Newest Queries -

Splunk dashboard that displays User searches

Built this dashboard to give a high level overview of user search activity. The search powering the dashboard is looking that the _audit index and you will need to ensure that you have proper access to the internal Splunk indexes. The dashboard includes a TimeRange picker, radio button to include or exclude Splunk’s system user, […]

Continue Reading →

Windows Software Matrix

TeamC
1 0

Description: This query will generate a software matrix or viewing the versions and names of all software installed on windows hosts reporting to Splunk. It requires the Stanza [script://.\bin\win_installed_apps.bat] enabled in the Splunk_TA_Windows Add-on. We run this once a day and have a dashboard for viewing the data that’s hard set for the past 24 […]

Continue Reading →

ProofPoint TAP Dashboard

<form>
  <label>TAP Dashboard</label>
  <description>Direct pull from TAP API</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Quarantine Trends</title>
      <chart>
        <search>
          <query>sourcetype=proofpoint_tap quarantineFolder=* AND quarantineFolder!="" | stats dc(messageID) AS distinct_message_ids by quarantineFolder 
| sort -distinct_message_ids</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top 10 recipients</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" | top 10 recipient{} | rename recipient{} as Recipient count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>All Events Timeline</title>
        <search>
          <query>index=email_na index=email_na sourcetype="proofpoint_tap" eventType!=NULL | timechart count by eventType</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>All Event Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType!=NULL | chart count by eventType | rename count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Message Event Timeline</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=message* threatsInfoMap{}.classification!=NULL | timechart count by threatsInfoMap{}.classification</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top TAP Classification</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" | eval classification=if(isnotnull(classification), classification, 'threatsInfoMap{}.classification') | top limit=20 classification | rename classification as Classification count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Blocked Message Threat Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=messagesBlocked threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>All Message Threat Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Message Spam Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=message* | eval spamType=if(malwareScore &gt; 0, "Malware", if(phishScore &gt; 0,"Phishing", if(spamScore &gt; 0, "Spam", if(imposterScore &gt; 0, "imposter", "notSpam")))) | top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Delivered Message Threat Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=messagesDelivered threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Click Event Timeline</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | timechart count as Count by classification | rename classification as Classification</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Click Event Types</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | chart count as Count by classification | rename classification as Classification</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Clicked SpamType Timeline</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore &gt; 0, "Malware", if(phishScore &gt; 0,"Phishing", if(spamScore &gt; 0, "Spam", if(imposterScore &gt; 0, "imposter", "notSpam"))))| timechart count as Count by spamType | rename "spamType" as "Spam Type"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <chart>
        <title>Click Spam Types for Today</title>
        <search>
          <query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore &gt; 0, "Malware", if(phishScore &gt; 0,"Phishing", if(spamScore &gt; 0, "Spam", if(imposterScore &gt; 0, "imposter", "notSpam"))))| top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

<form>

<label>TAP Dashboard</label>

<description>Direct pull from TAP API</description>

<label>Select Time</label>

</default>

</input>

</fieldset>

<row>

<panel>

<title>Quarantine Trends</title>

<chart>

<query>sourcetype=proofpoint_tap quarantineFolder=* AND quarantineFolder!="" | stats dc(messageID) AS distinct_message_ids by quarantineFolder

| sort -distinct_message_ids</query>

<earliest>$earliest$</earliest>

<latest>$latest$</latest>

</search>

<option name="refresh.display">progressbar</option>

</chart>

</panel>

<panel>

<chart>

<title>Top 10 recipients</title>

<query>index=email_na sourcetype="proofpoint_tap" | top 10 recipient{} | rename recipient{} as Recipient count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>All Events Timeline</title>

<query>index=email_na index=email_na sourcetype="proofpoint_tap" eventType!=NULL | timechart count by eventType</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">column</option>

<option name="charting.chart.stackMode">stacked</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

<panel>

<chart>

<title>All Event Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType!=NULL | chart count by eventType | rename count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>Message Event Timeline</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=message* threatsInfoMap{}.classification!=NULL | timechart count by threatsInfoMap{}.classification</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">column</option>

<option name="charting.chart.stackMode">stacked</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

<panel>

<chart>

<title>Top TAP Classification</title>

<query>index=email_na sourcetype="proofpoint_tap" | eval classification=if(isnotnull(classification), classification, 'threatsInfoMap{}.classification') | top limit=20 classification | rename classification as Classification count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>Blocked Message Threat Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=messagesBlocked threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

<panel>

<chart>

<title>All Message Threat Types</title>

<query>index=email_na sourcetype="proofpoint_tap" threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

<panel>

<chart>

<title>Message Spam Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=message* | eval spamType=if(malwareScore > 0, "Malware", if(phishScore > 0,"Phishing", if(spamScore > 0, "Spam", if(imposterScore > 0, "imposter", "notSpam")))) | top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

<panel>

<chart>

<title>Delivered Message Threat Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=messagesDelivered threatsInfoMap{}.threatType!=NULL | chart count as Count by threatsInfoMap{}.threatType | rename "threatsInfoMap{}.threatType" as "Threat Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<chart>

<title>Click Event Timeline</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | timechart count as Count by classification | rename classification as Classification</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart">column</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.placement">right</option>

</chart>

</panel>

<panel>

<chart>

<title>Click Event Types</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* classification!=NULL | chart count as Count by classification | rename classification as Classification</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

<row>

<panel>

<table>

<title>Clicked SpamType Timeline</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore > 0, "Malware", if(phishScore > 0,"Phishing", if(spamScore > 0, "Spam", if(imposterScore > 0, "imposter", "notSpam"))))| timechart count as Count by spamType | rename "spamType" as "Spam Type"</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

</table>

</panel>

<panel>

<chart>

<title>Click Spam Types for Today</title>

<query>index=email_na sourcetype="proofpoint_tap" eventType=click* | eval spamType=if(malwareScore > 0, "Malware", if(phishScore > 0,"Phishing", if(spamScore > 0, "Spam", if(imposterScore > 0, "imposter", "notSpam"))))| top limit=20 spamType | rename "spamType" as "Spam Type" count as Count</query>

<earliest>$time.earliest$</earliest>

<latest>$time.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

</chart>

</panel>

</row>

</form>

Continue Reading →

REST API: Table all Splunk User Email Addresses

The following simple Splunk query will put all Splunk User accounts with an email address into a panel for copy and paste purposes (such as copying all email addresses to send in an email). I’ve added a semi colon delimiter in order to literally be copy and paste into an application such as Microsoft Outlook. […]

Continue Reading →

Bucket Status Dashboard

Shows status of buckets per indexer host, when they rolled from warm to cold, and cold to frozen. Gives a timechart and table of each, as well as detailed bucket names per index & host.

<form>
  <label>Bucket Status</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="multiselect" token="hostpicker" searchWhenChanged="true">
      <label>Which Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" Role=Indexer 
| stats count by host 
|  fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>  OR host=</delimiter>
    </input>
    <input type="multiselect" token="idx_picker" searchWhenChanged="true">
      <label>Which Index</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>idx_name</fieldForLabel>
      <fieldForValue>idx_name</fieldForValue>
      <search>
        <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*"
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| stats count by idx_name 
|  fields - count</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <delimiter>  OR idx_name=</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Warm to Cold Timechart</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| timechart count by  idx_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>Cold to Frozen Timechart</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*will attempt to freeze*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| timechart count by  idx_name</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Buckets moving from warm to cold</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" host=$hostpicker$ 
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| stats count by  idx_name
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Buckets rolling to Frozen</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover candidate!="*_i*" candidate!="*_a*" host=$hostpicker$ "*will attempt to freeze*"
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| search idx_name=$idx_picker$ NOT idx_name="_*"
| stats count by  idx_name
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Index, Host and Bucket</title>
      <table>
        <title>cold to frozen uses bkt, warm to cold uses bucket</title>
        <search>
          <query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*" host=$hostpicker$
| rex field=event_message "indexes\/(?&lt;idx_name&gt;.+?(?=\/))"
| fillnull value=NULL
| search idx_name=$idx_picker$ NOT idx_name="_*"
| eval Message=if(like(event_message, "%warm_to_cold%"), "Warm to Cold", "Cold to Frozen")
| stats count by idx_name bucket bkt host Message| fields - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">25</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

<form>

<label>Bucket Status</label>

</default>

</input>

<label>Which Host</label>

<query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" Role=Indexer

| stats count by host

| fields - count</query>

</search>

</input>

<label>Which Index</label>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*"

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| stats count by idx_name

| fields - count</query>

</search>

</input>

</fieldset>

<row>

<panel>

<title>Warm to Cold Timechart</title>

<chart>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| timechart count by idx_name</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">progressbar</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

<panel>

<title>Cold to Frozen Timechart</title>

<chart>

<query>index=_internal sourcetype=splunkd component=BucketMover "*will attempt to freeze*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| timechart count by idx_name</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">progressbar</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

</row>

<row>

<panel>

<title>Buckets moving from warm to cold</title>

<table>

<query>index=_internal sourcetype=splunkd component=BucketMover warm_to_cold idx!="_i*" idx!="_a*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| stats count by idx_name

| sort - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

<panel>

<title>Buckets rolling to Frozen</title>

<table>

<query>index=_internal sourcetype=splunkd component=BucketMover candidate!="*_i*" candidate!="*_a*" host=$hostpicker$ "*will attempt to freeze*"

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| search idx_name=$idx_picker$ NOT idx_name="_*"

| stats count by idx_name

| sort - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">progressbar</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

<row>

<panel>

<title>Index, Host and Bucket</title>

<table>

<title>cold to frozen uses bkt, warm to cold uses bucket</title>

<query>index=_internal sourcetype=splunkd component=BucketMover "*starting warm_to_cold*" OR "*freeze succeeded*" host=$hostpicker$

| rex field=event_message "indexes\/(?<idx_name>.+?(?=\/))"

| fillnull value=NULL

| search idx_name=$idx_picker$ NOT idx_name="_*"

| eval Message=if(like(event_message, "%warm_to_cold%"), "Warm to Cold", "Cold to Frozen")

| stats count by idx_name bucket bkt host Message| fields - count</query>

<earliest>$field1.earliest$</earliest>

<latest>$field1.latest$</latest>

</search>

<option name="percentagesRow">false</option>

<option name="rowNumbers">false</option>

<option name="totalsRow">false</option>

</table>

</panel>

</row>

</form>

Continue Reading →

Detect Dying Sourcetypes

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.

| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d
| append
[ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ]
| timechart span=1d values(count) AS count by sourcetype
| streamstats avg(count) as avgCount by sourcetype

| tstats count where earliest=-90d latest=-60d index=proxies_na by _time sourcetype span=1d

| append

[ | tstats count where earliest=-30d latest=now index=proxies_na by _time sourcetype span=1d | where count=0 ]

| timechart span=1d values(count) AS count by sourcetype

| streamstats avg(count) as avgCount by sourcetype

Continue Reading →

Alerts in a Panel with Drilldown

A quick dashboard panel you can plop anywhere and get a view of alerts that have recently fired, including a drilldown based on the SID of the fired alert.

<row>
<panel>
<table>
<title>Alerts Fired</title>
<search>
<query>index=_audit action=alert_fired |rename ss_name AS Alert 
|stats latest(_time) AS "Last Fired" count AS "Times Fired" sparkline AS "Alerts in the Last 72 Hours" 
first(sid) AS sid by Alert 
|convert ctime("Last Fired")</query>
<earliest>-72h</earliest>
<latest>now</latest>
<refresh>90s</refresh>
</search>
<fields>Alert, "Last Fired", "Times Fired", "Alerts in the Last 72 Hours"</fields>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">heatmap</option>
<option name="count">10</option>
<option name="link.inspectSearch.visible">false</option>
<option name="link.openSearch.visible">false</option>
<format field="Alerts in the Last 72 Hours" type="sparkline">
<option name="type">bar</option>
<option name="barColor">green</option>
<option name="colorMap">
<option name="1:3">navy</option>
<option name="3:7">orange</option>
<option name="8:">red</option>
</option>
</format>
<drilldown target="_blank">
<link>search?sid=$row.sid$</link>
</drilldown>
<option name="drilldown">cell</option>
</table>
<html>
<p>
Location specific instructions in html

</p>
</html>
</panel>
</row>

<row>

<panel>

<table>

<title>Alerts Fired</title>

<query>index=_audit action=alert_fired |rename ss_name AS Alert

|stats latest(_time) AS "Last Fired" count AS "Times Fired" sparkline AS "Alerts in the Last 72 Hours"

first(sid) AS sid by Alert

|convert ctime("Last Fired")</query>

</search>

<fields>Alert, "Last Fired", "Times Fired", "Alerts in the Last 72 Hours"</fields>

<option name="rowNumbers">false</option>

<option name="dataOverlayMode">heatmap</option>

<option name="link.inspectSearch.visible">false</option>

<option name="link.openSearch.visible">false</option>

<option name="barColor">green</option>

<option name="3:7">orange</option>

</option>

</format>

</drilldown>

</table>

<html>

<p>

Location specific instructions in html

</p>

</html>

</panel>

</row>

Continue Reading →

Triggered Alert Analytics

Primary Dashboards Contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you utilize (ie. 0001 – AlertName). You will need an outputlookup to generate the bottom two tables; it will be based on the query that generates the second table in the dashboard.

<form theme="dark">
<label>Triggered Alert Analytics</label>
<description>Metrics tracker for triggered alerts.</description>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<title>alert_fired count for Triggered Alerts</title>
<input type="time" token="upperTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<title>Dashboard for counting per-alert totals, contingent on alerts having the 'Alert Action: Add to Triggered Alerts'</title>
<search>
<query>index=_audit action=alert_fired ss_app=* ss_name="$name$" 
| timechart span=1d sum(triggered_alerts) by ss_name useother=f limit=0 
| sort -count</query>
<earliest>$upperTime.earliest$</earliest>
<latest>$upperTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">preview</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">ss_name</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>All Modified Alerts (-7d)</title>
<input type="time" token="lowerTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<table>
<search>
<query>| rest /servicesNS/-/-/saved/searches 
| search title="$name$" 
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" 
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") 
| table title lastUpdated, nextRunTime, emailTo action.lookup.filename, query, severity
| fillnull value="" 
| sort -lastUpdated</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">preview</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">true</option>
<option name="wrap">false</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Daily Alert Modification Report</title>
<search ref="Daily Alert Modification Report"></search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<title>From 'all_modified_alerts.csv'</title>
<search>
<query>| from lookup:all_modified_alerts.csv</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="count">1</option>
<option name="drilldown">cell</option>
<option name="totalsRow">true</option>
</table>
</panel>
</row>
</form>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

<label>Triggered Alert Analytics</label>

<description>Metrics tracker for triggered alerts.</description>

<row>

<panel>

<title>alert_fired count for Triggered Alerts</title>

</default>

</input>

<chart>

<title>Dashboard for counting per-alert totals, contingent on alerts having the 'Alert Action: Add to Triggered Alerts'</title>

<query>index=_audit action=alert_fired ss_app=* ss_name="$name$"

| timechart span=1d sum(triggered_alerts) by ss_name useother=f limit=0

| sort -count</query>

<earliest>$upperTime.earliest$</earliest>

<latest>$upperTime.latest$</latest>

</search>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisX.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.chart.style">shiny</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="charting.legend.placement">right</option>

<option name="refresh.display">preview</option>

<option name="trellis.size">medium</option>

</chart>

</panel>

</row>

<row>

<panel>

<title>All Modified Alerts (-7d)</title>

</default>

</input>

<table>

<query>| rest /servicesNS/-/-/saved/searches

| search title="$name$"

| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"

| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")

| table title lastUpdated, nextRunTime, emailTo action.lookup.filename, query, severity

| fillnull value=""

| sort -lastUpdated</query>

</search>

<option name="percentagesRow">false</option>

<option name="refresh.display">preview</option>

<option name="rowNumbers">false</option>

<option name="wrap">false</option>

</table>

</panel>

</row>

<row>

<panel>

<table>

<title>Daily Alert Modification Report</title>

</table>

</panel>

<panel>

<table>

<title>From 'all_modified_alerts.csv'</title>

<query>| from lookup:all_modified_alerts.csv</query>

</search>

</table>

</panel>

</row>

</form>

Report […]

Continue Reading →

F5 SL ASM iRule Parser for Hosted Deployments

sourcetype=f5:silverline:asm irule=* vs_ip=*
| rex "(?<log>.*)"
| eval log_stripped = replace(log, "\\\\","")
| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
| spath input=data_section

sourcetype=f5:silverline:asm irule=* vs_ip=*

| rex "(?<log>.*)"

| eval log_stripped = replace(log, "\\\\","")

| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="

| spath input=data_section

Continue Reading →

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

F5 BigIP Brute Force and Session Abuse

F5
riparino
2 2

Multiple Users with Authentications from Singular, non-Whitelisted IP Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particular useful during COVID-19 WFH constraints. The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a […]

Continue Reading →

CrowdStrike Audit Event Correlation

Summary CrowdStrike creates logs in JSON format and sends 2 different datasets to the same sourcetype; security events from their detection tools and audit events from their management tool. These audit tools contain analyst data about when they mark events as true positive, and withing CrowdStrike these are joined with the security event itself. To […]

Continue Reading →

Listing incident review and the closing comments

index=_audit sourcetype="incident_review"
| table rule_name comment status
| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status
| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))
| dedup "Closing Comment"

index=_audit sourcetype="incident_review"

| table rule_name comment status

| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status

| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))

| dedup "Closing Comment"

Continue Reading →

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

index=<your cisco index> "<your IP>"
|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)" 
|rex field=_raw "(?<IP><IP regex>)" 
|iplocation IP
|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type
|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)
|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

index=<your cisco index> "<your IP>"

|rex field="cisco_av_pair" "mdm-tlv=device-mac=(?<MAC_ID>\w+-\w+-\w+-\w+-\w+-\w+)" |rex field="cisco_av_pair" "mdm-tlv=device-platform=(?<OS>\w+)"

|rex field=_raw "(?<IP><IP regex>)"

|iplocation IP

|stats c sum(Acct_Input_Packets) as Packets_In sum(Acct_Output_Packets) as Packets_Out by _time User_Name Framed_Protocol src_mac City Country Region IP MAC_ID OS Acct_Status_Type

|rename _time as Time RequestLatency as LoadTime Acct_Status_Type as Status IP as <your choice> |convert ctime(Time)

|fields + Time User_Name MAC_ID OS "SourceIP - DestIP" City Country Region Framed_Protocol Status Packets_Out Packets_In

Continue Reading →

Investigate an IP through Palo Alto Logs

index=
<strong><your palo alto index> <IP you want to investigate></strong>
|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"
|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

index=

|stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive"

|rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip

Continue Reading →

List Deployment Client

index=_internal sourcetype=splunkd "deployment_client" 
|stats latest(_time) as LatestReportTime values(server_name) as Server_Name by host |convert ctime(LatestReportTime) |rename host as Host
|fields + Host Server_Name LatestReportTime

index=_internal sourcetype=splunkd "deployment_client"

|stats latest(_time) as LatestReportTime values(server_name) as Server_Name by host |convert ctime(LatestReportTime) |rename host as Host

|fields + Host Server_Name LatestReportTime

Continue Reading →

List Reports and Wrap the text

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields" 
|search alert_type="always"
|fillnull value=0 triggered_alert_count
|sort "triggered_alert_count" desc
|rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

|rest /servicesNS/-/-/saved/searches |table search title description alert_type "alert.expires" "alert.suppress" "alert.suppress.fields"

|search alert_type="always"

|fillnull value=0 triggered_alert_count

|sort "triggered_alert_count" desc

|rex max_match=100 field="search" "(?<split__regex>.{0,100}(?:\s|$)|.{100})" | rename split__regex as search

Continue Reading →

Timestamps from the future.

Tensore
2 0

Shows all hosts that are sending events with timestamps greater than 5 mins (300 seconds) from the current time.

| metadata type=hosts 
| where lastTime>now()+300
| eval mins_in_future=(lastTime-now())/60
| eval years_in_future=mins_in_future/60/24/365
| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")
| table lastTime, host, mins_in_future, years_in_future
| sort - mins_in_future

| metadata type=hosts

| where lastTime>now()+300

| eval mins_in_future=(lastTime-now())/60

| eval years_in_future=mins_in_future/60/24/365

| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")

| table lastTime, host, mins_in_future, years_in_future

| sort - mins_in_future

Continue Reading →

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src 
| search Country=*
| table Country, src, action, bytes_out, packets_out 
| dedup src
| sort Country

src!=10.0.0.0/8 AND src!=192.168.0.0/12 AND src!=192.168.0.0/16 action="allowed"

| iplocation src

| search Country=*

| table Country, src, action, bytes_out, packets_out

| dedup src

| sort Country

Continue Reading →

List Notable events with closing history details

Opeyemi Olatunji
2 0

`notable`
| stats latest(lastTime) as LastTimeSeen values(rule_name) as "Rule Name" values(comment) as "Historical Analysis" values(user) as User by _time event_id, urgency
| eval LastTimeSeen=strftime(LastTimeSeen,"%+")

`notable`

| stats latest(lastTime) as LastTimeSeen values(rule_name) as "Rule Name" values(comment) as "Historical Analysis" values(user) as User by _time event_id, urgency

| eval LastTimeSeen=strftime(LastTimeSeen,"%+")

Continue Reading →

Splunk Query Repository