Splunk Query Examples SPL (Reference / Cheat Sheet) for CIS-264
References
https://splunkbase.splunk.com/apps
https://docs.splunk.com/Documentation
https://docs.splunk.com/Documentation/SCS/current/SearchReference/Introduction
https://www.splunk.com/en_us/blog/security.html
https://www.splunk.com/en_us/blog/security/threat-hunting-sysmon-event-codes.html
Comparison operators (=, !=, <, >, <=, >=)
Boolean operators AND, OR, and NOT (must be written in uppercase; a lowercase "and" is searched as a plain keyword)

index="windows"
Return everything in the "windows" index
index="windows" "seatbelt*"
Return events from the "windows" index containing seatbelt followed by anything (* is the wildcard)
index="windows" "seatbelt*" NOT "seatbelt"
Return events matching seatbelt* but not the exact string "seatbelt"
index="windows" "seatbelt*" NOT "seatbelt" | stats count
Count how many events match the pattern
index="windows" "seatbelt*" NOT "seatbelt" | stats count by host
Count of matching events per host
index="windows" "seatbelt*" NOT "seatbelt" | table _time, host, user, source
Show the matching events as a table with only the listed fields
Piping with the pipe symbol "|" takes the output of one search command and redirects it into the next command as its input
Also commonly called command chaining
Successful Account Logon:
index="windows" sourcetype=WinEventLog:Security EventCode=4624 | dedup AccountName
dedup removes duplicate events; it needs at least one field to deduplicate on (AccountName here gives one event per account)
Failed Logon Attempt:
index="windows" sourcetype=WinEventLog:Security EventCode=4625
New Process Started:
index="windows" sourcetype=WinEventLog:Security EventCode=4688
Image Loaded (Spotting DLL Hijacking): a DLL loaded from a user-writable path instead of System32
index="windows" sourcetype=sysmon EventCode=7 ImageLoaded=*\\Users\\* NOT ImageLoaded=*\\System32\\*
Network Connection:
index="windows" sourcetype=sysmon EventCode=3
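Worked example (added here, not part of the original gist): the Sysmon EventCode=7 filter above re-implemented in Python over constructed sample events, so you can see exactly which records a field wildcard such as ImageLoaded=*\Users\* keeps and which NOT ImageLoaded=*\System32\* drops, followed by the stats count by host roll-up. The sample events, host names and paths are made up; the case-insensitive matching mirrors how Splunk compares field values.

```python
import re
from collections import Counter

# Constructed sample Sysmon records (EventCode 7 = image loaded, 3 = network
# connection) for the demo; these are not real telemetry.
IMAGE_LOAD_EVENTS = [
    {"EventCode": 7, "host": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventCode": 7, "host": "ws01", "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"EventCode": 7, "host": "ws02", "Image": r"C:\Users\bob\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\dbghelp.dll"},
    {"EventCode": 7, "host": "ws02", "Image": r"C:\Users\bob\Downloads\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventCode": 3, "host": "ws02", "Image": r"C:\Users\bob\Downloads\tool.exe",
     "DestinationIp": "192.0.2.10"},
]


def splunk_wildcard_to_regex(pattern):
    """Translate a Splunk field wildcard such as *\\Users\\* into an anchored regex.
    Only '*' is special; everything else is literal. Splunk compares field values
    case-insensitively, so the regex is compiled with IGNORECASE."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def field_matches(event, field, pattern):
    """field=pattern as typed in the search bar: a missing field never matches."""
    value = event.get(field)
    return value is not None and splunk_wildcard_to_regex(pattern).match(value) is not None


def suspicious_image_loads(events):
    """EventCode=7 ImageLoaded=*\\Users\\* NOT ImageLoaded=*\\System32\\*"""
    return [e for e in events
            if e.get("EventCode") == 7
            and field_matches(e, "ImageLoaded", r"*\Users\*")
            and not field_matches(e, "ImageLoaded", r"*\System32\*")]


def trusted_image_loading_user_dll(events):
    """Tighter variant: the loading process itself lives outside the user profile,
    e.g. an installed application picking up a DLL from a user-writable folder,
    which is the classic DLL search-order hijack shape."""
    return [e for e in suspicious_image_loads(events)
            if not field_matches(e, "Image", r"*\Users\*")]


def count_by_host(events):
    """| stats count by host"""
    return dict(Counter(e["host"] for e in events))


if __name__ == "__main__":
    hits = suspicious_image_loads(IMAGE_LOAD_EVENTS)
    for e in hits:
        print(e["host"], e["Image"], "->", e["ImageLoaded"])
    print(count_by_host(hits))
    print("tighter:", [e["ImageLoaded"] for e in trusted_image_loading_user_dll(IMAGE_LOAD_EVENTS)])
```

Note the tighter variant: a tool in Downloads loading its own DLL from Downloads is noisy and usually benign, whereas an application installed under Program Files loading a DLL from a Temp folder is the shape worth triaging first.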
stats
Counts the occurrences of each value of a field, in this case "EventCode"
index="windows" sourcetype="WinEventLog:Security" | stats count by EventCode
Table
Display results in tabular format with only the listed fields
index="windows" EventCode=4624 | table _time, ComputerName, AccountName
Top
Return the most common values of a field
index="windows" sourcetype="sysmon" | top Image
Sort
Order results by a specific field (a leading - sorts descending, here newest first)
index="windows" sourcetype="WinEventLog:Security" | sort -_time
rex extracts new fields from existing ones using regular expressions. The new field's name comes from a named capture group, so the pattern must contain one (here b64); rex reads _raw unless you give it field=<name>
index="network_logs" | rex "(?i)(?<b64>[A-Za-z0-9+/]{30,}(={1,2})?)"
index="network_logs"
We're searching within the "network_logs" index.
rex "(?i)(?<b64>[A-Za-z0-9+/]{30,}(={1,2})?)"
This regex pattern aims to find potential Base64 encoded strings and stores each match in a field named b64.
(?i)
Makes the regex case-insensitive.
(?<b64> ... )
Named capture group; whatever it matches becomes the value of the b64 field.
[A-Za-z0-9+/]{30,}
Matches a sequence of Base64 characters. The {30,} requires the sequence to be at least 30 characters long (this length can be adjusted based on your specific context).
(={1,2})?
Matches one or two equal signs at the end, which are common in Base64 padding. The ? means this part is optional.
Note: hex digests (MD5, SHA-1, SHA-256) use only [0-9a-f] and are long enough to match this pattern too, so expect those as false positives.
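Worked example (added here, not part of the original gist): the Base64 rex pattern above run in Python over three constructed log lines, with a strict decode step and a triage heuristic to show why a long hex digest matches the regex and decodes cleanly yet is not Base64. The log lines, the encoded payload and the is_plausible_base64 heuristic are all constructed for this demo; the only Splunk-specific difference is that Python spells the named group (?P<b64>...) where rex spells it (?<b64>...).

```python
import base64
import binascii
import re

# Same pattern as the rex command; Python spells the named group (?P<b64>...),
# Splunk's rex spells it (?<b64>...).
BASE64_RE = re.compile(r"(?i)(?P<b64>[A-Za-z0-9+/]{30,}(?:={1,2})?)")

# Constructed sample: a payload encoded here so the expected decode is known.
SAMPLE_B64 = base64.b64encode(b"constructed sample payload for the regex demo").decode()

# Constructed log lines (not real traffic). Line 3 carries the hex SHA-1 of the
# empty string, a classic false positive for this pattern.
SAMPLE_LOGS = [
    f"2024-01-01T10:00:00Z src=10.0.0.5 uri=/api/v1/upload body={SAMPLE_B64}",
    "2024-01-01T10:00:01Z src=10.0.0.6 uri=/static/app.js status=200",
    "2024-01-01T10:00:02Z src=10.0.0.7 file_sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709",
]


def extract_candidates(line):
    """What rex would put into the b64 field for this event (all matches)."""
    return [m.group("b64") for m in BASE64_RE.finditer(line)]


def decode_candidate(candidate):
    """Strict decode: bad length, alphabet or padding returns None."""
    if len(candidate) % 4:
        return None
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_plausible_base64(candidate):
    """Triage heuristic (constructed here, not a Splunk feature): hex digests only
    use 0-9 and a-f, so demand at least one character outside that set before
    treating a decodable match as Base64."""
    return decode_candidate(candidate) is not None and re.search(r"[g-zG-Z+/]", candidate) is not None


def scan(lines):
    """Return (line, candidate, plausible) for every match across the log lines."""
    return [(line, c, is_plausible_base64(c)) for line in lines for c in extract_candidates(line)]


if __name__ == "__main__":
    for line, cand, plausible in scan(SAMPLE_LOGS):
        print(f"{'BASE64' if plausible else 'ignore'} {cand[:24]}... in: {line[:40]}")
```

The decode step alone does not separate the two cases: 40 hex characters are a multiple of four and sit inside the Base64 alphabet, so b64decode accepts them. That is why the heuristic looks at the character set rather than at whether decoding succeeds.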
Lookup
Uses external sources (lookup tables) for enrichment. The lookup command takes the lookup name followed by the event field to match against; the field is shown as a placeholder below
index="windows" "seatbelt.exe" | lookup IOCs.txt <hash_field>
IOCs.txt may contain hashes
index="network_logs" | lookup bad_domains.txt <domain_field>
index="web_logs" | lookup suspicious_user_agents.txt <user_agent_field>
index="endpoint_logs" | lookup malicious_processes.txt <process_field>
transaction
Group related events together into one result. maxspan limits how far apart the first and last event may be; startswith and endswith mark the opening and closing event of each group
Grouping Process Creation and Termination by Process ID
index="sysmon" (EventCode=1 OR EventCode=5) | transaction ProcessId maxspan=5m startswith="EventCode=1" endswith="EventCode=5" | table _time, host, ProcessId, Image, CommandLine, ParentImage, ParentCommandLine
Windows reuses process IDs, which is why maxspan matters here; Sysmon's ProcessGuid is unique per process instance and is the safer key when it is available

Network Connection Correlation with Process Creation:
index="sysmon" (EventCode=1 OR EventCode=3) | transaction ProcessId maxspan=1m startswith="EventCode=1" endswith="EventCode=3" | table _time, host, Image, DestinationIp, DestinationPort, Protocol
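Worked example (added here, not part of the original gist): a simplified Python model of the two transaction searches above, run over constructed Sysmon-style events. It opens a group on EventCode=1, closes it on the first EventCode=5 (or 3) for the same ProcessId within maxspan, merges the fields the way the table command would then see them, and shows why maxspan matters when the same ProcessId is reused an hour later by an unrelated process. The events, host name and paths are made up, and the transaction function is a teaching approximation of Splunk's command rather than its implementation.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (EventCode 1 = process create, 3 = network
# connection, 5 = process terminate); not real telemetry. The last two events
# show the same ProcessId reused an hour later by an unrelated process.
PROCESS_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "host": "ws01", "EventCode": 1, "ProcessId": 4242,
     "Image": r"C:\Users\bob\Downloads\tool.exe", "CommandLine": "tool.exe -run",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"_time": "2024-01-01T10:00:20", "host": "ws01", "EventCode": 3, "ProcessId": 4242,
     "Image": r"C:\Users\bob\Downloads\tool.exe", "DestinationIp": "192.0.2.10",
     "DestinationPort": 443, "Protocol": "tcp"},
    {"_time": "2024-01-01T10:02:00", "host": "ws01", "EventCode": 5, "ProcessId": 4242,
     "Image": r"C:\Users\bob\Downloads\tool.exe"},
    {"_time": "2024-01-01T11:00:00", "host": "ws01", "EventCode": 1, "ProcessId": 4242,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"_time": "2024-01-01T11:09:00", "host": "ws01", "EventCode": 5, "ProcessId": 4242,
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def transaction(events, field, maxspan, starts_with, ends_with):
    """Simplified model of Splunk's transaction command: per value of `field`,
    open a group on an event satisfying starts_with and close it on the first
    later event satisfying ends_with, as long as the whole group fits in maxspan.
    Fields of the grouped events are merged (first value wins) and duration and
    eventcount are added, as Splunk does. Groups that never close are dropped
    here (Splunk drops them too unless keepevicted=true)."""
    open_groups = {}
    results = []
    for event in sorted(events, key=lambda e: parse_time(e["_time"])):
        key = event[field]
        now = parse_time(event["_time"])
        if starts_with(event):
            open_groups[key] = {"start": now, "events": [event]}
            continue
        group = open_groups.get(key)
        if group is None:
            continue
        if now - group["start"] > maxspan:
            del open_groups[key]  # too far from the opening event: not the same process instance
            continue
        group["events"].append(event)
        if ends_with(event):
            merged = {}
            for ev in group["events"]:
                for k, v in ev.items():
                    merged.setdefault(k, v)
            merged["duration"] = (now - group["start"]).total_seconds()
            merged["eventcount"] = len(group["events"])
            results.append(merged)
            del open_groups[key]
    return results


def process_lifetimes(events):
    """transaction ProcessId maxspan=5m startswith="EventCode=1" endswith="EventCode=5" """
    return transaction(events, "ProcessId", timedelta(minutes=5),
                       lambda e: e["EventCode"] == 1, lambda e: e["EventCode"] == 5)


def process_to_network(events):
    """transaction ProcessId maxspan=1m startswith="EventCode=1" endswith="EventCode=3" """
    return transaction(events, "ProcessId", timedelta(minutes=1),
                       lambda e: e["EventCode"] == 1, lambda e: e["EventCode"] == 3)


def table(rows, *fields):
    """| table field, field, ..."""
    return [{f: r.get(f) for f in fields} for r in rows]


if __name__ == "__main__":
    for row in table(process_lifetimes(PROCESS_EVENTS), "_time", "host", "ProcessId", "Image", "duration", "eventcount"):
        print(row)
    for row in table(process_to_network(PROCESS_EVENTS), "_time", "host", "Image", "DestinationIp", "DestinationPort", "Protocol"):
        print(row)
```

Only the tool.exe lifetime and its network connection survive: the notepad.exe pair shares the ProcessId but its terminate event falls outside maxspan, so it is not merged into a false 9-minute transaction with the earlier process.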
Set the time range as usual, then (eventcount is a generating command, so it starts with a pipe):
| eventcount summarize=false index=* | table index
List available indexes
Find the 10 rarest Sysmon event codes (types).
This can help identify abnormal Sysmon events that do not occur often.
index="sysmon" | rare limit=10 EventCode

Rare Image Executions in Sysmon
index="sysmon" EventCode=1 | rare limit=10 Image

Least common network destinations (DestinationIp is the Sysmon EventCode=3 destination field).
Could help spot slow C2 channel callbacks, i.e. beaconing to a destination that few events ever reference
index="sysmon" EventCode=3 | rare limit=10 DestinationIp