index=_audit sourcetype="incident_review"
| table rule_name comment status
| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status
| eval Status=case(Status=0,"Unassigned", Status=1,"New", Status=2,"In Progress", Status=3,"Pending", Status=4,"Resolved", Status=5,"Closed", true(),"Unknown (".Status.")")
| dedup "Closing Comment"
Note: the status numbers are the Enterprise Security defaults (0 Unassigned, 1 New, 2 In Progress, 3 Pending, 4 Resolved, 5 Closed); if your deployment has custom statuses, adjust the case() mapping. dedup on "Closing Comment" keeps only the first notable per distinct comment and silently drops notables that have no comment at all; add keepempty=true to dedup if you want those rows kept.
Investigate by MAC, IP all VPN authentications through CISCO_ISE
Helps to investigate authentications through the CISCO_ISE device: it identifies who logged in, plus the MAC address and IP of the client, for any use case.
index=<your cisco index> "<your IP>"
| rex field=cisco_av_pair "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)"
| rex field=cisco_av_pair "mdm-tlv=device-platform=(?<OS>\w+)"
| rex field=_raw "(?<IP><IP regex>)"
| iplocation IP
| stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
| rename _time as Time Acct_Status_Type as Status IP as "SourceIP - DestIP"
| convert ctime(Time)
| fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In
Note: replace <your cisco index>, "<your IP>" and <IP regex> with your own values. The IP column can be renamed to anything you like, but the same name must then be used in the final fields list. Because stats groups by the raw _time, you get one row per accounting record; add a bin _time span=... before stats if you want per-interval packet totals. The original search also renamed RequestLatency to LoadTime, but that field is not carried through stats, so the rename had no effect; include values(RequestLatency) in the stats clause if you need it.
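Added example (not part of the original page): once the authentications are geo-enriched, the same pipeline can be turned into a quick check for accounts that authenticated from more than one country, or from an unusual number of devices, in the searched time range. It keeps the page's <your cisco index> and <IP regex> placeholders, and assumes that RADIUS accounting-start records carry Acct_Status_Type=Start; the thresholds (more than one country, more than three MAC addresses) are arbitrary and should be tuned to your user base.

```spl
index=<your cisco index> Acct_Status_Type=Start
| rex field=cisco_av_pair "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)"
| rex field=_raw "(?<IP><IP regex>)"
| iplocation IP
| stats earliest(_time) as First_Seen latest(_time) as Last_Seen dc(Country) as Country_Count values(Country) as Countries dc(MAC_ID) as Device_Count values(MAC_ID) as Devices count as Sessions by User_Name
| where Country_Count > 1 OR Device_Count > 3
| convert ctime(First_Seen) ctime(Last_Seen)
| sort -Country_Count -Device_Count
```

Users who appear here are a starting point for the per-IP investigation above, not a verdict: travelling staff, split tunnels and carrier NAT all produce multi-country results, so check the Countries and Devices columns before escalating.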
Investigate an IP through Palo Alto Logs
index=<your palo alto index> <IP you want to investigate>
| stats c sum(bytes) as Total_Bytes by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
| rename client_ip as SourceIP
| fields + _time SourceIP client_location application action dest_location Total_Bytes "app:able_to_transfer_file" "app:has_known_vulnerability"
Note: in Palo Alto traffic logs bytes is the total for the session; use sum(bytes_out) and sum(bytes_in) instead if you need direction. The stats clause keeps user, dest_ip, session_end_reason and the remaining app:* flags so they are available for drill-down; add them back to the final fields list when you want them in the table.
List Deployment Clients
index=_internal sourcetype=splunkd "deployment_client"
| stats latest(_time) as LatestReportTime values(server_name) as Server_Name by host
| convert ctime(LatestReportTime)
| rename host as Host
| fields + Host Server_Name LatestReportTime
Note: this only sees forwarders that ship their _internal index to the indexers you are searching; a client that has stopped forwarding altogether will simply be missing.
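Added example (not from the original page): the deployment server itself keeps the authoritative client list, which can be read through its REST endpoint instead of inferring it from splunkd logs. This search must be run on the deployment server (or with a splunk_server= argument pointing at it) and assumes the endpoint returns the hostname, ip, dns, clientName, splunkVersion and lastPhoneHomeTime (epoch seconds) fields; the one-hour staleness threshold is arbitrary.

```spl
| rest /services/deployment/server/clients
| eval Stale=if(now() - lastPhoneHomeTime > 3600, "yes", "no")
| eval LastPhoneHome=strftime(lastPhoneHomeTime, "%Y-%m-%d %H:%M:%S")
| table hostname ip dns clientName splunkVersion LastPhoneHome Stale
| sort -Stale hostname
```

Clients marked Stale have not phoned home within the threshold: either the forwarder is down, it cannot reach the deployment server, or its deploymentclient.conf has been changed, all of which are worth a look from a monitoring-coverage point of view.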
List Reports and Wrap the text
| rest /servicesNS/-/-/saved/searches
| search alert_type="always"
| fillnull value=0 triggered_alert_count
| table title description search alert_type triggered_alert_count "alert.expires" "alert.suppress" "alert.suppress.fields"
| sort - triggered_alert_count
| rex max_match=100 field=search "(?<split__regex>.{0,100}(?:\s|$)|.{100})"
| rename split__regex as search
Note: the original search ran table before fillnull and sort, which dropped triggered_alert_count before it was sorted on; it is now kept in the table. The rex breaks the search string into chunks of up to 100 characters (at whitespace where possible) and rename turns that multivalue field back into the search column, so long searches wrap instead of running off the page.
List Notable events with closing history details
`notable`
| stats latest(lastTime) as LastTimeSeen values(rule_name) as "Rule Name" values(comment) as "Historical Analysis" values(user) as User by _time event_id urgency
| eval LastTimeSeen=strftime(LastTimeSeen,"%+")
Listing Data Models
| datamodel
| rex field=_raw "\"description\":\"(?<Description>[^\"]+)\""
| rex field=_raw "\"modelName\":\"(?<DataSetName>[^\"]+)\""
| rex field=_raw "\"parentName\":\"(?<ParentName>[^\"]+)\""
| rex field=_raw "\"autoextractSearch\":(?<SearchDetails>.*?),\"previewSearch\""
| fillnull value="Description not available" Description
| table DataSetName Description SearchDetails
Note: the original extraction only matched descriptions of one to seven plain words; [^"]+ matches any description up to the closing quote (descriptions that contain an escaped quote will be cut short at it). A non-greedy .*? is used for autoextractSearch so the capture stops at the first previewSearch rather than the last one in the JSON, which also makes the old replace() clean-up unnecessary. ParentName is extracted but not shown; add it to the table if you want it.
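Added example (not from the original page): the same inventory can be taken from the data model REST endpoint, which exposes title, description, the owning app and the acceleration settings as fields, so no regex over _raw is needed and acceleration status comes for free. It assumes the endpoint returns the acceleration settings as a JSON string in a field named acceleration (with enabled and earliest_time keys) and the app in eai:acl.app.

```spl
| rest /servicesNS/-/-/datamodel/model
| spath input=acceleration path=enabled output=Accelerated
| spath input=acceleration path=earliest_time output=Acceleration_Range
| eval Description=if(isnull(description) OR description="", "Description not available", description)
| fillnull value="false" Accelerated
| rename title as DataSetName "eai:acl.app" as App
| table DataSetName App Description Accelerated Acceleration_Range
| sort App DataSetName
```

Use the eval rather than fillnull for the description: fillnull only replaces missing fields, and an empty JSON string is present but empty. Knowing which models are accelerated (and over what range) tells you which ones tstats-based detections can actually run against.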