├── Truvis-Host Linux Security Overview [MAIN] ├── Truvis-Blocked Out Going Connections BY IP [MAIN] ├── Truvis-Threat Intelligence Windows Accounts [MAIN] ├── Truvis-Host Linux Dashboard by ENDPOINT [SUB] ├── Truvis-Suricata Categories Overview [SUB] ├── Truvis-Suricata Signature Overview [SUB] ├── Truvis-Blocked Out Going Connections by ENDPOINT [SUB] ├── Truvis-Network Intelligence by ENDPOINT [SUB] ├── Truvis-User Windows Security Overview [MAIN] ├── readme.md ├── Truvis-Network Intelligence Overview [MAIN] ├── Truvis-Suricata Host Overview [SUB] Time Frame Last 24 hours Hide Filters ├── Truvis-User Linux Security Overview [MAIN] ├── Truvis-Threat Intelligence Network [MAIN] ├── Truvis-Host Windows Security Overview [MAIN] └── Truvis-Suricata Network Overview [MAIN] /Truvis-Host Linux Security Overview [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 |
12 | 13 | 14 | 15 | 16 | sourcetype=bash_history bash_command="./*" OR bash_command="sh *" | table _time, host, user_name, bash_command | sort - _time 17 | $field1.earliest$ 18 | $field1.latest$ 19 | 1 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | /app/search/truvislinux_host_dashboard?clickedHOST=$row.host$ 34 | 35 |
39 | -------------------------------------------------------------------------------- /Truvis-Blocked Out Going Connections BY IP [MAIN]: -------------------------------------------------------------------------------- 1 |
2 | 3 | Blocked Out Going Connections BY IP 4 |
5 | 6 | 7 | 8 | -24h@h 9 | now 10 | 11 | 12 |
13 | 14 | 15 | Local IPs count by blocked out going connections. (click for details) 16 | 17 | 18 | sourcetype="opnsense:filterlog" action=blocked src_ip="192.168.2.*" | stats count(src_ip) as TotalBlockConnctions by src_ip | sort TotalBlockConnctions desc 19 | $field1.earliest$ 20 | $field1.latest$ 21 | 1 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | /app/search/blocked_out_going_connections_by_ip_and_port?clickedIP=$click.value$ 35 | 36 | 37 | 38 | 39 | 40 | 41 | BLOCKED PORTS BY IP WITH COUNT 42 | 43 | 44 | sourcetype="opnsense:filterlog" action=blocked src_ip="192.168.2.*" 45 | |stats count by src_ip dest_port, transport 46 | |stats list(dest_port) as port list(transport) as transport list(count) as count by src_ip 47 | |rename src_ip as "SOURCE HOST" port as "DEST PORT" transport as "TRANSPORT" 48 | $field1.earliest$ 49 | $field1.latest$ 50 | 1 51 | 52 | 53 | 54 |
58 | -------------------------------------------------------------------------------- /Truvis-Threat Intelligence Windows Accounts [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 |
12 | 13 | 14 | 15 | Accounts that were created and then deleted in under an hour (a common way to hide a short-lived backdoor account). Covers the current event IDs (4720 create / 4726 delete) and the legacy ones (624 / 630); these come from the Audit User Account Management subcategory, which must be enabled on the DCs/hosts. Pairing is done by the user field, so the TA must put the target account name in user for both the creation and the deletion event — confirm against the extraction before trusting empty results. 16 | 17 | source="WinEventLog:Security" (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 | where duration < 3600 | table host, src_user, user, Account_Domain, _time 18 | $field1.earliest$ 19 | $field1.latest$ 20 | 21 | 22 | 23 |
26 | 27 | 28 | 29 | Accounts added to / removed from Domain Admins and other sensitive groups. NOTE: 4728/4729 only cover security-enabled global groups. Universal groups such as Enterprise Admins and Schema Admins log 4756/4757, and domain-local groups such as the built-in Administrators group log 4732/4733, so widen the EventCode list if those groups should be watched. Replace the *OtherGroup* placeholder with the real group names to monitor (e.g. Account Operators, Backup Operators, DnsAdmins), otherwise it matches nothing. 30 | 31 | source=WinEventLog:Security (EventCode=4728 OR EventCode=4729) (Group_Name="*Domain Admins*" OR Group_Name="*OtherGroup*") 32 | | rename src_user AS "Actioned By", name as "Action Taken" 33 | | table host "Actioned By" user "Action Taken" Group_Name Account_Domain _time 34 | | sort - _time 35 | $field1.earliest$ 36 | $field1.latest$ 37 | 38 | 39 | 40 |
43 | 44 | 45 | 46 | Accounts whose password was changed (4723, legacy 627) or reset (4724, legacy 628) by someone other than the account owner. This relies on Account_Name / Account_Domain being multivalued with the subject first and the target second; confirm that matches the TA's field extraction, because if the order differs the subject/target comparison below is meaningless. Admin-driven resets (4724) of privileged or service accounts are the ones worth chasing first. 47 | 48 | source="WinEventLog:Security" (EventCode IN ("628","627","4723","4724")) 49 | | eval s_username = mvindex(Account_Name, 0), t_username = mvindex(Account_Name, 1), s_domain = mvindex(Account_Domain, 0), t_domain = mvindex(Account_Domain, 1) 50 | | eval s_output = s_username."@".s_domain, t_output = t_username."@".t_domain 51 | | where s_username!=t_username 52 | | table host, s_output, t_output, _time 53 | $field1.earliest$ 54 | $field1.latest$ 55 | 56 | 57 | 58 |
62 | -------------------------------------------------------------------------------- /Truvis-Host Linux Dashboard by ENDPOINT [SUB]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | $clickedHOST$ 7 | 8 | 9 | 10 | 11 | -24h@h 12 | now 13 | 14 | 15 |
16 | 17 | 18 | 19 | Current Open Sessions (including improperly closed) 20 | 21 | source=secure host="$field1$" | transaction pid startswith="session opened" | regex _raw!="session closed" | table _time user 22 | $field2.earliest$ 23 | $field2.latest$ 24 | 1 25 | 26 | 27 | 28 | 29 | 30 | 31 |
33 | 34 | 35 | Login Sessions 36 | 37 | source=secure host="$field1$" | transaction pid maxevents=3 endswith="session closed" | eval HHMMSS=tostring(duration, "duration") | table _time user src_ip HHMMSS 38 | $field2.earliest$ 39 | $field2.latest$ 40 | 1 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 |
54 | 55 | 56 | 57 | Commands 58 | 59 | source=bash_history host="$field1$" | table _time, user_name, bash_command | sort - _time 60 | $field2.earliest$ 61 | $field2.latest$ 62 | 1 63 | 64 | 65 | 66 | 67 | 68 | 69 |
72 | 73 | 74 | 75 | Execute Command Events 76 | 77 | source=bash_history host="$field1$" bash_command="./*" OR bash_command="sh *" 78 | $field2.earliest$ 79 | $field2.latest$ 80 | 1 81 | 82 | 83 | 84 | 85 | 86 | 87 | Successful Logon Events 88 | 89 | source=secure host="$field1$" action=success vendor_action=Accepted 90 | $field2.earliest$ 91 | $field2.latest$ 92 | 1 93 | 94 | 95 | 96 | 97 | 98 | 99 |
100 | -------------------------------------------------------------------------------- /Truvis-Suricata Categories Overview [SUB]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 | 12 | 13 | category 14 | category 15 | 16 | index="suricata" sourcetype="suricata:alert" | fields category | dedup category | table category 17 | $field1.earliest$ 18 | $field1.latest$ 19 | 30s 20 | delay 21 | 22 | $cat$ 23 | 24 |
25 | 26 | 27 | 28 | SRC IPS 29 | 30 | index="suricata" sourcetype="suricata:alert" category="$category$" | stats count by src_ip 31 | $field1.earliest$ 32 | $field1.latest$ 33 | 30s 34 | delay 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | DEST IPS 43 | 44 | index="suricata" sourcetype="suricata:alert" category="$category$" | stats count by dest_ip 45 | $field1.earliest$ 46 | $field1.latest$ 47 | 30s 48 | delay 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | PROTOCOL 57 | 58 | index="suricata" sourcetype="suricata:alert" category="$category$" | stats count by proto 59 | $field1.earliest$ 60 | $field1.latest$ 61 | 30s 62 | delay 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | Action 71 | 72 | index="suricata" sourcetype="suricata:alert" category="$category$" | stats count by action 73 | $field1.earliest$ 74 | $field1.latest$ 75 | 30s 76 | delay 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | Connections 87 | 88 | index="suricata" sourcetype="suricata:alert" category="$category$" 89 | | stats count by src_ip dest_ip dest_port transport 90 | | stats list(dest_ip) as dest_ip list(dest_port) as dest_port list(transport) as transport list(count) as count by src_ip 91 | $field1.earliest$ 92 | $field1.latest$ 93 | 30s 94 | delay 95 | 96 | 97 | 98 |
101 | 102 | 103 | 104 | Raw Logs 105 | 106 | index="suricata" sourcetype="suricata:alert" category="$category$" 107 | $field1.earliest$ 108 | $field1.latest$ 109 | 30s 110 | delay 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 |
122 | -------------------------------------------------------------------------------- /Truvis-Suricata Signature Overview [SUB]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 | 12 | 13 | signature 14 | signature 15 | 16 | index="suricata" sourcetype="suricata:alert" | stats count by signature | table signature 17 | $field1.earliest$ 18 | $field1.latest$ 19 | 30s 20 | delay 21 | 22 | $sig$ 23 | 24 |
25 | 26 | 27 | 28 | SRC IPS 29 | 30 | index="suricata" sourcetype="suricata:alert" signature="$multi_select$" | stats count by src_ip 31 | $field1.earliest$ 32 | $field1.latest$ 33 | 30s 34 | delay 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | DEST IPS 43 | 44 | index="suricata" sourcetype="suricata:alert" signature="$multi_select$" | stats count by dest_ip 45 | $field1.earliest$ 46 | $field1.latest$ 47 | 30s 48 | delay 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | PROTOCOL 57 | 58 | index="suricata" sourcetype="suricata:alert" signature="$multi_select$" | stats count by proto 59 | $field1.earliest$ 60 | $field1.latest$ 61 | 30s 62 | delay 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | Action 71 | 72 | index="suricata" sourcetype="suricata:alert" signature="$multi_select$" | stats count by action 73 | $field1.earliest$ 74 | $field1.latest$ 75 | 30s 76 | delay 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | Connections 87 | 88 | index="suricata" sourcetype="suricata:alert" signature="$multi_select$" 89 | | stats count by src_ip dest_ip dest_port transport 90 | | stats list(dest_ip) as dest_ip list(dest_port) as dest_port list(transport) as transport list(count) as count by src_ip 91 | $field1.earliest$ 92 | $field1.latest$ 93 | 30s 94 | delay 95 | 96 | 97 | 98 |
101 | 102 | 103 | 104 | Raw Logs 105 | 106 | index="suricata" sourcetype="suricata:alert" signature="$multi_select$" 107 | $field1.earliest$ 108 | $field1.latest$ 109 | 30s 110 | delay 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 |
122 | -------------------------------------------------------------------------------- /Truvis-Blocked Out Going Connections by ENDPOINT [SUB]: -------------------------------------------------------------------------------- 1 | 2 | 3 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 | 12 | 13 | 14 | sourcetype="opnsense:filterlog" action=blocked src_ip="$clickedIP$" | stats values(dest_port) as dport | mvexpand dport | sort dport 15 | 16 | dport 17 | dport 18 | 19 | 20 | All 21 | * 22 | 23 | 24 | 25 | 26 | sourcetype="opnsense:filterlog" action=blocked src_ip="$clickedIP$" | stats values(transport) as proto | mvexpand proto | sort proto 27 | 28 | proto 29 | proto 30 | 31 | 32 | All 33 | * 34 | 35 |
36 | 37 | 38 | Blocked outbound destination ports for the selected source IP, narrowed by the port / protocol selectors above. (click a port for details) NOTE: clickedIP is taken straight from the URL query string and spliced into the three searches on this dashboard unquoted; write the token as $$clickedIP|s$$ (the |s filter quotes and escapes the value) so a crafted link cannot alter the search logic. Searches still run with the viewer's own permissions, so this protects the integrity of what the panel shows rather than preventing privilege escalation. 39 | 40 | 41 | sourcetype="opnsense:filterlog" action=blocked src_ip="$clickedIP$" dest_port="$dport$" transport="$proto$" | stats count(dest_port) as TotalBlockPorts by dest_port | sort TotalBlockPorts desc 42 | $field1.earliest$ 43 | $field1.latest$ 44 | 1 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | IPs to PORT 63 | 64 | 65 | sourcetype="opnsense:filterlog" action=blocked src_ip="$clickedIP$" dest_port="$dport$" transport="$proto$" | stats count(dest_port) as COUNT by dest_port, transport, dest_ip | table dest_port, transport, dest_ip, COUNT 66 | $field1.earliest$ 67 | $field1.latest$ 68 | 1 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 |
90 | 91 | 92 | 93 | sourcetype="opnsense:filterlog" action=blocked src_ip="$clickedIP$" dest_port="$dport$" transport="$proto$" 94 | $field1.earliest$ 95 | $field1.latest$ 96 | 1 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 |
109 | -------------------------------------------------------------------------------- /Truvis-Network Intelligence by ENDPOINT [SUB]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | DNS Queries over time 19 | 20 | index="suricata" sourcetype="suricata:dns" src_ip="$field2$" | timechart count by src_ip 21 | $field1.earliest$ 22 | $field1.latest$ 23 | 1 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | Connections to Risky Domains 34 | 35 | index="suricata" sourcetype="suricata:dns" src_ip="$field2$" 36 | [ | inputlookup domains.csv 37 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 38 | $field1.earliest$ 39 | $field1.latest$ 40 | 1 41 | 42 | 43 |
45 | 46 | 47 | Connections to Risky IPs (TODO: this panel is a copy of the Risky Domains search — it still matches DNS answer names against domains.csv and never looks at an IP; it needs an IP threat list matched against flow dest_ip or the DNS answer addresses) 48 | 49 | index="suricata" sourcetype="suricata:dns" src_ip="$field2$" 50 | [ | inputlookup domains.csv 51 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 52 | $field1.earliest$ 53 | $field1.latest$ 54 | 1 55 | 56 | 57 |
60 | 61 | 62 | 63 | Risky User-Agents (TODO: currently runs the Risky Domains DNS search, ignores the selected host and the time picker (-24h@h is hard-coded), and never inspects a user-agent; it should query suricata:http http.http_user_agent for the selected src_ip against a known-bad user-agent list) 64 | 65 | index="suricata" sourcetype="suricata:dns" 66 | [ | inputlookup domains.csv 67 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 68 | -24h@h 69 | now 70 | 71 | 72 |
74 | 75 | 76 | Uncommon User-Agents (TODO: copy of the Risky Domains DNS search; ignores the selected host and the time picker (-24h@h hard-coded) and never inspects a user-agent; should be a rarity search such as stats count by http.http_user_agent over suricata:http for the selected src_ip, lowest counts first) 77 | 78 | index="suricata" sourcetype="suricata:dns" 79 | [ | inputlookup domains.csv 80 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 81 | -24h@h 82 | now 83 | 84 | 85 |
88 | 89 | 90 | 91 | User-Agents Seen 92 | 93 | index="suricata" sourcetype="suricata:fileinfo" src_ip="$field2$" | stats count by http.http_user_agent | sort count desc 94 | -24h@h 95 | now 96 | 97 | 98 |
100 | 101 | 102 | Most Active DNS Connections 103 | 104 | index="suricata" sourcetype="suricata:dns" src_ip="$field2$"| stats count by dns.answers{}.rrname | sort count desc 105 | $field1.earliest$ 106 | $field1.latest$ 107 | 1 108 | 109 | 110 |
113 | 114 | 115 | 116 | Flow | Proto 117 | 118 | index="suricata" sourcetype="suricata:flow" src_ip="$field2$" | stats count by app_proto 119 | $field1.earliest$ 120 | $field1.latest$ 121 | 1 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | Annomalies | Events 130 | 131 | index="suricata" sourcetype="suricata:anomaly" src_ip="$field2$" | stats count by anomaly.event 132 | $field1.earliest$ 133 | $field1.latest$ 134 | 1 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | Anomalies | Protot 143 | 144 | index="suricata" sourcetype="suricata:anomaly" src_ip="$field2$" | stats count by app_proto 145 | $field1.earliest$ 146 | $field1.latest$ 147 | 1 148 | 149 | 150 | 151 | 152 | 153 | 154 |
155 | -------------------------------------------------------------------------------- /Truvis-User Windows Security Overview [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | * 7 | 8 |
9 | 10 | 11 | Failed Login Events 12 | 13 | 14 | 15 | -24h@h 16 | now 17 | 18 | 19 | 20 | 21 | _time 22 | host 23 | user 24 | src_ip 25 | EventCode 26 | signature 27 | Logon_Type 28 | Logon_Process 29 | user 30 | , 31 | 32 | 33 | 34 | source="WinEventLog:Security" $filter1$ TaskCategory=Logon Keywords="Audit Failure" | fillnull value=* src_ip EventCode | stats count by $multi_select1$ 35 | | sort -count 36 | $time1.earliest$ 37 | $time1.latest$ 38 | 1 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 |
50 | 51 | Successful Login Events 52 | 53 | 54 | 55 | -24h@h 56 | now 57 | 58 | 59 | 60 | 61 | _time 62 | host 63 | user 64 | src_ip 65 | EventCode 66 | signature 67 | Logon_Type 68 | Logon_Process 69 | Process_Name 70 | user 71 | , 72 | 73 | 74 | 75 | source="WinEventLog:Security" $filter1$ TaskCategory=Logon Keywords="Audit Success" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$$" user!="ANONYMOUS LOGON" user!="IUSR" | fillnull value=* src_ip EventCode Logon_Type, Logon_Process, Process_Name | stats count by $multi_select2$ 76 | | sort -count 77 | $time2.earliest$ 78 | $time2.latest$ 79 | 1 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 |
92 | 93 | 94 | Privileged Account Events (TaskCategory Special Logon). NOTE: the computer-account exclusion in this search is written *$ while the two panels above use *$$, which is the Simple XML escape for a literal dollar sign — make this one consistent or machine accounts may not be excluded here. 95 | 96 | 97 | 98 | -24h@h 99 | now 100 | 101 | 102 | 103 | 104 | _time 105 | host 106 | user 107 | signature 108 | vendor_privilege 109 | member_id 110 | Keywords 111 | user 112 | , 113 | 114 | 115 | 116 | source="WinEventLog:Security" $filter1$ TaskCategory="Special Logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$" user!="ANONYMOUS LOGON" user!="IUSR" | stats count by $multi_select3$ | sort -count 117 | $time3.earliest$ 118 | $time3.latest$ 119 | 1 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 |
133 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | *be sure to star and follow this project if you like it. By doing so it lets me know which of my works people enjoy the most so development can be prioritized* 2 | 3 | # Dashboards 4 | When I started teaching myself Splunk and saw that you could create dashboards, I quickly became addicted and started building out as many ideas as I possibly could. The goal is to figure out how to package these into an app that can be quickly deployed and configured on any Splunk instance. 5 | 6 | The other part that inspired this was to build out a Threat Hunting environment for trying to detect attacks and also learning how to not get noticed when doing red team engagements. 7 | 8 | Be sure to drop ideas and improvements! I'm still learning and would enjoy others' viewpoints! 9 | 10 | - *TODO: Add colors across all dashboards* 11 | - *TODO: Standardize naming of fields* 12 | - *TODO: Add summary of what each dashboard does* 13 | - *TODO: List configuration settings and requirements on hosts such as index, sourcetype, source* 14 | 15 | ## Windows 16 | ### Configuration 17 | - Expects the Security event log forwarded as `source=WinEventLog:Security`. The dashboards rely on the Audit Logon, Audit Special Logon, Audit User Account Management (4720/4726, 4723/4724) and Audit Security Group Management (4728/4729) subcategories being enabled; without them the panels are silently empty. 18 | ### Dashboards 19 | #### User Windows Security Overview [MAIN] 20 | ![2020_09_22_06_11_24_Truvis_User_Windows_Security_Overview_MAIN_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93869920-7f5a2a00-fc9a-11ea-8aa3-b91faf7f3d0a.png) 21 | 22 | #### Host Windows Security Overview [MAIN] 23 | ![2020_09_22_06_13_32_Truvis_Host_Windows_Security_Overview_MAIN_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93870172-ca743d00-fc9a-11ea-943e-1483ada2b8b8.png) 24 | 25 | ## Linux 26 | ### Configuration 27 | - Uses a custom history configuration on the host machines 28 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Linux_History 29 | - Auth events are expected at `source=secure` (/var/log/secure). Note that the Linux dashboards currently reference three different shell-history sources (`sourcetype=bash_history`, `source=bash_history`, `source=history_log`); pick one and standardize, or some panels will stay empty. 30 | ### Dashboards 31 | #### User Linux Security Overview 
[MAIN] 32 | ![2020_09_22_05_54_26_What_is_Penetration_Testing_Step_By_Step_Process_Methods_Imperva](https://user-images.githubusercontent.com/23244379/93868232-2a1d1900-fc98-11ea-9d05-9d91bd429e0c.png) 33 | 34 | #### Host Linux Security Overview [MAIN] 35 | *TODO: Update to use the new linux history TA to get src_ip* 36 | ![2020_09_22_06_06_47_What_is_Penetration_Testing_Step_By_Step_Process_Methods_Imperva](https://user-images.githubusercontent.com/23244379/93869508-df9c9c00-fc99-11ea-83d6-17792cb43410.png) 37 | 38 | #### Host Linux Dashboard by ENDPOINT [SUB] 39 | *TODO: Still under development and needs to be update to pull from new sources* 40 | ![2020_09_22_06_07_52_Truvis_Host_Linux_Dashboard_by_ENDPOINT_SUB_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93869580-fc38d400-fc99-11ea-8a0f-157eec74de97.png) 41 | 42 | 43 | ## Suricata 44 | ### Configuration 45 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Suricata5 46 | - Uses a server configured with port mirror running suricata* 47 | 48 | ### Dashboards 49 | #### Suricata Network Overview [MAIN] 50 | *TODO: Add the ability to exclude in filter* 51 | ![2020_09_22_06_15_56_What_is_Penetration_Testing_Step_By_Step_Process_Methods_Imperva](https://user-images.githubusercontent.com/23244379/93870366-1fb04e80-fc9b-11ea-9ca5-6b66e0cfabde.png) 52 | 53 | #### Suricata Host Overview [SUB] 54 | *TODO: Needs HOST input added for host control* 55 | ![2020_09_22_06_17_09_Truvis_Suricata_Host_Overview_SUB_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93870480-4a9aa280-fc9b-11ea-94de-04027dfd9ff7.png) 56 | 57 | #### Suricata Categories Overview [SUB] 58 | ![2020_09_22_06_18_25_Truvis_Suricata_Categories_Overview_SUB_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93870605-76b62380-fc9b-11ea-9906-d4f5b311b474.png) 59 | 60 | #### Suricata Signature Overview [SUB] 61 | ![2020_09_22_06_19_14_Truvis_Suricata_Signature_Overview_SUB_Splunk_8 0 
5](https://user-images.githubusercontent.com/23244379/93870680-93eaf200-fc9b-11ea-8e6c-e09c58047f92.png) 62 | 63 | 64 | ## Network 65 | ### Configuration 66 | - The blocked-connection dashboards read `sourcetype=opnsense:filterlog` (OPNsense TA) and hard-code the LAN as `192.168.2.*`; change that to your local range. The Network Intelligence dashboards expect a `domains.csv` lookup with a `bad_domain` column, which is not shipped with this repo. 67 | ### Dashboards 68 | #### Network Intelligence Overview [MAIN] 69 | *TODO: Need threat-intel list for reference; the "Risky IPs", "Risky User-Agents" and "Uncommon User-Agents" panels are still copies of the Risky Domains search and do not yet look at IPs or user-agents* 70 | ![2020_09_22_06_20_59_Truvis_Network_Intelligence_Overview_MAIN_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93870863-d280ac80-fc9b-11ea-8a31-d9d37a479de0.png) 71 | 72 | #### Network Intelligence by ENDPOINT [SUB] 73 | *TODO: Need threat-intel list for reference; same placeholder panels as the MAIN dashboard* 74 | ![2020_09_22_06_22_06_Truvis_Network_Intelligence_by_ENDPOINT_SUB_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93870988-fa701000-fc9b-11ea-9671-c21d2a9209ad.png) 75 | 76 | #### Blocked Out Going Connections BY IP [MAIN] 77 | ![2020_09_22_06_23_31_Truvis_Blocked_Out_Going_Connections_BY_IP_MAIN_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93871130-2be8db80-fc9c-11ea-8f1d-ecce7c70bfd2.png) 78 | 79 | #### Blocked Out Going Connections by ENDPOINT [SUB] 80 | *TODO: Needs host control; the `clickedIP` URL token is used unquoted in the searches and should go through the `|s` token filter* 81 | ![2020_09_22_06_24_54_Truvis_Blocked_Out_Going_Connections_by_ENDPOINT_SUB_Splunk_8 0 5](https://user-images.githubusercontent.com/23244379/93871266-5d61a700-fc9c-11ea-875d-5905d7f472c6.png) 82 | 83 | 84 | ## Threat Hunting 85 | ### Configuration 86 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Suricata5 87 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Linux_History 88 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Opnsense-20.1.X 89 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Zeek 90 | - Uses a server configured with port mirror running suricata/zeek* 91 | - *TODO: Break the bigger dashboards out into subs based on service* 92 | 93 | ### Dashboards 94 | #### Truvis-Threat Intelligence Windows Accounts [MAIN] 95 | ![2020-10-17 12_34_22-Truvis-Threat Intelligence Windows Accounts MAIN _ Splunk 8 0 
5](https://user-images.githubusercontent.com/23244379/96348204-22714a00-1075-11eb-8872-83e50f9b2442.png) 96 | 97 | #### Truvis-Threat Intelligence Network [MAIN] 98 | ![2020-10-17 12_33_38-root@splunk_~](https://user-images.githubusercontent.com/23244379/96348196-0a012f80-1075-11eb-978f-4ca5fbf37065.png) 99 | 100 | 101 | ## Zeek 102 | ### Configuration 103 | - Uses PLUGIN https://github.com/Truvis/Splunk_TA_Truvis_Zeek 104 | - Uses a server configured with port mirror running zeek* 105 | 106 | ### Dashboards 107 | -------------------------------------------------------------------------------- /Truvis-Network Intelligence Overview [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 |
12 | 13 | 14 | 15 | DNS Queries per host 16 | 17 | index="suricata" sourcetype="suricata:dns" | stats count by src_ip 18 | $field1.earliest$ 19 | $field1.latest$ 20 | 1 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | Connections to Risky Domains 31 | 32 | index="suricata" sourcetype="suricata:dns" 33 | [ | inputlookup domains.csv 34 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 35 | $field1.earliest$ 36 | $field1.latest$ 37 | 1 38 | 39 | 40 |
42 | 43 | 44 | Connections to Risky IPs (TODO: this panel is a copy of the Risky Domains search — it still matches DNS answer names against domains.csv and never looks at an IP; it needs an IP threat list matched against flow dest_ip or the DNS answer addresses) 45 | 46 | index="suricata" sourcetype="suricata:dns" 47 | [ | inputlookup domains.csv 48 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 49 | $field1.earliest$ 50 | $field1.latest$ 51 | 1 52 | 53 | 54 |
57 | 58 | 59 | 60 | Risky User-Agents (TODO: currently runs the Risky Domains DNS search, ignores the time picker (-24h@h is hard-coded) and never inspects a user-agent; it should query suricata:http http.http_user_agent against a known-bad user-agent list) 61 | 62 | index="suricata" sourcetype="suricata:dns" 63 | [ | inputlookup domains.csv 64 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 65 | -24h@h 66 | now 67 | 68 | 69 |
71 | 72 | 73 | Uncommon User-Agents (TODO: copy of the Risky Domains DNS search; ignores the time picker (-24h@h hard-coded) and never inspects a user-agent; should be a rarity search such as stats count by http.http_user_agent over suricata:http, lowest counts first) 74 | 75 | index="suricata" sourcetype="suricata:dns" 76 | [ | inputlookup domains.csv 77 | | rename bad_domain as dns.answers{}.rrname | fields dns.answers{}.rrname ] | table _time, src_ip, dns.answers{}.rrname | sort _time desc 78 | -24h@h 79 | now 80 | 81 | 82 |
85 | 86 | 87 | 88 | User-Agents Seen 89 | 90 | index="suricata" sourcetype="suricata:fileinfo" | stats count by http.http_user_agent | sort count desc 91 | -24h@h 92 | now 93 | 94 | 95 |
97 | 98 | 99 | Most Active DNS Connections 100 | 101 | index="suricata" sourcetype="suricata:dns" | stats count by dns.answers{}.rrname | table count, dns.answers{}.rrname | sort count desc 102 | $field1.earliest$ 103 | $field1.latest$ 104 | 1 105 | 106 | 107 | 108 |
111 | 112 | 113 | 114 | Flow | Proto 115 | 116 | index="suricata" sourcetype="suricata:flow" | stats count by app_proto 117 | $field1.earliest$ 118 | $field1.latest$ 119 | 1 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | Annomalies | Events 129 | 130 | index="suricata" sourcetype="suricata:anomaly" | stats count by anomaly.event 131 | $field1.earliest$ 132 | $field1.latest$ 133 | 1 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | Anomalies | Protot 143 | 144 | index="suricata" sourcetype="suricata:anomaly" | stats count by app_proto 145 | $field1.earliest$ 146 | $field1.latest$ 147 | 1 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 |
156 | -------------------------------------------------------------------------------- /Truvis-Suricata Host Overview [SUB] Time Frame Last 24 hours Hide Filters: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 |
12 | 13 | 14 | 15 | Signatures 16 | 17 | index=suricata src_ip="192.168.2.77" | stats count by alert.signature 18 | $field1.earliest$ 19 | $field1.latest$ 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | Categories 29 | 30 | index=suricata src_ip="192.168.2.77" | stats count by alert.category 31 | $field1.earliest$ 32 | $field1.latest$ 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | Event Type 42 | 43 | index=suricata src_ip="192.168.2.77" | stats count by event_type 44 | $field1.earliest$ 45 | $field1.latest$ 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | Anomalies 55 | 56 | index=suricata sourcetype="suricata:anomaly" src_ip="192.168.2.77" | stats count by anomaly.event 57 | $field1.earliest$ 58 | $field1.latest$ 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | Dest IPS 70 | 71 | index=suricata sourcetype="suricata:flow" src_ip="192.168.2.77" | stats count by dest_ip | table dest_ip count | sort - count 72 | $field1.earliest$ 73 | $field1.latest$ 74 | 75 | 76 | 77 |
79 | 80 | 81 | Dest Ports 82 | 83 | index=suricata sourcetype="suricata:flow" src_ip="192.168.2.77" | stats count by dest_port 84 | $field1.earliest$ 85 | $field1.latest$ 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 |
94 | 95 | 96 | 97 | Connections out to IPs 98 | 99 | index=suricata sourcetype="suricata:flow" src_ip="192.168.2.77" 100 | |stats count by dest_ip dest_port proto 101 | |stats list(dest_port) as port list(proto) as proto list(count) as count by dest_ip | sort - count 102 | $field1.earliest$ 103 | $field1.latest$ 104 | 105 | 106 | 107 |
110 | 111 | 112 | 113 | URIs Called 114 | 115 | index=suricata sourcetype="suricata:http" src_ip="192.168.2.77" | stats count by url | table url count | sort - count 116 | $field1.earliest$ 117 | $field1.latest$ 118 | 119 | 120 | 121 |
124 | 125 | 126 | 127 | Top DNS calls 128 | 129 | index=suricata sourcetype="suricata:dns" src_ip="192.168.2.77" | stats count by dns.answers{}.rrname | table dns.answers{}.rrname count | sort - count 130 | $field1.earliest$ 131 | $field1.latest$ 132 | 133 | 134 | 135 |
137 | 138 | 139 | URI Queries 140 | 141 | index=suricata sourcetype="suricata:http" src_ip="192.168.2.77" | stats count by http.http_user_agent | table http.http_user_agent count | sort - count 142 | $field1.earliest$ 143 | $field1.latest$ 144 | 145 | 146 | 147 |
150 | 151 | 152 | 153 | Anomaly Raw Logs 154 | 155 | index=suricata sourcetype="suricata:anomaly" src_ip="192.168.2.77" 156 | $field1.earliest$ 157 | $field1.latest$ 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | Alert Raw Lows 171 | 172 | index=suricata sourcetype="suricata:alert" src_ip="192.168.2.77" 173 | $field1.earliest$ 174 | $field1.latest$ 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 |
184 | -------------------------------------------------------------------------------- /Truvis-User Linux Security Overview [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | $field1.earliest$ 8 | $field1.latest$ 9 | 30s 10 | 11 | 12 |
13 | 14 | 15 | CURRENT SSH Sessions 16 | 17 | 18 | source=secure | transaction pid startswith="session opened" | eval TimeLoggedIn=tostring(now() - _time, "duration") | regex _raw!="session closed" | table _time TimeLoggedIn host user src_ip | appendpipe [stats count| eval error="No Active Sessions" | where count==0 |table error] 19 | $field1.earliest$ 20 | $field1.latest$ 21 | 30s 22 | delay 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 |
41 | 42 | 43 | Login Success by USER 44 | 45 | Is a user possibly logging in to several machines? (this panel only counts successes per user; add dc(host) to the stats to see how many distinct hosts each user actually reached) 46 | 47 | source=secure action=success | stats count by user 48 | $field1.earliest$ 49 | $field1.latest$ 50 | 30s 51 | delay 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | Login Failures by USER 61 | 62 | Is any user account being targeted more than usual? (counts failures per user; per-host failure counts and source addresses are in the Login Failures by Host panel below) 63 | 64 | source=secure action=failure | stats count by user 65 | $field1.earliest$ 66 | $field1.latest$ 67 | 30s 68 | delay 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | Total Commands Executed by USER 78 | 79 | How many commands per machine by USER 80 | 81 | source=history_log | stats count(COMMAND) by USER HOST 82 | $field1.earliest$ 83 | $field1.latest$ 84 | 30s 85 | delay 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 |
100 | 101 | 102 | Login Failures by Host 103 | 104 | 105 | source=secure action=failure | stats count by host, user, src | table host user src count | stats list(user) as user list(src) as from list(count) as count by host 106 | $field1.earliest$ 107 | $field1.latest$ 108 | 30s 109 | delay 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 |
131 | 132 | Timechart of Failed Logins 133 | 134 | 135 | source=secure action=failure | timechart count by host 136 | $field1.earliest$ 137 | $field1.latest$ 138 | 30s 139 | delay 140 | 141 | 142 | 143 | 144 | 145 | 146 |
147 | 148 | 149 | Successful Logins by Host 150 | 151 | 152 | source=secure | transaction pid maxevents=3 endswith="session closed" | eval HHMMSS=tostring(duration, "duration") | table _time user dest src_ip HHMMSS | sort - _time 153 | $field1.earliest$ 154 | $field1.latest$ 155 | 30s 156 | delay 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 |
173 | 174 | Timechart of Successful Logins 175 | 176 | 177 | source=secure action=success | timechart count by host 178 | $field1.earliest$ 179 | $field1.latest$ 180 | 30s 181 | 182 | 183 | 184 | 185 | 186 | 187 |
188 | 189 | 190 | Risky Commands Executed 191 | 192 | 193 | source=history_log (sh OR ./) | table _time USER SRC_IP PWD HOST COMMAND | sort - _time 194 | $field1.earliest$ 195 | $field1.latest$ 196 | 30s 197 | delay 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 |
217 | -------------------------------------------------------------------------------- /Truvis-Threat Intelligence Network [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 |
12 | 13 | 14 | Top hosts making DNS queries 15 | 16 | Capturing spikes or changes in client volumes may show early signs of data exfiltration. 17 | 18 | index="suricata" message_type=Query 19 | | timechart limit=10 usenull=f useother=f count AS Requests by src 20 | $field1.earliest$ 21 | $field1.latest$ 22 | 23 | 24 | 25 | 26 | 27 | 28 | Requests by Resource Record Over Time 29 | 30 | Changes in resource type behaviour for a client may point toward potential C&C or exfiltration activity. Both A records and TXT records should be watched carefully, as these are commonly used; however, don't limit your attention to just these two resource types. 31 | 32 | index="suricata" message_type=Query 33 | | timechart span=1h count BY record_type 34 | $field1.earliest$ 35 | $field1.latest$ 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | Connections to Unencrypted Ports (Allowed/Blocked) 45 | 46 | These connections could carry credentials in the clear; these older protocols should be retired and blocked. (click to find hosts and raw logs) 47 | 48 | host="edge.internal.truvis.cat" src="192.168.2.*" dest_port="20" OR dest_port="21" OR dest_port="23" OR dest_port="25" OR dest_port="110" OR dest_port="143" OR dest_port="1521" | stats count by dest_port 49 | $field1.earliest$ 50 | $field1.latest$ 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | Connections to Unencrypted Port 139 (Allowed/Blocked) 60 | 61 | Hosts making NetBIOS connections on port 139.
62 | 63 | host="edge.internal.truvis.cat" src="192.168.2.*" dest_port="139" | stats count by host 64 | $field1.earliest$ 65 | $field1.latest$ 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Top IPs going out to unauthorized DNS servers 76 | 77 | 78 | sourcetype="opnsense:filterlog" dest_port="53" src_ip!="192.168.2.15" AND src_ip!="96.58.127.84" AND src_ip!="127.0.0.1" AND dest_ip!="96.58.127.84" AND ip_version="4" | stats count by src_ip 79 | $field1.earliest$ 80 | $field1.latest$ 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | Devices not using local DNS server 90 | 91 | 92 | sourcetype="opnsense:filterlog" dest_port="53" src_ip!="192.168.2.15" AND src_ip!="96.58.127.84" AND src_ip!="127.0.0.1" AND dest_ip!="96.58.127.84" AND ip_version="4" | stats count by src_ip, dest_ip | stats list(dest_ip) list(count) by src_ip 93 | $field1.earliest$ 94 | $field1.latest$ 95 | 96 | 97 |
100 | 101 | 102 | Hosts with big queries 103 | 104 | 105 | index="suricata" message_type=Query 106 | | mvexpand query 107 | | eval queryLength=len(query) 108 | | where queryLength > 90 109 | | stats count by src 110 | $field1.earliest$ 111 | $field1.latest$ 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | Big Queries 121 | 122 | 123 | index="suricata" message_type=Query 124 | | mvexpand query 125 | | eval queryLength=len(query) 126 | | stats count by queryLength, src, query 127 | | sort -queryLength, count 128 | | table src query queryLength count 129 | | where queryLength > 90 130 | $field1.earliest$ 131 | $field1.latest$ 132 | 133 | 134 | 135 |
138 | 139 | 140 | Clients connecting to multiple DNS servers 141 | 142 | 143 | index="suricata" message_type=Query 144 | | mvexpand query 145 | | bucket _time span=1s 146 | | stats VALUES(dest_ip) AS IP_List dc(dest_ip) AS distinct by _time src_ip 147 | | search distinct > 2 148 | | table src_ip IP_List distinct 149 | $field1.earliest$ 150 | $field1.latest$ 151 | 152 | 153 | 154 |
156 | 157 | DNS Beaconing (needs work) 158 | 159 | Beaconing activity may occur when a compromised host ‘checks in’ with the command infrastructure, possibly waiting for new instructions or updates to the malicious software itself. 160 | 161 | index="suricata" message_type=Query 162 | | mvexpand query 163 | | fields _time, query 164 | | streamstats current=f last(_time) as last_time by query 165 | | eval gap=last_time - _time 166 | | stats count avg(gap) AS AverageBeaconTime var(gap) AS VarianceBeaconTime BY query 167 | | eval AverageBeaconTime=round(AverageBeaconTime,3), VarianceBeaconTime=round(VarianceBeaconTime,3) 168 | | sort -count 169 | | where VarianceBeaconTime < 60 AND count > 2 AND AverageBeaconTime>1.000 170 | | table query VarianceBeaconTime count AverageBeaconTime 171 | $field1.earliest$ 172 | $field1.latest$ 173 | 174 | 175 | 176 |
179 | 180 | 181 | Packet Size & Volume Distribution 182 | 183 | Events with large packet sizes and high volumes may be signs of exfiltration activity. 184 | 185 | index="suricata" message_type=Query 186 | | mvexpand query 187 | | eval queryLength=len(query) 188 | | stats count by queryLength, src 189 | | sort -queryLength, count 190 | | table src queryLength count 191 | | head 1000 192 | $field1.earliest$ 193 | $field1.latest$ 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | Number of Hosts Talking to Beaconing Domains 204 | 205 | index="suricata" message_type=Query 206 | | fields _time, src, query 207 | | streamstats current=f last(_time) as last_time by query 208 | | eval gap=last_time - _time 209 | | stats count dc(src) AS NumHosts avg(gap) AS AverageBeaconTime var(gap) AS VarianceBeaconTime BY query 210 | | eval AverageBeaconTime=round(AverageBeaconTime,3), VarianceBeaconTime=round(VarianceBeaconTime,3) 211 | | sort -count 212 | | where VarianceBeaconTime < 60 AND AverageBeaconTime > 0 213 | $field1.earliest$ 214 | $field1.latest$ 215 | 216 | 217 | 218 | 219 | 220 | 221 | Beaconing Activity 222 | 223 | Beaconing activity may occur when a compromised host ‘checks in’ with the command infrastructure, possibly waiting for new instructions or updates to the malicious software itself. 224 | 225 | index="suricata" message_type=Query 226 | | fields _time, query 227 | | streamstats current=f last(_time) as last_time by query 228 | | eval gap=last_time - _time 229 | | stats count avg(gap) AS AverageBeaconTime var(gap) AS VarianceBeaconTime BY query 230 | | eval AverageBeaconTime=round(AverageBeaconTime,3), VarianceBeaconTime=round(VarianceBeaconTime,3) 231 | | sort -count 232 | | where VarianceBeaconTime < 60 AND count > 2 AND AverageBeaconTime>1.000 233 | | table query VarianceBeaconTime count AverageBeaconTime 234 | $field1.earliest$ 235 | $field1.latest$ 236 | 237 | 238 | 239 | 240 | 241 | 242 |
243 | -------------------------------------------------------------------------------- /Truvis-Host Windows Security Overview [MAIN]: -------------------------------------------------------------------------------- 1 |
5 | 6 | 7 | 8 | -7d@h 9 | now 10 | 11 | 12 |
13 | 14 | 15 | Failed Logon Attempts 16 | 17 | 18 | source="WinEventLog:security" EventCode=4625 19 | | eval hammer=_time 20 | | eval Workstation_Name=lower(Workstation_Name) 21 | | eval host=lower(host) 22 | | bucket span=5m hammer 23 | | stats count sparkline by user host, hammer, Workstation_Name 24 | | rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host" 25 | | convert ctime("5 minute blocks") 26 | $timepicker.earliest$ 27 | $timepicker.latest$ 28 | 1 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 |
52 | 53 | Timechart of Failed Attempts to Logon 54 | 55 | 56 | source="WinEventLog:security" EventCode=4625 57 | | timechart span=1h count by host 58 | $timepicker.earliest$ 59 | $timepicker.latest$ 60 | 1 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 |
97 | 98 | 99 | Successful Logons 100 | 101 | 102 | source="WinEventLog:security" EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) user!="DWM-*" user!="UMFD-*" 103 | | eval Workstation_Name=lower(Workstation_Name) 104 | | eval host=lower(host) 105 | | eval hammer=_time 106 | | bucket span=1d@d hammer 107 | | stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name 108 | | rename hammer as "Start of Day" host as "Target Host" Workstation_Name as "Source Host" 109 | | convert ctime("Start of Day") 110 | | sort - "Start of Day" 111 | $timepicker.earliest$ 112 | $timepicker.latest$ 113 | 1 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 |
132 | 133 | Timechart of Successful Logons 134 | 135 | 136 | source="WinEventLog:security" EventCode=4624 (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10 OR Logon_Type=11) user!="DWM-*" user!="UMFD-*" 137 | | timechart span=1h count by host 138 | $timepicker.earliest$ 139 | $timepicker.latest$ 140 | 1 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 |
176 | 177 | 178 | Windows Authentication events 179 | 180 | 181 | source="wineventlog:security" action=success (EventCode=4624 OR EventCode=4634 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) 182 | | convert timeformat="%a %B %d %Y" ctime(_time) AS Date 183 | | streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host, user 184 | | eval session_duration=logout-login 185 | | where session_duration > 5 186 | | eval h=floor(session_duration/3600) 187 | | eval m=floor((session_duration-(h*3600))/60) 188 | | eval SessionDuration=h."h ".m."m " 189 | | convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 190 | | convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 191 | | stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user 192 | | sort + login 193 | $timepicker.earliest$ 194 | $timepicker.latest$ 195 | 1 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 |
216 | 217 | 218 | Common Event Codes - 10,000 foot view 219 | 220 | 221 | source="wineventlog:security" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$$" user!="ANONYMOUS LOGON" user!="IUSR" 222 | | eval Trigger=case(EventCode=516, "Audit Logs Modified",EventCode=517, "Audit Logs Modified",EventCode=612, "Audit Logs Modified",EventCode=623, "Audit Logs Modified",EventCode=806, "Audit Logs Modified",EventCode=807, "Audit Logs Modified",EventCode=1101, "Audit Logs Modified",EventCode=1102, "Audit Logs Modified",EventCode=4612, "Audit Logs Modified",EventCode=4621, "Audit Logs Modified",EventCode=4694, "Audit Logs Modified",EventCode=4695, "Audit Logs Modified",EventCode=4715, "Audit Logs Modified",EventCode=4719, "Audit Logs Modified",EventCode=4817, "Audit Logs Modified",EventCode=4885, "Audit Logs Modified",EventCode=4902, "Audit Logs Modified",EventCode=4906, "Audit Logs Modified",EventCode=4907, "Audit Logs Modified",EventCode=4912, "Audit Logs Modified", EventCode=642, "Account Modification",EventCode=646, "Account Modification",EventCode=685, "Account Modification",EventCode=4738, "Account Modification",EventCode=4742, "Account Modification",EventCode=4781, "Account Modification", EventCode=1102, "Audit Logs Cleared/Deleted",EventCode=517, "Audit Logs Cleared/Deleted", EventCode=628, "Passwords Changed",EventCode=627, "Passwords Changed",EventCode=4723, "Passwords Changed",EventCode=4724, "Passwords Changed", EventCode=528, "Successful Logons",EventCode=540, "Successful Logons",EventCode=4624, "Successful Logons", EventCode=4625, "Failed Logons",EventCode=529, "Failed Logons",EventCode=530, "Failed Logons",EventCode=531, "Failed Logons",EventCode=532, "Failed Logons",EventCode=533, "Failed Logons",EventCode=534, "Failed Logons",EventCode=535, "Failed Logons",EventCode=536, "Failed Logons",EventCode=537, "Failed Logons",EventCode=539, "Failed Logons", EventCode=576, "Escalation of Privileges",EventCode=4672, 
"Escalation of Privileges",EventCode=577, "Escalation of Privileges",EventCode=4673, "Escalation of Privileges",EventCode=578, "Escalation of Privileges",EventCode=4674, "Escalation of Privileges") 223 | | stats earliest(_time) as Initial_Occurrence latest(_time) as Latest_Occurrence values(user) as Users values(host) as Hosts count sparkline by Trigger 224 | | sort - count 225 | | convert ctime(Initial_Occurrence) ctime(Latest_Occurrence) 226 | -7d@h 227 | now 228 | 1 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 |
245 | -------------------------------------------------------------------------------- /Truvis-Suricata Network Overview [MAIN]: -------------------------------------------------------------------------------- 1 |
4 | 5 | 6 | 7 | -24h@h 8 | now 9 | 10 | 11 | 12 | 13 | * 14 | * 15 | 16 | 17 | 18 | * 19 | * 20 | 21 | 22 | 23 | _time 24 | severity 25 | category 26 | alert.signature_id 27 | signature 28 | src_ip 29 | src_port 30 | dest_ip 31 | dest_port 32 | proto 33 | action 34 | _time,severity,category,alert.signature_id,signature,src_ip,src_port,dest_ip,dest_port,proto,action 35 | , 36 | column 37 | column 38 | 39 | index="suricata" sourcetype="suricata:alert" | stats values(*) AS * | transpose | table column 40 | 41 | 42 | 43 | 44 | 5 45 | 5 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 |
54 | 55 | 56 | 57 | 58 | index="suricata" sourcetype="suricata:alert" severity_id=1 src_ip="$field2$" dest_ip="$field3$" | stats count 59 | $field1.earliest$ 60 | $field1.latest$ 61 | 1 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | index="suricata" sourcetype="suricata:alert" severity_id=2 src_ip="$field2$" dest_ip="$field3$" | stats count(severity_id) 76 | $field1.earliest$ 77 | $field1.latest$ 78 | 1 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | index="suricata" sourcetype="suricata:alert" severity_id=3 src_ip="$field2$" dest_ip="$field3$" | stats count(severity_id) 94 | $field1.earliest$ 95 | $field1.latest$ 96 | 1 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | index="suricata" sourcetype="suricata:alert" severity_id=4 src_ip="$field2$" dest_ip="$field3$" | stats count(severity_id) 111 | $field1.earliest$ 112 | $field1.latest$ 113 | 1 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | index="suricata" sourcetype="suricata:alert" severity_id=5 src_ip="$field2$" dest_ip="$field3$" | stats count(severity_id) 129 | $field1.earliest$ 130 | $field1.latest$ 131 | 1 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | Alerts over time 147 | 148 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" | timechart count by severity 149 | $field1.earliest$ 150 | $field1.latest$ 151 | 1 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | Signatures 191 | 192 | click for details 193 | 194 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" | stats count by signature 195 | $field1.earliest$ 196 | $field1.latest$ 197 | 1 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 
208 | 209 | 210 | 211 | 212 | /app/search/truvissuricata_severity_overview_sub?sig=$click.value$ 213 | 214 | 215 | 216 | 217 | Categories 218 | 219 | click for details 220 | 221 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" | stats count by category 222 | $field1.earliest$ 223 | $field1.latest$ 224 | 1 225 | 226 | 227 | 228 | 229 | 230 | /app/search/truvissuricata_categories_overview_sub?cat=$click.value$ 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | Hits on ports 239 | 240 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" | stats count by dest_port 241 | $field1.earliest$ 242 | $field1.latest$ 243 | 1 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | Actions 255 | 256 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" | stats count by action 257 | $field1.earliest$ 258 | $field1.latest$ 259 | 1 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | Hits from SRC_IPs 271 | 272 | index="suricata" sourcetype="suricata:alert" | stats count by src_ip 273 | -24h@h 274 | now 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | Hits to DEST_IPs 284 | 285 | index="suricata" sourcetype="suricata:alert" | stats count by dest_ip 286 | -24h@h 287 | now 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | Suricata Events Organized 299 | 300 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" | table $multi_select2$ | sort _time desc 301 | $field1.earliest$ 302 | $field1.latest$ 303 | 1 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 |
314 | 315 | 316 | 317 | Signatures Fire Rate (false positive hunting) 318 | 319 | index="suricata" | fillnull value=NULL alert.metadata.created_at{} alert.category alert.signature | stats count by alert.metadata.created_at{} alert.category alert.signature alert.signature_id | sort - count 320 | $field1.earliest$ 321 | $field1.latest$ 322 | 1 323 | 324 | 325 | 326 |
329 | 330 | 331 | 332 | Raw Events 333 | 334 | index="suricata" sourcetype="suricata:alert" src_ip="$field2$" dest_ip="$field3$" 335 | $field1.earliest$ 336 | $field1.latest$ 337 | 1 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 |
352 | --------------------------------------------------------------------------------