The following query shows indicators of compromise (IoC) for directory traversal, RFI and LFI in IIS logs: <code>index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js") AND (referer="-" OR referer="") AND (uri_query="*passwd*" OR uri_query="*cmd*" OR uri_query="*%00*" OR uri_query="*.txt*") | table _time, clientip, status, uri_query</code>
IIS: 404 errors
Get an overview of all 404 errors; an increase might be an IoC. <code>index=web_p sourcetype="ms:iis:default" status=404 | timechart count</code>
IIS: 401 and 403 errors
Get an overview of 401 and 403 errors; an increase might be an IoC. <code>index=* sourcetype="ms:iis:default" sc_status=401 OR sc_status=403 | table _time, sc_status, sc_substatus, uri_path | timechart count by sc_status</code>
IIS: Indicators of XSS and SQLi attacks
The following query shows IoC for XSS and SQLi. The query is cut short here because this site does not accept the full text; it should also include <code>OR "javascript:alert"</code> (written as "javascript" followed by ":alert"). <code>index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js" OR "cookie-min.js" OR "RESET-COOKIE" OR "form.user-info-from-cookie") AND ("&#" OR "script>" OR "script%3E" OR "`" OR "cookie" OR alert\( […]</code>
Remove Z or T string from your Timestamp
<code>| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+)" | eval timestamp=timestampA + timestampB | eval timestamp=strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N") | eval timestamp=strftime(timestamp, "%c") | fields - timestampA timestampB</code>
Find passwords in User_Name field
This eval for passwords can easily be used on any field where a user might accidentally type a password, or worse, both username and password, during login, which generates a failed-login event. The example below is for a Windows failed login. The eval matches 10 or more characters with 1 uppercase, 1 lower case, 1 […]
Unable to get a search to work properly
Hi All, I have been trying to get the following search to work for weeks now, with no luck. My entire team has looked at it as well as our local user group and our Account Manager’s SE. No one has been able to figure out why the search isn’t working properly. Here is some […]
Fishies! Fun Query and Easter Egg
Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app comment below! FYI make sure you run this in real time otherwise you won’t see the fun part :) index=_* OR index=* […]
Find queues that are nearly full
Easily find Splunk instances (both forwarders and full installs) that have queues that are over 80% full! <code>index=_internal group=queue | eval percfull=((current_size_kb/max_size_kb)*100) | search percfull>80 | dedup host, name | table _time host name current_size_kb max_size_kb</code>
Extract DNS Queries from netscaler syslog
To extract the DNS logging from netscaler:syslog you need the following regex: <code>^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)</code> You can now use it with <code>rex</code> in the query (note that the <code>regex</code> command only filters events and does not extract fields) to get an overview of all DNS queries: <code>index=network_netscaler sourcetype="citrix:netscaler:syslog" DNS | rex "^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)" | table time, date, source_ip, dns</code>
Sysmon – cmd line for non -local connections
<code>sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=3 Protocol=tcp Initiated=true | where DestinationIp!="127.0.0.1" AND DestinationHostname!=SourceHostname | table _time User Computer ProcessId ProcessGuid DestinationHostname DestinationPort | join type=inner ProcessGuid [ search sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | table ProcessGuid ProcessId CommandLine ]</code> The join is done on ProcessGuid only; joining on all common fields would also require _time to match, which it never does between the EventCode 1 and EventCode 3 events.
Sysmon – Outbound Connections by Process
<code>sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Protocol=tcp Initiated=true | eval src=if(isnotnull(SourceHostname), SourceHostname+":"+SourcePort, SourceIp+":"+SourcePort) | eval dest=if(isnotnull(DestinationHostname), DestinationHostname+":"+DestinationPort, DestinationIp+":"+DestinationPort) | eval src_dest=src+" => "+dest | stats values(src_dest) as Connection by ProcessGuid ProcessId User Computer Image</code>
Sysmon – Find Processes with Renamed Executables
<code>index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | rex field=Image "[\\\/](?<filename>[^\\\/]*)$" | eval filename=lower(filename) | stats dc(filename) as NumFilenames values(filename) as Filenames values(Image) as Images by Hashes | where NumFilenames>1</code>
Overview of all medium to critical risks for Win20xx
Get an overview of all medium to critical risks for Windows 2008 / 2012. Windows 2008: <code>sourcetype="tenable:sc:vuln" cpe:/o:microsoft:windows_server_2008 | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description | join ip type=inner max=0 [ search index=main sourcetype="tenable:sc:vuln" baseScore>3 | table ip, netbiosName, dnsName, severity.name, pluginName, solution, description ] | sort severity.name | chart count by […]</code>
User Info Dashboard – Using REST
I found this very useful user statistics/information Splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out! <code><dashboard> <label>REST API: access control</label> <row> <panel> <single> <title>You are</title> <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="drilldown">none</option> […]</code>
Use REST to gather Index Info
Here is some SPL to get useful information via REST on indexes within your Splunk environment: <code>| rest /services/data/indexes | eval currentDBSizeMB=tostring(currentDBSizeMB, "commas") | eval totalEventCount=tostring(totalEventCount, "commas") | eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60) | table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount</code>
License Usage by Pool per hour for last 24 hours
Have a misbehaving license pool that the admin swears he fixed this morning? <code>index=_internal source=*license_usage.log* type=Usage earliest=-24h | bucket _time span=1h | stats sum(b) as bytes by _time, pool | eval GB=round(bytes/1024/1024/1024,5) | fields _time pool GB</code>
Detect ShellShock Attempts in Apache Logs
<code>sourcetype="apache:access" http_method=POST request="*{ :;};*" OR request="*/bin/*"</code> A very simple query to detect attempts at running Linux commands on an Apache web server. The POST HTTP request is where the command is injected. By searching the "request" field for telltale signs of the attempt you can understand when and where the attack is occurring […]
Overview SMB Shares with unprivileged access (tenable)
This search gives an overview of all SMB shares with unprivileged access. <code>sourcetype="tenable:sc:vuln" pluginID=42411 | table ip dnsName pluginText | rename "pluginText" as "Shares enabled" | rename "dnsName" as "DNS Name" | rename "ip" as "IP address"</code>
Time Offset on Splunk Servers
This Splunk Query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the splunk clock skew search posted on www.bbosearch.com (another pretty awesome site like this one!). My version strips the unnecessary and renames some fields, but feel free to do what you want with it: […]