Bucket Status Dashboard

Shows status of buckets per indexer host, when they rolled from warm to cold, and cold to frozen. Gives a timechart and table of each, as well as detailed bucket names per index & host.

Continue Reading →

Detect Dying Sourcetypes

This alert is used for looking at a prior dataset of indexes and sourcetypes reporting over time, and then involves pairing to a closer, temporal dataset. Appending the results allows you to view sourcetypes that have stopped reporting, but existed in the prior period.  

Continue Reading →

Alerts in a Panel with Drilldown

A quick dashboard panel you can plop anywhere and get a view of alerts that have recently fired, including a drilldown based on the SID of the fired alert.

Continue Reading →

Triggered Alert Analytics

Primary Dashboards Contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you utilize (ie. 0001 – AlertName). You will need an outputlookup to generate the bottom two tables; it will be based on the query that generates the second table in the dashboard.

Report […]

Continue Reading →

F5 SL ASM iRule Parser for Hosted Deployments

Continue Reading →

Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

F5 BigIP Brute Force and Session Abuse

Multiple Users with Authentications from Singular, non-Whitelisted IP Basically I needed a way to determine if a series of users are connecting from a singular IP. This is particular useful during COVID-19 WFH constraints. The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a […]

Continue Reading →

Listing incident review and the closing comments

Continue Reading →

Investigate by MAC, IP all VPN authentications through CISCO_ISE

Helps to investigate authentications through CISCO_ISE device. This identifies who logs in, the MAC address and IP for any use cases

Continue Reading →

Investigate an IP through Palo Alto Logs

Continue Reading →

List Deployment Client

Continue Reading →

List Reports and Wrap the text

Continue Reading →

Timestamps from the future.

Shows all hosts that are sending events with timestamps greater than 5 mins (300 seconds) from the current time.

Continue Reading →

Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and Countries

Continue Reading →

List Notable events with closing history details

Continue Reading →

Datamodel Search Performance

See how well your DM searches are running. Run this search using the Line Chart visualization:

Continue Reading →

Listing Data models

Continue Reading →

Significant Data Ingress/Egress

Generally, one expects a client-server conversation to be greater on the download side rather than more data uploaded.  This search can detect greater upload than download over a time period, like a client sending significantly more data than it receives from a server (e.g. data ex-filtration). For the best search results, query on a sourcetype […]

Continue Reading →