Timestamps from the future.

Shows all hosts that are sending events with timestamps more than 5 minutes (300 seconds) ahead of the current time.
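A search that does this, added here as an illustration and not the post's own query (the 300-second threshold is the one named above; `index=*` and the forward-looking `latest` window are assumptions):

```spl
index=* earliest=-15m latest=+100y
| eval seconds_ahead = _time - now()
| where seconds_ahead > 300
| stats count AS future_events
        max(seconds_ahead) AS max_seconds_ahead
        values(sourcetype) AS sourcetypes
        BY host
| eval max_minutes_ahead = round(max_seconds_ahead / 60, 1)
| sort -max_seconds_ahead
```

The explicit `latest=+100y` matters: with the default `latest=now`, Splunk excludes events whose `_time` is in the future, which are exactly the events being looked for. Scheduled every 15 minutes this makes a reasonable alert; the usual culprits it surfaces are hosts with a wrong clock or time zone and sourcetypes whose timestamp extraction is picking up the wrong field.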


Search All Traffic by src / action – Creates Table

This is a handy query for tracking down all internal resources connecting to or from external IPs and countries, tabulated by source and action.
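One way to build that table, added here as an illustration and not the post's own query. It assumes a firewall index with CIM-style `src_ip`, `dest_ip`, `dest_port`, `bytes` and `action` fields, and treats the RFC 1918 ranges as "internal":

```spl
index=firewall action=*
| eval rfc1918_src  = if(cidrmatch("10.0.0.0/8", src_ip)  OR cidrmatch("172.16.0.0/12", src_ip)  OR cidrmatch("192.168.0.0/16", src_ip),  1, 0),
       rfc1918_dest = if(cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip), 1, 0)
| where rfc1918_src != rfc1918_dest
| eval direction   = if(rfc1918_src=1, "outbound", "inbound"),
       external_ip = if(rfc1918_src=1, dest_ip, src_ip)
| iplocation external_ip
| stats count
        dc(external_ip) AS external_ips
        dc(dest_port) AS dest_ports
        sum(bytes) AS bytes
        BY src_ip direction action Country
| sort -count
```

The `where rfc1918_src != rfc1918_dest` line drops purely internal and purely external flows, so only conversations that cross the perimeter remain; `direction` then records which side was internal, and `iplocation` geolocates whichever side was external. Add your own public ranges to the `cidrmatch` lists if the organisation owns routable address space.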


List Notable events with closing history details


Datamodel Search Performance

See how well your data model (DM) searches are running. Run this search with the Line Chart visualization:


Listing Data models


Significant Data Ingress/Egress

Generally, one expects a client-server conversation to carry more data on the download side than on the upload side. This search detects more upload than download over a time period, such as a client sending significantly more data to a server than it receives from it (e.g. data exfiltration). For the best search results, query on a sourcetype […]
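A search of this shape over the CIM Network_Traffic data model, added here as an illustration and not the post's own query. The 50 MB floor (52428800 bytes), the 10:1 ratio and the one-hour span are assumed thresholds; the RFC 1918 ranges stand in for "internal":

```spl
| tstats summariesonly=true
        sum(All_Traffic.bytes_in)  AS bytes_in
        sum(All_Traffic.bytes_out) AS bytes_out
    FROM datamodel=Network_Traffic
    BY _time span=1h All_Traffic.src_ip All_Traffic.dest_ip
| rename All_Traffic.* AS *
| where cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip)
| where bytes_in > 0 AND bytes_out > 0
| eval ratio_out_to_in = round(bytes_out / bytes_in, 1),
       mb_out = round(bytes_out / 1048576, 1),
       mb_in  = round(bytes_in  / 1048576, 1)
| where bytes_out > 52428800 AND ratio_out_to_in > 10
| table _time src_ip dest_ip mb_in mb_out ratio_out_to_in
| sort -mb_out
```

The absolute floor is there because a ratio alone fires on tiny flows (a 2 KB request answered with a 100-byte ACK is a 20:1 "upload"). The caveat that the post's own advice about querying a single sourcetype hints at: which of `bytes_in`/`bytes_out` means "leaving the client" depends on how each add-on maps the vendor's fields, so validate the direction against one known flow (a large file download) before trusting the alert.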


Detect Indexers in Maintenance Mode

This query shows any clustered indexers that are currently in maintenance mode. For it to work as an alert you will need to schedule it; it will not work as a real-time search.


Breathing Fire Dragon when Starting dbx_task_server

Returns events that display a little dragon ASCII art:


svchost Injection

The following Splunk Search will highlight svchost injections:


Multiple Malware Detections on a Single Host

This is a simple enough query for detecting a host with multiple infections/detections. The reason for the bucket and for searching over a longer time span (say 60m) is that I found it gives better results and fewer false negatives if the infrastructure isn't set up to ingest data in near real time.
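One way to express that over the CIM Malware data model, added here as an illustration and not the post's own query. The thresholds (two distinct signatures, or three detections of any kind, per host in the trailing 60 minutes) are assumptions:

```spl
| tstats summariesonly=true
        count AS detections
        dc(Malware_Attacks.signature) AS distinct_signatures
        values(Malware_Attacks.signature) AS signatures
        values(Malware_Attacks.action) AS actions
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
    FROM datamodel=Malware
    WHERE earliest=-60m@m latest=now
    BY Malware_Attacks.dest
| rename Malware_Attacks.* AS *
| where distinct_signatures >= 2 OR detections >= 3
| convert ctime(first_seen) ctime(last_seen)
| sort -detections
```

Scheduling this every 15 minutes over the trailing 60-minute window is what gives the overlap the text describes: a detection that arrives late still lands inside a later run's window instead of falling between two non-overlapping buckets. Pair it with alert throttling keyed on `dest` for 60 minutes so the same host is not raised four times. `values(action)` is worth keeping in the output, since "quarantined" three times and "allowed" three times are different incidents.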


Baselining Dashboard

This is a better and more flexible option than timewrap in my opinion. Performance ain't too shabby either.


IPS Traffic Increase

You can use this for any type of baselining alert around a predefined standard deviation. I used the IDS data model, but the same logic can be applied to any index.

You should be able to do something similar on a single sourcetype, like so:
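A baseline search of this kind over the CIM Intrusion_Detection data model, added here as an illustration and not the post's own query. It compares yesterday's daily event count against the mean and standard deviation of the 30 days before it; the 30-day window and the 3-sigma threshold are assumptions:

```spl
| tstats summariesonly=true count
    FROM datamodel=Intrusion_Detection
    WHERE earliest=-31d@d latest=@d
    BY _time span=1d
| eval period = if(_time >= relative_time(now(), "-1d@d"), "current", "baseline")
| eventstats avg(eval(if(period="baseline", count, null())))   AS baseline_avg
             stdev(eval(if(period="baseline", count, null()))) AS baseline_stdev
| where period="current"
| eval threshold = round(baseline_avg + 3 * baseline_stdev, 0),
       z_score   = round((count - baseline_avg) / baseline_stdev, 2)
| where count > threshold
| table _time count baseline_avg baseline_stdev threshold z_score
```

The `period` split is the important detail: computing the average and standard deviation over a window that includes the day under test lets a large spike inflate its own baseline. For the single-sourcetype variant the author mentions, the `tstats` line is the only thing that changes: `index=ips sourcetype=<your_sourcetype> earliest=-31d@d latest=@d | bucket _time span=1d | stats count BY _time` produces the same `_time`/`count` rows and the rest of the pipeline runs unchanged. If a day with zero events should count toward the baseline, use `timechart span=1d count` instead, since `stats` emits no row for an empty day.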


Nessus Security Center Dashboard

Description: This dashboard is intended to make it easier to search the results from Nessus Security Center. It doesn't require any additional add-ons.


FireEye Internals Monitoring

Summary: FireEye produces two types of logs: security event logs (the primary function of FireEye) and internal system logs (logs about the appliance itself). Most users do not use the internal system logs, or are not even aware that they are available. Sometimes the appliances are configured to send both logs via syslog, and the messages are […]


Disk Usage per Index by Indexer

Summary: Instead of grabbing data from all time, the dbinspect command lets administrators quickly determine how big an index is. There are additional fields in the dbinspect output, so explore them to gain other data pivots.
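A dbinspect search that breaks disk usage down by indexer and index, added here as an illustration and not the post's own query. It uses only fields that dbinspect emits (`splunk_server`, `index`, `sizeOnDiskMB`, `eventCount`, `startEpoch`):

```spl
| dbinspect index=*
| stats sum(sizeOnDiskMB) AS size_mb
        count AS buckets
        sum(eventCount) AS events
        min(startEpoch) AS oldest_epoch
        BY splunk_server index
| eval size_gb = round(size_mb / 1024, 2),
       oldest_data = strftime(oldest_epoch, "%Y-%m-%d")
| fields - oldest_epoch
| sort splunk_server, -size_mb
```

Run it over All time: dbinspect reports only buckets that overlap the selected time range, so a default 24-hour window sizes a day's worth of buckets rather than the index. On an indexer cluster every replicated copy shows up under its own `splunk_server`, which is what you want for per-indexer disk planning but means the column totals count replicas, not unique data. `oldest_data` is a cheap way to check whether retention (`frozenTimePeriodInSecs`) is actually being honoured on each indexer.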


Apdex Score

Apdex is a measure of response time against a set threshold. It measures the ratio of satisfactory response times to unsatisfactory ones. The response time is measured from an asset request to completed delivery back to the requestor. It determines user satisfaction, and is based on request type and response time. All […]
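A search that computes the score per URL using the standard Apdex definition (satisfied at or below the threshold T, tolerating between T and 4T, frustrated above 4T; score = (satisfied + tolerating/2) / total), added here as an illustration and not the post's own query. The web index, a `response_time` field in milliseconds, a `uri_path` field and T = 500 ms are assumptions:

```spl
index=web sourcetype=access_combined response_time=*
| eval T = 500
| eval zone = case(response_time <= T,     "satisfied",
                   response_time <= 4 * T, "tolerating",
                   true(),                 "frustrated")
| stats count(eval(zone="satisfied"))  AS satisfied
        count(eval(zone="tolerating")) AS tolerating
        count(eval(zone="frustrated")) AS frustrated
        count AS total
        BY uri_path
| eval apdex  = round((satisfied + tolerating / 2) / total, 2)
| eval rating = case(apdex >= 0.94, "Excellent",
                     apdex >= 0.85, "Good",
                     apdex >= 0.70, "Fair",
                     apdex >= 0.50, "Poor",
                     true(),        "Unacceptable")
| sort apdex
```

The rating bands are the ones published in the Apdex specification. Pick T per request type rather than globally, as the text suggests: a 500 ms budget is reasonable for a page view and far too generous for a static asset, so an `eval T = case(match(uri_path, "\.(css|js|png)$"), 100, true(), 500)` in place of the constant keeps one search honest across both.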
