Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through the CISCO_ISE device. This identifies who logs in, plus the MAC address and IP, for any use case.

index=<your cisco index> "<your IP>" |rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)" |rex field=_raw "(?<IP><IP regex>)" |iplocation IP |stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP […]

Investigate an IP through Palo Alto Logs

index=<your palo alto index> <IP you want to investigate> |stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |rename client_ip as SourceIP |fields - user […]

List Deployment Client

index=_internal sourcetype=splunkd "deployment_client" |stats latest(_time) as LatestReportTime values(server_name) as Server_Name by host |convert ctime(LatestReportTime) |rename host as Host |fields + Host Server_Name LatestReportTime

List Reports and Wrap the text

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields" |search alert_type="always" |fillnull value=0 triggered_alert_count |sort "triggered_alert_count" desc |rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

Timestamps from the future.

Shows all hosts that are sending events with timestamps more than 5 minutes (300 seconds) ahead of the current time.

| metadata type=hosts | where lastTime>now()+300 | eval mins_in_future=(lastTime-now())/60 | eval years_in_future=mins_in_future/60/24/365 | fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z") | table lastTime, host, mins_in_future, years_in_future | sort - mins_in_future

Datamodel Search Performance

See how well your data model (DM) acceleration searches are running. Run this search using the Line Chart visualization:

index=_internal sourcetype=scheduler component=SavedSplunker ACCELERATE NOT skipped run_time=* | rex field=savedsearch_id "ACCELERATE_(?:[A-F0-9\-]{36}_)?(?<acceleration>.*?)_ACCELERATE" | timechart span=5m max(run_time) AS run_time by acceleration

Listing Data models

|datamodel |rex field=_raw "\"description\":\"(?<Description>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+)\"\," |rex field=_raw "\"modelName\":\"(?<DataSetName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\," |rex field=_raw "\"parentName\":\"(?<ParentName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\," |rex field=_raw "\"autoextractSearch\":(?<SearchDetails>.*\")\,\"previewSearch.*" |table Description DataSetName SearchDetails |eval SearchDetails=replace(SearchDetails,",\"previewSearch.*","") |fillnull Description value="Description not available"

Significant Data Ingress/Egress

Generally, one expects a client-server conversation to carry more data on the download side than on the upload side. This search can detect greater upload than download over a time period, i.e. a client sending significantly more data than it receives from a server (e.g. data exfiltration). For the best search results, query on a sourcetype […]

Detect Indexers in Maintenance Mode

This query will show any clustered indexers that are currently in maintenance mode. For it to work as an alert you will need to schedule it. It will not work if you run it in real time.

sourcetype=splunkd reason="'Maintenance mode*" | dedup host | eval maintenance_mode_enabled=if(reason="'Maintenance mode started'", "true", "false") | where maintenance_mode_enabled="true" | […]

Multiple Malware Detections on a Single Host

This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and incorporating a search over a longer time span (say 60m) is I found it to provide better results and fewer false negatives if the infrastructure isn't set up to ingest data in near real-time.

index=malware category="something_high_fidelity" | […]

Baselining Dashboard

This is a better and more flexible option than timewrap in my opinion. Performance ain't too shabby either.

index=foo earliest=-1d latest=now | timechart span=10m count as Current | appendcols [ search index=foo earliest=-1mon-1d latest=-mon | timechart span=10m count as "-1 Month"] | appendcols [ search index=foo earliest=-1w-1d latest=-w | timechart span=10m count as "-1 Week"]

IPS Traffic Increase

You can use this for any type of baselining alert around a predefined standard deviation. I used the IDS data model but the same logic can be applied to any random index.

|`tstats` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.ids_type="network" by IDS_Attacks.dest,_time span=10m | stats count by IDS_Attacks.dest,_time | eval threshold=relative_time(now(),"-10m") | stats max(eval(if(_time>=threshold, count, null()))) as latest […]

Nessus Security Center Dashboard

Description: This dashboard is intended to make it easier to search the results from Nessus Security Center. It doesn't require any additional add-ons.

<form> <label>Nessus Scan Results</label> <fieldset submitButton="true" autoRun="false"> <input type="checkbox" token="t_severity"> <label>Severity</label> <choice value="Critical">Critical</choice> <choice value="High">High</choice> <choice value="Medium">Medium</choice> <choice value="Low">Low</choice> <prefix>(</prefix> <suffix>)</suffix> <initialValue>Critical,High,Medium,Low</initialValue> <valuePrefix>severity.name=</valuePrefix> <delimiter> OR </delimiter> </input> <input type="multiselect" token="t_scan_name"> <label>Scan Name</label> <choice […]
