The following shows IoCs for directory traversal, RFI and LFI within IIS logging:
index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js") AND (referer="-" OR referer="") AND (uri_query="*passwd*" OR uri_query="*cmd*" OR uri_query="*%00*" OR uri_query="*.txt*") | table _time, clientip, status, uri_query
IIS: 404 errors
Get an overview of all 404 errors; an increase might be an IoC.
index=web_p sourcetype="ms:iis:default" status=404 | timechart count
IIS: 401 and 403 errors
Get an overview of 401 and 403 errors; an increase might be an IoC.
index=* sourcetype="ms:iis:default" sc_status=401 OR sc_status=403 | table _time, sc_status, sc_substatus, uri_path | timechart count by sc_status
IIS: Indicators of XSS and SQLi attacks
The following query shows IoCs for XSS and SQLi. The complete query is truncated here because this site would not accept it; the full query should also include "OR javascript" followed by ":alert".
index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js" OR "cookie-min.js" OR "RESET-COOKIE" OR "form.user-info-from-cookie") AND ("&#" OR "script>" OR "script%3E" OR "`" OR "cookie" OR alert\( […]
IIS Response Time
host="*" sourcetype=iis (insertIISurl) | eval time_taken = time_taken/1000 | stats max(time_taken) AS "Highest Response Time"
host="*" sourcetype=iis (insertIISurl) | eval time_taken = time_taken/1000 | stats avg(time_taken) AS "Average Response Time"
host="*" sourcetype=iis (insertIISurl) | eval time_taken = time_taken/1000 | stats min(time_taken) AS "Fastest Response Time"
The three queries above feed three panels: fastest, average and highest response time. IIS logs time_taken in milliseconds, so dividing by 1000 gives seconds. […]
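The indicator and status searches above (traversal/LFI terms in the query string, XSS/SQLi tokens, 401/403/404 counts per time bucket, and the time_taken statistics) reimplemented as plain Python over raw IIS W3C log lines, so the logic can be exercised offline without a Splunk instance. This is an added example, not code from the page or Splunk SPL. Field names are taken from the IIS #Fields header; the log lines, addresses and the bucket helper are constructed for this example, and the XSS/SQLi term list is only the part the page shows.

```python
"""Added example, not code from the page: the indicator and status searches
above (traversal/LFI terms in the query string, XSS/SQLi tokens, 401/403/404
counts per time bucket, time-taken statistics) reimplemented in Python over
raw IIS W3C log lines. Field names come from the IIS #Fields header; the log
lines and addresses below are constructed for this example."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS W3C extended log (default field set): space-delimited,
# "-" means empty, spaces inside a value are written as "+".
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-04 10:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.test/ 200 0 0 12
2024-03-04 10:00:03 10.0.0.5 GET /static/cookie.js v=passwd 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 3
2024-03-04 10:00:07 10.0.0.5 GET /view.aspx file=../../../../etc/passwd 80 - 198.51.100.9 curl/8.0 - 404 0 2 5
2024-03-04 10:00:09 10.0.0.5 GET /view.aspx file=..%2F..%2Fweb.config%00.txt 80 - 198.51.100.9 curl/8.0 - 500 0 0 8
2024-03-04 11:12:30 10.0.0.5 GET /search.aspx q=%3Cscript%3Ealert(1)%3C/script%3E 80 - 198.51.100.9 curl/8.0 - 200 0 0 20
2024-03-04 11:15:00 10.0.0.5 GET /admin/ - 80 - 192.0.2.20 Mozilla/5.0+(X11;+Linux) - 401 2 5 2
2024-03-04 11:20:00 10.0.0.5 GET /admin/ - 80 - 192.0.2.20 Mozilla/5.0+(X11;+Linux) - 403 14 0 2
2024-03-04 11:25:00 10.0.0.5 GET /missing.html - 80 - 192.0.2.20 Mozilla/5.0+(X11;+Linux) - 404 0 2 1
"""

# Terms taken from the page's searches. The XSS/SQLi list is only what the
# page shows (its query is truncated there): a starting point, not complete.
TRAVERSAL_EXCLUDE = ("cookie.js", "script.js")
TRAVERSAL_QUERY_TERMS = ("passwd", "cmd", "%00", ".txt")
XSS_EXCLUDE = ("cookie.js", "script.js", "cookie-min.js", "reset-cookie",
               "form.user-info-from-cookie")
XSS_TERMS = ("&#", "script>", "script%3e", "`", "cookie", "alert(", "javascript:alert")
EPOCH = datetime(1970, 1, 1)  # naive reference point for time buckets


def parse_iis_w3c(text):
    """One dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["_raw"] = line
        rec["_time"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                         "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])  # IIS logs milliseconds
        records.append(rec)
    return records


def traversal_lfi_iocs(records):
    """NOT (cookie.js OR script.js), empty referer, and a traversal/LFI term in
    cs-uri-query. Splunk wildcard matches are case-insensitive, so lowercase."""
    hits = []
    for r in records:
        if any(x in r["_raw"].lower() for x in TRAVERSAL_EXCLUDE):
            continue
        if r["cs(Referer)"] not in ("-", ""):
            continue
        if any(t in r["cs-uri-query"].lower() for t in TRAVERSAL_QUERY_TERMS):
            hits.append(r)
    return hits


def xss_sqli_iocs(records):
    """Exclusions and tokens from the XSS/SQLi search. Substring matching is an
    approximation of Splunk's term search ("cookie" here matches any substring)."""
    hits = []
    for r in records:
        raw = r["_raw"].lower()
        if any(x in raw for x in XSS_EXCLUDE):
            continue
        if any(t in raw for t in XSS_TERMS):
            hits.append(r)
    return hits


def status_timechart(records, statuses, span_seconds=3600):
    """timechart count by sc_status: {(bucket_start, status): count}."""
    counts = Counter()
    for r in records:
        if r["sc-status"] in statuses:
            secs = int((r["_time"] - EPOCH).total_seconds())
            bucket = EPOCH + timedelta(seconds=secs - secs % span_seconds)
            counts[(bucket, r["sc-status"])] += 1
    return dict(counts)


def response_time_stats(records):
    """Fastest, average and highest time-taken in seconds (ms / 1000)."""
    secs = [r["time-taken"] / 1000 for r in records]
    return min(secs), sum(secs) / len(secs), max(secs)
```

Running `parse_iis_w3c(SAMPLE_LOG)` and passing the records to the four functions reproduces what the Splunk panels would show: the two `/view.aspx` requests from 198.51.100.9 are the traversal/LFI hits (the `cookie.js` request with `passwd` in its query is dropped by the exclusion, exactly as the SPL's `NOT` clause drops it), the `/search.aspx` request is the only XSS hit, and the 404/401/403 counts land in the 10:00 and 11:00 buckets. Substring matching on the raw line is deliberately broader than Splunk's tokenised term search, so expect some extra noise from the bare `cookie` term when you run this over real logs.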
Top Visited Pages in IIS Web Logs
There are a number of ways to track user behavior within web logs. One such method, used in this query, is the JSESSIONID. The variable you can/will change in this query is the reference to JSESSIONID, to better align it with your web logs and web site(s) in general. This working […]
Simple GeoIP Information for Web Traffic
This simple query will show whether IIS traffic came to a given site from one of three geographical possibilities: "United States", "International" or "Unknown" sources. This relies entirely on the geoip lookup. You can change the country of "United States" to anything you desire for your own data set (just make the change in the eval section below!). […]
User Agent – Operating System Info for web traffic
The following Splunk query will return a list of the operating systems seen in IIS log traffic. It essentially uses a lookup to check the user agent against a known list. NOTE: the app "TA-browscap_express - HTTP User Agent lookup with browscap" must be installed.
sourcetype=iis | dedup JSESSIONID | eval http_user_agent=urldecode(cs_User_Agent) | lookup browscap_lookup_express http_user_agent OUTPUT ua_platform_description […]
User Agent – Browser Details & Information for IIS
This Splunk query will reference a lookup table to return user agent (browser) information within IIS logs. Specifically, the output will list browser name and version, crawler, and mobile. It gives a count based on visits, not hits (hence the dedup). Depending on the length of time, this query can take a very long […]
Total Unique Browsers detected in IIS logs
The following Splunk search query will show a count of unique browsers (the calculation includes the version) that hit a given website within IIS logs:
sourcetype=iis | stats dc(cs_User_Agent)
Weekday Web Traffic Summary in IIS
The following Splunk query will show a summary of all weekday activity for a given website in IIS.
sourcetype="iis" (NOT date_wday=saturday) (NOT date_wday=sunday) | stats count(JSESSIONID) as Value | eval Metric="Total Hits on Weekdays" | append [ search sourcetype="iis" (NOT date_wday=saturday) (NOT date_wday=sunday) | stats dc(JSESSIONID) as Value | eval Metric="Total Visits on Weekdays" ] | append [ search sourcetype="iis" (NOT date_wday=saturday) (NOT date_wday=sunday) […]
Weekend Web Traffic Summary in IIS
The following Splunk query will return a summary of weekend activity for a given IIS hosted website.
sourcetype="iis" (date_wday=saturday OR date_wday=sunday) | stats count(JSESSIONID) as Value | eval Metric="Total Hits on Weekends" | append [ search sourcetype="iis" (date_wday=saturday OR date_wday=sunday) | stats dc(JSESSIONID) as Value | eval Metric="Total Visits on Weekends" ] | append [ search […]
Visits by Hour of the Day in IIS
The following Splunk query will list the total visits for each hour in a given time range.
sourcetype="iis" | top limit=24 date_hour | sort +date_hour | rename count as Visits | rename date_hour as "Hour of the Day"
Total Hits on Most Active Day in IIS
The following Splunk query will return the total number of hits on the most active day in a given time range within an IIS environment:
sourcetype="iis" | top limit=1 date_mday | rename count as Value | fieldformat Value=tostring(Value,"commas") | eval Metric="Number of hits on Most active date" | fields - date_mday, count, percent | fields Metric, […]
Total Hits on Least Active Day in IIS
The following Splunk query will return the total number of hits to a web site on the least active day of a given time range:
sourcetype="iis" | rare limit=1 date_mday | rename count as Value | fieldformat Value=tostring(Value,"commas") | eval Metric="Number of hits on least active date" | fields - date_mday, count, percent | fields Metric, […]
Most Active Day and Least Active Day for IIS Web Traffic
The following Splunk query will return the most active and the least active days for web traffic in an IIS environment:
sourcetype="iis" | bucket span=1d _time | top limit=1 _time | eval Date=strftime(_time, "%m/%d/%Y") | eval Metric="Most Active Date" | append [ search sourcetype="iis" | bucket span=1d _time | rare limit=1 _time | eval Date=strftime(_time, […]
Visits by Days of the Week in IIS
The following Splunk query will show the number of web visits for each weekday:
sourcetype="iis" | eval uppercase=upper(substr(date_wday,1,1)).substr(date_wday,2) | dedup JSESSIONID | top limit=7 uppercase | eval sort_field=case(uppercase=="Sunday",1, uppercase=="Monday",2, uppercase=="Tuesday",3, uppercase=="Wednesday",4, uppercase=="Thursday",5, uppercase=="Friday",6, uppercase=="Saturday",7) | sort + sort_field | fields - sort_field | rename count as Visits | rename uppercase as "Day of the Week"
Top 5 Visiting Countries in IIS
The following Splunk query will list the top 5 visiting countries using the built-in "iplocation" feature in Splunk:
sourcetype="iis" | iplocation c_ip | top limit=5 Country | eval percent = round(percent,2) . " %" | rename count as Views | rename percent as Percent
Real Time IIS Web Site Connections
Assuming JSESSIONID is auto-extracted, run the following REAL-TIME search (choose your window, I typically go with 5 minutes):
sourcetype="iis" | stats dc(JSESSIONID)
Average Duration of a Session within an IIS Web Environment
This query will report back the average duration of a session within an IIS web environment. The time format will be HH:MM:SS.
sourcetype="iis" | stats range(_time) as duration by JSESSIONID | stats avg(duration) as AVG | fieldformat AVG=tostring(AVG,"duration") | eval AVG=round(AVG, 0)
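The session-based metrics in the weekday/weekend summaries, the visits-by-hour and visits-by-weekday queries, the real-time distinct-session count and the average session duration above, carried out in Python over already-parsed events so each number can be checked by hand. This is an added example, not code from the page or Splunk SPL. It assumes events have been reduced to (timestamp, JSESSIONID) pairs, as the page assumes JSESSIONID is extracted; the event list is constructed for the example, and the Splunk dedup behaviour noted in the comments is the default reverse-chronological result order.

```python
"""Added example, not code from the page: visits vs. hits by distinct
JSESSIONID, weekday/weekend split, hits per hour, visits per weekday in
Sunday-first order, and average session duration as HH:MM:SS, as the SPL on
this page computes them. Events are constructed (timestamp, JSESSIONID)
pairs; JSESSIONID is assumed to be extracted, as the page assumes."""
from collections import Counter, defaultdict
from datetime import datetime

DAY_NAMES = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
SUNDAY_FIRST = ("sunday",) + DAY_NAMES[:6]  # the order the page's case() builds
WEEKEND = {"saturday", "sunday"}

# Constructed events: three sessions; S3 crosses midnight from Saturday into Sunday.
SAMPLE_EVENTS = [
    ("2024-03-04 09:00:00", "S1"),
    ("2024-03-04 09:05:00", "S1"),
    ("2024-03-04 09:10:30", "S1"),
    ("2024-03-05 14:00:00", "S2"),
    ("2024-03-09 23:50:00", "S3"),
    ("2024-03-10 00:05:00", "S3"),
]


def load_events(rows):
    """Parse timestamps; returns a list of (datetime, JSESSIONID)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sid) for ts, sid in rows]


def day_name(dt):
    """Lowercase weekday name, matching Splunk's date_wday values."""
    return DAY_NAMES[dt.weekday()]


def hits_and_visits(events):
    """count(JSESSIONID) and dc(JSESSIONID): every request vs. distinct sessions."""
    return len(events), len({sid for _, sid in events})


def weekday_weekend_summary(events):
    """The four Metric/Value rows the weekday and weekend summary queries produce."""
    weekday = [e for e in events if day_name(e[0]) not in WEEKEND]
    weekend = [e for e in events if day_name(e[0]) in WEEKEND]
    wd_hits, wd_visits = hits_and_visits(weekday)
    we_hits, we_visits = hits_and_visits(weekend)
    return {"Total Hits on Weekdays": wd_hits, "Total Visits on Weekdays": wd_visits,
            "Total Hits on Weekends": we_hits, "Total Visits on Weekends": we_visits}


def hits_by_hour(events):
    """top limit=24 date_hour | sort +date_hour: request counts per hour (no dedup)."""
    counts = Counter(dt.hour for dt, _ in events)
    return sorted(counts.items())


def dedup_sessions(events):
    """One event per JSESSIONID, keeping the earliest. Splunk's dedup keeps the
    first event in result order (newest first by default), so a session that
    crosses midnight can be attributed to a different day there."""
    first = {}
    for dt, sid in sorted(events):
        first.setdefault(sid, dt)
    return list(first.items())  # (sid, datetime)


def visits_by_weekday(events):
    """dedup JSESSIONID | top limit=7 weekday, ordered Sunday..Saturday, capitalised."""
    counts = Counter(day_name(dt) for _, dt in dedup_sessions(events))
    return [(d.capitalize(), counts.get(d, 0)) for d in SUNDAY_FIRST]


def format_duration(seconds):
    """HH:MM:SS, the shape tostring(x, "duration") renders for under a day."""
    seconds = int(round(seconds))
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def average_session_duration(events):
    """range(_time) per JSESSIONID, then avg: returns (seconds, "HH:MM:SS")."""
    times = defaultdict(list)
    for dt, sid in events:
        times[sid].append(dt)
    durations = [(max(ts) - min(ts)).total_seconds() for ts in times.values()]
    avg = sum(durations) / len(durations) if durations else 0.0
    return avg, format_duration(avg)
```

On the constructed events this gives 6 hits but 3 visits, which is the whole point of the dedup and dc(JSESSIONID) steps in the queries above: a single user clicking through several pages counts once. Single-request sessions contribute a duration of 0 and drag the average down, so when you use the session-duration query for capacity or abuse baselining, consider reporting the median alongside it.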