Detect Credit Card Numbers using Luhn Algorithm

Description: Detect if any log file in Splunk contains credit card numbers.

Zerologon Detection (CVE-2020-1472)

Primary Search for Local Domain Controller Exploitation by Zerologon

You can also modify this search to only look at your Active Directory DCs. If you have common naming schemas, you can use that as well. Please see the report linked to get more info about the CVE itself.

Groundspeed Violation/Improbable Access

Oftentimes we are required to detect impossible or improbable access events. Typically, this is a relatively simple thing to do in a modern SIEM; however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Significant Data Ingress/Egress

Generally, one expects a client-server conversation to carry more data on the download side than on the upload side. This search detects greater upload than download over a time period, i.e. a client sending significantly more data than it receives from a server (e.g. data exfiltration). For the best search results, query on a sourcetype […]

Nessus Security Center Dashboard

Description: This dashboard is intended to make it easier to search the results from Nessus Security Center. It doesn’t require any additional add-ons.

Successful Logons to WordPress Admin Area

Ever want more detailed information on authentications to your WordPress Admin Area? This Splunk Query will show detailed information on successful authentications to the wp-admin section of your site:

Notes: Please comment if this is successful or unsuccessful for you; I have limited access to WordPress data. That said, this worked for me.

High Level Windows Dashboard

Part 1 – User Logon Activity

The following Splunk dashboard provides a high-level view of Windows user logon activity. It should be emphasized that the focus of this dashboard is fairly high level; it has a time picker (defaulting to 7 days) and shows both successful and failed user logons (table and timechart) as well […]

Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host:

The following Splunk query will show a detailed table of failed logon attempts per host and user in 5-minute blocks of time, and will also show a sparkline (mini timechart) within the table itself.

#Admin Notes – This […]

Active Directory Password change attempts

Use the following search to create a stacked bar chart of AD password change attempts:

Find Successful Login After 10 Failures with streamstats

If you have the Authentication data model configured, you can use the following search to quickly find successful logins that follow 10 failed attempts.

Compare Successful Internal Vs External Connections

This query will display a bar chart of all successful internal vs. external SSH connections. It is useful for identifying any spikes in connectivity coming from within your network remit or from outside of it. Simply change the CIDR matches to match your LANs.

IIS: Indicators of directory traversal, RFI and LFI

The following shows IoCs for directory traversal, RFI and LFI within IIS logging:
