2 years, 5 months ago
MaryamSaniee wrote a new post
Use this Splunk search to get details about alert actions:
| rest /services/saved/searches splunk_server=local count=0
| table title, actions
2 years, 5 months ago
MaryamSaniee wrote a new post
(in reflected attacks a lot of external benign sources send a lot of packets toward our servers, because our server's IP was spoofed earlier in request packets that were sent by the attacker toward trusted servers, and those […]
2 years, 5 months ago
MaryamSaniee wrote a new post
Use this Splunk search to show each alert's cron_schedule details:
| rest /services/saved/searches splunk_server=local count=0
| search cron_schedule="*/*"
| table title, cron_schedule, author
2 years, 7 months ago
MaryamSaniee wrote a new post
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/ssl/certs/*" Filesystem.file_path IN […]
2 years, 7 months ago
MaryamSaniee wrote a new post
index=* sourcetype="juniper:firewall" src!="192.168.*"
| bin _time span=5m
| stats dc(dest_port) as distinct_port by src, dest, _time
| where distinct_port > 1000
2 years, 7 months ago
MaryamSaniee wrote a new post
index=*
((((EventCode="4688" OR EventCode="1") AND ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) AND (CommandLine="*00000000*" OR […]
2 years, 7 months ago
MaryamSaniee commented on the post, RFQ (Request For Query) – Port Scan
In reply to: rashid47010 wrote a new post: "I am looking for the query [timechart], for example 50 port scan attempts within a second against a list of organization public-facing IP addresses."
Or another way (a better way, without the timechart command):
for example, the list of organization public-facing IP addresses is in the range 123.6.0.0/16:
index=firewall sourcetype="juniper:firewall" src!="192.168.*" AND dest=123.6.0.0/24
| bin _time span=1s
| stats dc(dest_port) as dest_port_count by src, dest, _time
| where dest_port_count > 50
2 years, 7 months ago
MaryamSaniee commented on the post, RFQ (Request For Query) – Port Scan
In reply to: rashid47010 wrote a new post: "I am looking for the query [timechart], for example 50 port scan attempts within a second against a list of organization public-facing IP addresses."
For example, the list of organization public-facing IP addresses is in the range 123.6.0.0/16:
index=firewall sourcetype="juniper:firewall" dest=123.6.0.0/24
| timechart span=1s dc(dest_port) as dest_port_count by src
| where dest_port_count > 50
2 years, 7 months ago
MaryamSaniee became a registered member