emoji bonanza

Have you ever wanted to truly express your emotions related to your search results but wasn’t sure how? Why not use an emoji?  But how, you ask?  Well, problem solved. Welcome to the emoji bonanza!

 

Continue Reading →

Identifying Hosts not sending data for more than 6 hours

Continue Reading →

Get unexpected shutdown date with downtime duration

Mainly saving you the headache of handling hidden characters which made field extraction harder than it needed to be.

Continue Reading →

Zerologon Detection (CVE-2020-1472)

Primary Search for Local Domain Controller Exploitation by Zerologon

You can also modify this search to only look at your Active Directory DCs. If you have common naming schemas, you can use that as well. Please see the report linked to get more info about the CVE itself.

Continue Reading →

Splunk dashboard that displays User searches

Built this dashboard to give a high level overview of user search activity.  The search powering the dashboard is looking that the _audit index and you will need to ensure that you have proper access to the internal Splunk indexes. The dashboard includes a TimeRange picker, radio button to include or exclude Splunk’s system user, […]

Continue Reading →

Windows Software Matrix

Description: This query will generate a software matrix or viewing the versions and names of all software installed on windows hosts reporting to Splunk.  It requires the Stanza [script://.\bin\win_installed_apps.bat] enabled in the Splunk_TA_Windows Add-on.  We run this once a day and have a dashboard for viewing the data that’s hard set for the past 24 […]

Continue Reading →

ProofPoint TAP Dashboard

Continue Reading →

Bucket Status Dashboard

Shows status of buckets per indexer host, when they rolled from warm to cold, and cold to frozen. Gives a timechart and table of each, as well as detailed bucket names per index & host.

Continue Reading →

Detect Dying Sourcetypes

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.  

Continue Reading →

Alerts in a Panel with Drilldown

A quick dashboard panel you can plop anywhere and get a view of alerts that have recently fired, including a drilldown based on the SID of the fired alert.

Continue Reading →

Triggered Alert Analytics

Primary Dashboards Contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you utilize (ie. 0001 – AlertName). You will need an outputlookup to generate the bottom two tables; it will be based on the query that generates the second table in the dashboard.

Report […]

Continue Reading →

F5 SL ASM iRule Parser for Hosted Deployments

Continue Reading →

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

F5 BigIP Brute Force and Session Abuse

Multiple Users with Authentications from Singular, non-Whitelisted IP Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particular useful during COVID-19 WFH constraints. The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a […]

Continue Reading →

Listing incident review and the closing comments

Continue Reading →

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

Continue Reading →

Investigate an IP through Palo Alto Logs

Continue Reading →

List Deployment Client

Continue Reading →