Alert when ESCU updates detections

This query can set up an alert for when ESCU updates a detection, compared to the version you are using from clone. This requires ESCU v4.31.0 with the new metadata information being used.   | rest splunk_server=local count=0 /servicesNS/-/-/saved/searches | search action.notable.param.rule_title=* action.correlationsearch.metadata=* disabled=0 | rex field=action.correlationsearch.metadata “\”detection_id\”: \”(?P<detection_id>.{8}-.{4}-.{4}-.{4}-.{12})” | rex field=action.correlationsearch.metadata “\”detection_version\”: \”(?P<detection_version>.+)\”” | […]

Continue Reading →

Correlation Search Audit Search

 Use this search to audit your correlation searches. It includes various information like who is the author of the correlation search, who modified it, etc. In addition to that, the search also gives you an brief info on whether the correlation search has been triggered in past 30 days or not considering it has notable […]

Continue Reading →

Detect Credit Card Numbers using Luhn Algorithm

  Description Detect if any log file in Splunk contains Credit Card numbers. index=* ((source IN(“*.log”,”*.bak”,”*.txt”, “*.csv”,”/tmp*”,”/temp*”,”c:\tmp*”)) OR (tag=web dest_content=*)) | eval comment=”Match against the simple CC regex to narrow down the events in the lookup” | rex max_match=1 “[\”\s\’\,]{0,1}(?<CCMatch>[\d.\-\s]{11,24})[\”\s\’\,]{0,1}” | where isnotnull(CCMatch) | eval comment=”Apply the LUHN algorithm to see if the CC number […]

Continue Reading →

CrowdStrike Audit Event Correlation

Summary CrowdStrike creates logs in JSON format and sends 2 different datasets to the same sourcetype; security events from their detection tools and audit events from their management tool.  These audit tools contain analyst data about when they mark events as true positive, and withing CrowdStrike these are joined with the security event itself.  To […]

Continue Reading →

List all ES Correlation Searches

| rest splunk_server=local count=0 /services/saved/searches | where match(‘action.correlationsearch.enabled’, “1|[Tt]|[Tt][Rr][Uu][Ee]”) | rex field=action.customsearchbuilder.spec “datamodel\\\”:\s+\\\”(?<Data_Model>\w+)” | rex field=action.customsearchbuilder.spec “object\\\”:\s+\\\”(?<Dataset>\w+)” | rename action.correlationsearch.label as Search_Name title as Rule_Name eai:acl.app as Application_Context request.ui_dispatch_app as UI_Dispatch_Context description as Description Data_Model as Guided_Mode:Data_Model Dataset as Guided_Mode:Dataset action.customsearchbuilder.enabled as Guided_Mode action.customsearchbuilder.spec as Guided_Mode:Search_Logic search as Search dispatch.earliest_time as Earliest_Time dispatch.latest_time as Latest_Time […]

Continue Reading →