLS Certificate Serial Numbers
- Unusual privileged account activity
- URL
- Usernames
sysmon.exe -i -h md5 -l -n
- Splunk ThreatHunting App
- Splunk Enterprise Security
- Splunk Security Essentials
- Dragos Threat Intelligence
- Splunk Quick Reference Guide
- Splunk Search Cheat Sheet
- Operationalizing Threat Intelligence Using Splunk Enterprise Security
- Splunk IOCs: Indicators of Crap Presentation
- Windows LOG-MD ATT&CK Cheat Sheet
- Windows ATT&CK Logging Cheat Sheet
- Windows Logging Cheat Sheet
- Windows Advanced Logging Cheat Sheet
- Windows File Auditing Cheat Sheet
- Windows PowerShell Logging Cheat Sheet
- Windows Registry Auditing Cheat Sheet
- Windows Splunk Logging Cheat Sheet
- Windows Sysmon Logging Cheat Sheet
- RegEx 101
- Mockaroo fake data generator
- Crontab Guru for Cron Expressions
- whois
- Windows Event Logs Defined
- Windows Security Log Events
- Windows Logging Cheat Sheets
- MITRE ATT&CK
- MITRE File Scanning
- ARTHIR
- Splunk Lookups for IOCs
- Accelerating Forensic Triage with Splunk
- Splunk for IR and Forensics 1
- Windows Log Malicious Discover Log-MD