1 2 3 4 |
index= <strong><your palo alto index> <IP you want to investigate></strong> |stats c sum(bytes) as Bytes_Out by _time user application action dest_ip dest_location src_ip client_ip client_location session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |fields + _time user application action dest_ip dest_location client_ip client_location Bytes_Out session_end_reason "app:able_to_transfer_file" "app:has_known_vulnerability" "app:prone_to_misuse" "app:used_by_malware" "app:evasive" |rename client_ip as SourceIP |fields - user session_end_reason "app:prone_to_misuse" "app:used_by_malware" "app:evasive" dest_ip |
Show Searches with Details (Who | When | What)
The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search What sourcetype was used What index was used What the search string was When the search was last ran
1 2 3 4 5 6 |
index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*" | rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))" | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed | convert ctime(Latest) |