Linux Deletion of SSL Certificate (MITRE: T1485, T1070.004, T1070)

port scan attack (by juniper)

DLL Search Order Hijacking (MITRE: T1574.001)

1st time connection between servers (FTD CISCO)

Description: This query helps you see all new (first-time) connections between servers. It is still a work in progress and can be extended further. "White-listing" happens through the lookup files. Query:

Show all successful splunk configuration changes by user

Truncated Data Issues

Displays sourcetypes being truncated on ingest; on selection, shows the related _internal message and the event that caused it to trigger.

List the size of lookup files with an SPL search.

Detect Credit Card Numbers using Luhn Algorithm

Description: Detect if any log file in Splunk contains credit card numbers.

Indexes size and EPS

Description: SPL request to display, by index: index name; index size; events (sum, min, avg, max, perc95); events (sum, min, avg, max, perc95) during work hours (8am-6pm). Required: Splunk license. Query:

Software inventory

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it.

Hope this helps. Let me know if you have any suggestions.

DNS search for encoded data

Description: Use this Splunk search to find Base64 encoded content in DNS queries. The goal is to examine the DNS query field of the dns events to find subdomain streams that contain only Base64 valid characters. Utilizing DNS queries with encoded information is a known method to exfiltrate data. But you do not know if […]

Show cron frequency and scheduling of all scheduled searches

This search shows you all scheduled searches with their respective cron frequency and cron schedule. It also helps you find frequently running saved searches.

Data model Acceleration Details

This Splunk search shows you a lot of useful information about your data model acceleration and its performance.

Splunk CIM Assist

Got tired of having to go through each data source to determine what indexes should go into the Splunk_SA_CIM search macros, this does the leg work.

Search for disabled AD accounts that have been re-enabled

This is a search you can use as an alert, or however you prefer, to look for AD accounts that were disabled in the past 90 days and then re-enabled in the past 24h. You can tweak it as needed.

Query for when PowerShell execution policy is set to Bypass

Reports Owned by Admin Users and Writable by Others

I got a little fancy there with 

. The link is for clicking from the inline table of the alert email. You can easily skip that.