Correlation Search Audit Search

 Use this search to audit your correlation searches. It includes various information like who is the author of the correlation search, who modified it, etc. In addition to that, the search also gives you an brief info on whether the correlation search has been triggered in past 30 days or not considering it has notable […]

Continue Reading →

NIX Debian Package (dpkg.log) Dashboard

Description: Wanted a dashboard that would provide information around package information across my Ubuntu servers.  At this time I have only built this dashboard to review the “dpkg.log”. In an attempt to help people understand how I build dashboard, posted a video on YouTube where you can follow along while I build this dashboard out: […]

Continue Reading →

Reflected DDoS Attack

(in reflected attacks a lotof external benign src’s send a lotof packets toward our servers, because our server’s IP spoofed before in request packets and were sent by attacker toward trusted servers and those trusted servers replied us instead of attacker !  )

Continue Reading →

Linux Deletion of SSL Certificate (mitre : T1485 , T1070.004 , T1070)

Continue Reading →

port scan attack (by juniper)

Continue Reading →

DLL Serach Oreder Hijacking (mitre : T1574.001)

Continue Reading →

1st time connection between servers (FTD CISCO)

Description: This query helps you to see all new connections between servers. Still work in progress and can be extended further. “White-listing” happens through the lookup files. Query:

Continue Reading →

Show all successful splunk configuration changes by user

Continue Reading →

Truncated Data Issues

Displays sourcetypes being truncated on ingest, then on selection, shows the related _internal message & the an event that caused it to trigger.

Continue Reading →

List the size of lookup files with an SPL search.

Continue Reading →

Detect Credit Card Numbers using Luhn Algorithm

  Description Detect if any log file in Splunk contains Credit Card numbers.

Continue Reading →

Indexes size and EPS

Description: SPL request to display by index : Index name Index size Events sum, min, avg, max, perc95 Events sum, min, avg, max, perc95 to work hours (8am-6pm) Required: Splunk license Query:

Continue Reading →

Software inventory

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it.

Hope this helps. Let me know if you have any suggestions.

Continue Reading →