Summary CrowdStrike creates logs in JSON format and sends two different datasets to the same sourcetype: security events from its detection tools and audit events from its management tool. These audit events contain analyst data about when they mark events as true positive, and within CrowdStrike these are joined with the security event itself. To […]
Listing incident review and the closing comments
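``` Closing comments written by analysts in Enterprise Security incident review.
    The incident_review sourcetype in _audit records every status/comment change
    on a notable event, so each row below is one review action, not one notable. ```
index=_audit sourcetype="incident_review"
``` rule_id identifies the notable event. Deduplicating on the comment alone
    collapsed distinct notables that share a comment (including the empty one). ```
| dedup rule_id comment
``` Default ES review statuses: 0 Unassigned, 1 New, 2 In Progress, 3 Pending,
    4 Resolved, 5 Closed. The original mapped only 2 and 5 and reported every
    other value as "Not assigned". Status sets are configurable per deployment —
    confirm these codes against the reviewstatuses configuration before relying
    on the labels. ```
| eval Status=case(status==5, "Closed",
                   status==4, "Resolved",
                   status==3, "Pending",
                   status==2, "In Progress",
                   status==1, "New",
                   true(),    "Not assigned")
``` _time and user add when the change was made and by which analyst. ```
| table _time user rule_id rule_name comment Status
| rename rule_name as "Notable Event", comment as "Closing Comment", user as Analyst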
List all ES Correlation Searches
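``` Inventory of Enterprise Security correlation searches on this search head.
    splunk_server=local: on a search head cluster run this where the ES
    knowledge objects live, or the list is incomplete. Search and
    Notable:Drill-down_Search hold the full detection logic and the disabled
    column shows coverage gaps — treat an export of this table as sensitive. ```
| rest splunk_server=local count=0 /services/saved/searches
``` Anchored so only the boolean spellings match. The original pattern was
    unanchored, so "[Tt]" matched any value containing a t. ```
| where match('action.correlationsearch.enabled', "^(1|[Tt]|[Tt][Rr][Uu][Ee])$")
``` Guided-mode spec is a JSON string. \s* accepts both "key": "value" and
    "key":"value"; the original \s+ required at least one space and silently
    left Data_Model/Dataset empty for compact JSON. ```
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s*\\\"(?<Data_Model>\w+)"
| rex field=action.customsearchbuilder.spec "object\\\":\s*\\\"(?<Dataset>\w+)"
``` Identity and guided-mode attributes. ```
| rename action.correlationsearch.label as Search_Name,
         title as Rule_Name,
         eai:acl.app as Application_Context,
         request.ui_dispatch_app as UI_Dispatch_Context,
         description as Description,
         Data_Model as Guided_Mode:Data_Model,
         Dataset as Guided_Mode:Dataset,
         action.customsearchbuilder.enabled as Guided_Mode,
         action.customsearchbuilder.spec as Guided_Mode:Search_Logic,
         search as Search
``` Scheduling attributes. ```
| rename dispatch.earliest_time as Earliest_Time,
         dispatch.latest_time as Latest_Time,
         cron_schedule as Cron_Schedule,
         schedule_window as Schedule_Window,
         schedule_priority as Schedule_Priority
``` Trigger conditions and throttling. ```
| rename alert_type as Trigger_Conditions:Trigger_Alert_When,
         alert_comparator as Trigger_Conditions:Alert_Comparator,
         alert_threshold as Trigger_Conditions:Alert_Threshold,
         alert.suppress.period as Throttling:Window_Duration,
         alert.suppress.fields as Throttling:Fields_To_Group_By
``` Notable event action. Drill-down_Latest_Offset was spelled with a lowercase
    d in the original; made consistent with the other Drill-down columns. ```
| rename action.notable.param.rule_title as Notable:Title,
         action.notable.param.rule_description as Notable:Description,
         action.notable.param.security_domain as Notable:Security_Domain,
         action.notable.param.severity as Notable:Severity,
         action.notable.param.default_owner as Notable:Default_Owner,
         action.notable.param.default_status as Notable:Default_Status,
         action.notable.param.drilldown_name as Notable:Drill-down_Name,
         action.notable.param.drilldown_search as Notable:Drill-down_Search,
         action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset,
         action.notable.param.drilldown_latest_offset as Notable:Drill-down_Latest_Offset,
         action.notable.param.next_steps as Notable:Next_Steps
``` Risk analysis action. ```
| rename action.risk.param._risk_score as Risk_Analysis:Risk_Score,
         action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field,
         action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type
``` Human-readable flags. The colon and hyphen in these destination names are
    kept from the original; NOTE(review): confirm your Splunk version accepts
    them unquoted on the left of eval. ```
| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No")
| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No")
``` disabled is left as the raw REST value (0/1) so it can be filtered numerically. ```
| table disabled, Search_Name, Rule_Name, Application_Context, UI_Dispatch_Context, Description,
        Guided_Mode:Enabled, Guided_Mode:Data_Model, Guided_Mode:Dataset, Guided_Mode:Search_Logic,
        Search, Earliest_Time, Latest_Time, Cron_Schedule, Real-time_Scheduling_Enabled,
        Schedule_Window, Schedule_Priority,
        Trigger_Conditions:Trigger_Alert_When, Trigger_Conditions:Alert_Comparator, Trigger_Conditions:Alert_Threshold,
        Throttling:Window_Duration, Throttling:Fields_To_Group_By,
        Notable:Title, Notable:Description, Notable:Security_Domain, Notable:Severity,
        Notable:Default_Owner, Notable:Default_Status,
        Notable:Drill-down_Name, Notable:Drill-down_Search, Notable:Drill-down_Earliest_Offset, Notable:Drill-down_Latest_Offset,
        Notable:Next_Steps,
        Risk_Analysis:Risk_Score, Risk_Analysis:Risk_Object_Field, Risk_Analysis:Risk_Object_Type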