Primary Search for Local Domain Controller Exploitation by Zerologon index=”<windows_index>” (sourcetype=”<windows_sourcetype_security>” OR source=”windows_source_security”) EventCode=”4742″ OR EventCode=”4624″ AND (src_user=”*anonymous*” OR member_id=”*S-1-0*”) `comment(“This looks for all 4624 and 4742 events under an ‘ANONYMOUS USER’, which are tied to the exploitation of Zerologon”)` | eval local_system=mvindex(upper(split(user,”$”)),0) `comment(“This effectively splits the user field, which when parsed with the TA […]
ProofPoint TAP Dashboard
<form> <label>TAP Dashboard</label> <description>Direct pull from TAP API</description> <fieldset autoRun=”true” submitButton=”false”> <input type=”time” token=”time” searchWhenChanged=”true”> <label>Select Time</label> <default> <earliest>@d</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Quarantine Trends</title> <chart> <search> <query>sourcetype=proofpoint_tap quarantineFolder=* AND quarantineFolder!=”” | stats dc(messageID) AS distinct_message_ids by quarantineFolder | sort -distinct_message_ids</query> <earliest>$earliest$</earliest> <latest>$latest$</latest> </search> <option name=”charting.chart”>pie</option> <option name=”charting.chart.showDataLabels”>all</option> <option name=”charting.drilldown”>all</option> <option name=”charting.legend.placement”>none</option> <option […]
Detect Dying Sourcetypes
This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period. | tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype […]
Triggered Alert Analytics
Primary Dashboards Contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you utilize (ie. 0001 – AlertName). You will need an outputlookup to generate the bottom two tables; it will be based on the query that generates the second table in the dashboard. <form theme=”dark”> […]
F5 SL ASM iRule Parser for Hosted Deployments
sourcetype=f5:silverline:asm irule=* vs_ip=* | rex “(?<log>.*)” | eval log_stripped = replace(log, “\\\\”,””) | rex field=log_stripped “data=\”(?<data_section>.*?)\”, irule=” | spath input=data_section
Groundspeed Violation/Improbable Access
Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]
F5 BigIP Brute Force and Session Abuse
Multiple Users with Authentications from Singular, non-Whitelisted IP Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particular useful during COVID-19 WFH constraints. The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a […]