Use this search to audit your correlation searches. It reports who authored each correlation search, who last modified it, and similar metadata. It also gives a brief indication of whether the correlation search has triggered in the past 30 days, considering it has notable […]
Query to see incidents logged by correlation search in ES incident review dashboard
| `incident_review`
| search rule_name="<correlation_search_name>"
Detect Credit Card Numbers using Luhn Algorithm
Description: Detect whether any log file indexed in Splunk contains credit card numbers, by extracting candidate digit strings and validating them with the Luhn check-digit algorithm.
index=* ((source IN("*.log","*.bak","*.txt","*.csv","/tmp*","/temp*","c:\tmp*")) OR (tag=web dest_content=*))
| eval comment="Match against the simple CC regex to narrow down the events in the lookup"
| rex max_match=1 "[\"\s\'\,]{0,1}(?<CCMatch>[\d.\-\s]{11,24})[\"\s\'\,]{0,1}"
| where isnotnull(CCMatch)
| eval comment="Strip separators (whitespace, dots, dashes) before applying the Luhn algorithm"
| eval cc=tonumber(replace(CCMatch,"[\s\.\-]",""))
| eval comment="Lower min to 11 to find additional CCs, which may pick up POSIX timestamps as well"
| where len(cc)>=14 AND len(cc)<=16
| eval comment="Zero-pad to 24 digits (leading zeros do not change the Luhn sum), split into digits and reverse them"
| eval cc=printf("%024d", cc)
| eval ccd=split(cc,"")
| foreach 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 [ | eval ccd_reverse=mvappend(ccd_reverse,mvindex(ccd,<<FIELD>>)) ]
| rename ccd_reverse AS ccd
| eval comment="cce = digits at even positions from the right (kept as-is), cco = odd positions (doubled)"
| eval cce=mvappend(mvindex(ccd,0),mvindex(ccd,2),mvindex(ccd,4),mvindex(ccd,6),mvindex(ccd,8),mvindex(ccd,10),mvindex(ccd,12),mvindex(ccd,14),mvindex(ccd,16),mvindex(ccd,18),mvindex(ccd,20),mvindex(ccd,22),mvindex(ccd,24))
| eval cco=mvappend(mvindex(ccd,1),mvindex(ccd,3),mvindex(ccd,5),mvindex(ccd,7),mvindex(ccd,9),mvindex(ccd,11),mvindex(ccd,13),mvindex(ccd,15),mvindex(ccd,17),mvindex(ccd,19),mvindex(ccd,21),mvindex(ccd,23))
| eval cco2=mvmap(cco,cco*2)
| eval cco2HT10=mvfilter(cco2>9)
| eval cco2LT10=mvfilter(cco2<=9)
| eval cco2LH10dt=mvmap(cco2HT10,cco2HT10-9)
| fillnull value=0 cco2LT10 cco2LH10dt
| eval comment="Sum per event: grouping by a row counter keeps events that contain the same cc from being summed together"
| streamstats count AS row
| eventstats sum(cce) AS t1 sum(cco2LT10) AS t2 sum(cco2LH10dt) AS t3 BY cc row
| eval totalChecker=t1+t2+t3
| eval CCIsValid=if((totalChecker%10)=0,"true","false")
| fields - cc ccd cce cco cco2 cco2HT10 cco2LT10 cco2LH10dt t1 t2 t3 totalChecker row
| where CCIsValid="true"
| eval comment="Find the field where we found the CC number"
| foreach _raw * [ | eval CCStringField=if("<<FIELD>>"!="CCMatch" AND like('<<FIELD>>',"%".CCMatch."%"),"<<FIELD>>",CCStringField) ]
| table _time CCMatch CCStringField source sourcetype host src dest http_user_agent
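The same detection logic in Python, added here as a reference example (it is not part of the original page and not Splunk code), so the SPL search can be validated against known Luhn-valid test card numbers before it is run across index=*. The candidate regex, the separator stripping and the 14-16 digit length gate mirror the search. It deliberately goes a little further than the SPL: it examines every match in every string field (the search uses max_match=1), and it keeps the digits as a string instead of converting them to a number, which sidesteps the precision loss a double incurs for 16-digit values above 2^53 (those starting with 9). The sample events are constructed, not real log data.

```python
import re

# Same candidate pattern as the SPL rex above: 11-24 characters of digits, dots,
# dashes and whitespace, optionally wrapped in a quote, comma or whitespace delimiter.
CANDIDATE_RE = re.compile(r"[\"\s',]?(?P<CCMatch>[\d.\-\s]{11,24})[\"\s',]?")
# Separators stripped before the Luhn check (the SPL's replace() step).
SEPARATORS_RE = re.compile(r"[\s.\-]")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: from the right, double every second digit, subtract 9 when
    the doubled value exceeds 9, and require the sum to be a multiple of 10.
    Leading zeros contribute nothing, so the SPL's zero-padding to 24 digits is harmless."""
    if not digits.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(event: dict, min_len: int = 14, max_len: int = 16) -> list:
    """Return (field, matched_text, digits) for every Luhn-valid candidate in one event.

    Differences from the SPL, deliberately: every match in every string field is
    examined (the search uses max_match=1), and the digits stay a string.
    """
    hits = []
    for field, value in event.items():
        if not isinstance(value, str):
            continue
        for m in CANDIDATE_RE.finditer(value):
            matched = m.group("CCMatch")
            digits = SEPARATORS_RE.sub("", matched)
            # Length gate from the search: 14-16 digits. Lowering it to 11 admits
            # 13-digit epoch-millisecond timestamps, hence the comment in the SPL.
            if not (min_len <= len(digits) <= max_len):
                continue
            if luhn_valid(digits):
                hits.append((field, matched.strip(), digits))
    return hits


def scan(events: list) -> list:
    """Run find_card_numbers over a list of events; rows are (event_index, field, text, digits)."""
    return [(i, *hit) for i, ev in enumerate(events) for hit in find_card_numbers(ev)]


# Constructed sample events (not real log data). Event 0 carries a Luhn-valid Visa
# test number, event 1 the same number with a wrong check digit, event 2 an Amex
# test number inside a JSON body, event 3 a 14-digit timestamp that passes the
# length gate but fails the Luhn check.
SAMPLE_EVENTS = [
    {"_raw": "2024-01-01 12:30:45 checkout user=alice card=4111-1111-1111-1111 amount=19.99",
     "source": "/var/log/app/checkout.log"},
    {"_raw": "2024-01-01 12:31:02 checkout user=bob card=4111-1111-1111-1112 amount=5.00",
     "source": "/var/log/app/checkout.log"},
    {"_raw": "2024-01-01 12:32:10 GET /api/pay",
     "dest_content": '{"pan": "378282246310005", "ok": true}',
     "source": "/var/log/app/web.log"},
    {"_raw": "ts=20240101123045 batch=nightly status=done",
     "source": "/var/log/app/batch.log"},
]

if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
```

Running it reports two hits: the Visa test number in event 0 (`_raw`) and the Amex test number in event 2 (`dest_content`). The wrong check digit in event 1 and the 14-digit timestamp in event 3 are rejected by the Luhn step, which is the same filter that keeps the SPL's hit list short; note that roughly one in ten arbitrary digit strings passes Luhn, so a 14-16 digit timestamp or order id can still surface as a false positive and the length gate matters.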
CrowdStrike Audit Event Correlation
Summary: CrowdStrike creates logs in JSON format and sends two different datasets to the same sourcetype: security events from its detection tooling and audit events from its management console. The audit events contain analyst data, such as when an analyst marks a detection as a true positive, and within CrowdStrike these are joined with the security event itself. To […]
Listing incident review and the closing comments
index=_audit sourcetype="incident_review"
| table rule_name comment status
| rename rule_name AS "Notable Event" comment AS "Closing Comment" status AS Status
| eval Status=case(Status=0,"Unassigned", Status=1,"New", Status=2,"In Progress", Status=3,"Pending", Status=4,"Resolved", Status=5,"Closed", true(),"Unknown (".Status.")")
| dedup "Closing Comment"
List all ES Correlation Searches
| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)"
| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)"
| rename action.correlationsearch.label as Search_Name
    title as Rule_Name
    eai:acl.app as Application_Context
    request.ui_dispatch_app as UI_Dispatch_Context
    description as Description
    Data_Model as Guided_Mode:Data_Model
    Dataset as Guided_Mode:Dataset
    action.customsearchbuilder.enabled as Guided_Mode
    action.customsearchbuilder.spec as Guided_Mode:Search_Logic
    search as Search
    dispatch.earliest_time as Earliest_Time
    dispatch.latest_time as Latest_Time
    cron_schedule as Cron_Schedule
    schedule_window as Schedule_Window
    schedule_priority as Schedule_Priority
    alert_type as Trigger_Conditions:Trigger_Alert_When
    alert_comparator as Trigger_Conditions:Alert_Comparator
    alert_threshold as Trigger_Conditions:Alert_Threshold
    alert.suppress.period as Throttling:Window_Duration
    alert.suppress.fields as Throttling:Fields_To_Group_By
    action.notable.param.rule_title as Notable:Title
    action.notable.param.rule_description as Notable:Description
    action.notable.param.security_domain as Notable:Security_Domain
    action.notable.param.severity as Notable:Severity
    action.notable.param.default_owner as Notable:Default_Owner
    action.notable.param.default_status as Notable:Default_Status
    action.notable.param.drilldown_name as Notable:Drill-down_Name
    action.notable.param.drilldown_search as Notable:Drill-down_Search
    action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset
    action.notable.param.drilldown_latest_offset as Notable:Drill-down_Latest_Offset
    action.notable.param.next_steps as Notable:Next_Steps
    action.risk.param._risk_score as Risk_Analysis:Risk_Score
    action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field
    action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type
| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No")
| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No")
| table disabled Search_Name, Rule_Name, Application_Context, UI_Dispatch_Context, Description,
    Guided_Mode:Enabled, Guided_Mode:Data_Model, Guided_Mode:Dataset, Guided_Mode:Search_Logic, Search,
    Earliest_Time, Latest_Time, Cron_Schedule, Real-time_Scheduling_Enabled, Schedule_Window, Schedule_Priority,
    Trigger_Conditions:Trigger_Alert_When, Trigger_Conditions:Alert_Comparator, Trigger_Conditions:Alert_Threshold,
    Throttling:Window_Duration, Throttling:Fields_To_Group_By,
    Notable:Title, Notable:Description, Notable:Security_Domain, Notable:Severity, Notable:Default_Owner, Notable:Default_Status,
    Notable:Drill-down_Name, Notable:Drill-down_Search, Notable:Drill-down_Earliest_Offset, Notable:Drill-down_Latest_Offset, Notable:Next_Steps,
    Risk_Analysis:Risk_Score, Risk_Analysis:Risk_Object_Field, Risk_Analysis:Risk_Object_Type