@faststeak
faststeak / gist:5cf00f17cc1aeeb2c86fdc8392d44b4f
Last active November 3, 2017 18:45
A nice DNS search for Splunk
| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src
| eval query_punct=query
| rex mode=sed field=query_punct "s/\w+//g"
| search NOT query_punct="--.-.----"
| `ut_shannon(query)`
| stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src
| where ut_shannon_sum<1000
| sort - ut_shannon_sum
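To see what this search actually scores, here is an added Python re-implementation of its pipeline run over a few constructed (query, src) rows; it is not part of the gist and not URL Toolbox code. It assumes `ut_shannon` computes base-2 character-level Shannon entropy, that the `NOT DNS.query=...` exclusions and the `--.-.----` punctuation filter behave as written (the `SomeHostNames*` placeholder is left out), and the hostnames and source addresses are made up.

```python
import math
import re
from collections import defaultdict

# Constructed rows, shaped like the output of the tstats/rename stage of the
# search (one row per query/src pair). Made-up names, not real DNS logs.
SAMPLE_ROWS = [
    {"query": "www.example.com", "src": "10.0.0.5"},
    {"query": "mail.example.com", "src": "10.0.0.5"},
    {"query": "srv-1-a.us-east.corp-net-dns-cache-1", "src": "10.0.0.5"},  # punct "--.-.----", dropped
    {"query": "a9x7q2m4k1z8p3w6.tunnel.example", "src": "10.0.0.9"},
    {"query": "t5k2j9q8w1e4r7y0.tunnel.example", "src": "10.0.0.9"},
    {"query": "_ldap._tcp.dc.example.com", "src": "10.0.0.9"},  # dropped by the tstats where clause
]


def shannon(s: str) -> float:
    """Character-level Shannon entropy in bits (assumed to match URL Toolbox's ut_shannon)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def punct_pattern(query: str) -> str:
    """Equivalent of `rex mode=sed field=query_punct "s/\\w+//g"`: keep only the separators."""
    return re.sub(r"\w+", "", query)


def excluded_by_where(query: str) -> bool:
    """The NOT DNS.query=... filters from the tstats where clause."""
    return query.endswith(".arpa") or query.startswith(("_ldap", "_gc", "_kerberos"))


def entropy_by_src(rows, skip_pattern="--.-.----", max_sum=1000.0):
    """stats sum(ut_shannon) values(query) by src | where ut_shannon_sum<max_sum | sort - ut_shannon_sum."""
    per_src = defaultdict(lambda: {"ut_shannon_sum": 0.0, "query": set()})
    for row in rows:
        q = row["query"]
        if excluded_by_where(q) or punct_pattern(q) == skip_pattern:
            continue
        per_src[row["src"]]["ut_shannon_sum"] += shannon(q)
        per_src[row["src"]]["query"].add(q)
    results = [
        {"src": src, "ut_shannon_sum": round(v["ut_shannon_sum"], 4), "query": sorted(v["query"])}
        for src, v in per_src.items()
        if v["ut_shannon_sum"] < max_sum
    ]
    return sorted(results, key=lambda r: r["ut_shannon_sum"], reverse=True)


if __name__ == "__main__":
    for r in entropy_by_src(SAMPLE_ROWS):
        print(r["src"], r["ut_shannon_sum"], r["query"])
```

The source making the two long random-looking labels ends up on top because the score is a per-source sum: many distinct queries from one host add up even when each one is ordinary, so the `where ut_shannon_sum<1000` clause mostly trims resolvers and proxies rather than isolating tunnelling; pair the sum with the query count (or average entropy per query) before treating a high score as suspicious.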
@faststeak
faststeak / gist:00fe3e2819d9a99cd20155f10ca3dc10
Last active October 31, 2017 16:26
Splunk - Create a list of host to mac pairs and output to a csv
index=windows sourcetype=WinHostMon source=networkadapter
| stats count by host MACAddress
| rename MACAddress as mac host as hostname
| outputlookup windows_mac_addresses.csv
@faststeak
faststeak / gist:e5c777e5610606286f4d66507f0f7e8b
Created October 31, 2017 18:11
Splunk - Search to generate host|interface|ip|mac table with osquery data
index=osquery sourcetype="osquery:interface*" NOT interface=lo
| rename address AS ip
| stats values(ip) as ip values(mac) as mac by host interface
| stats count by host interface ip mac
@faststeak
faststeak / gist:6da3d1e4c28215599a2826670a12dcb2
Last active November 1, 2017 19:42
Splunk - Average events per second for a specific host
index=_internal source=*metrics.log earliest=-1h group=per_host_thruput series="<your_host>" component=Metrics
| timechart span=1m avg(eps) as avg_eps
# Another try:
| metasearch index=<your_index> host=<your host> | streamstats count as s_count time_window=1m | timechart span=1m@m avg(s_count) as avg_count
@faststeak
faststeak / gist:6446828b64688d8aad211703024d619c
Created November 3, 2017 16:37
Splunk osquery search to get a list of ip to mac pairs
index=osquery sourcetype=osquery:interface* NOT address=127.0.0.1 NOT address="::1" NOT mac=00:00:00:00:00:00 | stats values(address) as address values(mac) as mac by host interface | mvexpand mac
@faststeak
faststeak / gist:f86839f54b8cd6b0423773b7960f6cf8
Created November 3, 2017 19:45
Splunk search for deleted systems from Active Directory data
index=msad earliest=-1y sourcetype=activedirectory Computer
| makemv delim="|" objectClass
| search objectClass=computer
| makemv delim="|" memberOf
| makemv delim="|" servicePrincipalName
| stats last(objectClass) as objectClass last(distinguishedName) as distinguishedName last(sAMAccountName) as sAMAccountName last(cn) as cn last(userAccountControl) as userAccountControl last(isDisabled) as isDisabled last(isDeleted) as isDeleted last(whenChanged) as whenChanged last(whenCreated) as whenCreated last(dNSHostName) as dNSHostName last(operatingSystem) as operatingSystem by objectSid
| search isDeleted=True
| eval nt_host=if(like(operatingSystem,"Windows%"), (upper(substr(sAMAccountName, 1, len(sAMAccountName)-1))), null())
@faststeak
faststeak / gist:a2a0a74fe22343cc7d7c0a778f1df824
Created November 6, 2017 21:47
Splunk ML Toolkit - Preliminary search to look for missing or low event sourcetypes
| tstats count where index=* AND source="/data/syslog/raw/*" by _time sourcetype host span=1m
| streamstats avg(count) as events_avg time_window=1m
| eventstats median("events_avg") as median p25("events_avg") as p25 p75("events_avg") as p75 by "host", "sourcetype"
| eval IQR=(p75-p25)
| eval lowerBound=(median-IQR*exact(3)), upperBound=(median+IQR*exact(3))
| eval isOutlier=if('events_avg' < lowerBound, 1, 0)
| `splitby("host", "sourcetype")`
| fields _time, "events_avg", lowerBound, upperBound, isOutlier, *
| search isOutlier=1
| stats latest(isOutlier) as isOutlier by _time host sourcetype
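The median/IQR threshold in this search is easy to get wrong in the head, so here is an added Python re-implementation of the eventstats/eval stage run over constructed per-minute counts; it is not part of the gist or of the ML Toolkit. It assumes Splunk's `median`, `p25` and `p75` use the nearest-rank percentile method, and that the 1-minute `streamstats` window over 1-minute `tstats` buckets is just the bucket count itself; the host names and counts are made up.

```python
import math

# Constructed per-minute event counts for two host/sourcetype pairs, the shape
# `tstats count ... by _time sourcetype host span=1m` returns. Not real data:
# syslog-01 runs at ~100 events/min and then goes almost silent for 3 minutes.
SAMPLE_COUNTS = {
    ("syslog-01", "syslog"): [98, 101, 99, 103, 100, 97, 102, 100, 99, 101, 2, 0, 1],
    ("syslog-02", "syslog"): [50, 52, 49, 51, 50, 48, 53, 50, 49, 51, 50, 52, 49],
}


def perc(values, p):
    """Nearest-rank percentile; assumed to match Splunk's median/p25/p75."""
    s = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(s)))
    return s[rank - 1]


def iqr_low_outliers(counts, k=3):
    """For each host/sourcetype, flag minute indexes whose count is below median - k*IQR.

    Mirrors the eventstats/eval/isOutlier stage of the search; only the lower
    bound is checked, as in the search, because the goal is missing data.
    """
    flagged = {}
    for key, series in counts.items():
        median, p25, p75 = perc(series, 50), perc(series, 25), perc(series, 75)
        lower = median - k * (p75 - p25)
        flagged[key] = [i for i, c in enumerate(series) if c < lower]
    return flagged


if __name__ == "__main__":
    for (host, sourcetype), minutes in iqr_low_outliers(SAMPLE_COUNTS).items():
        print(host, sourcetype, "low-volume minutes:", minutes)
```

For syslog-01 the median is 99 and the IQR is 4, so the lower bound is 87 and the three quiet minutes are flagged. One caveat worth checking on real data: a source with a perfectly constant rate has IQR 0, so the lower bound equals the median and any single-event dip fires; a small floor such as `max(IQR, 1)` in the `eval` avoids that.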
@faststeak
faststeak / gist:b75aca9770e7096a8e09eb47e12b984d
Created November 9, 2017 17:16
Splunk Deployment Server - Search to find server class, app, and client info
| rest splunk_server=local /services/deployment/server/clients
| fields applications.*, title,clientName, dns, ip, instanceName
| foreach applications.*.archive
[ eval apps=mvappend(apps, '<<FIELD>>')]
| foreach applications.*.serverclasses
[ eval serverClass=mvappend(serverClass, '<<FIELD>>')]
| fields apps, serverClass, title, clientName, dns, ip, instanceName
| rex field=apps max_match=100 "(?<app_name>[^\/]+)-\d+\.bundle"
| fields - apps
| stats dc(app_name) values(*) AS * by title
@faststeak
faststeak / gist:be0e26aeca07143c32d230dc2b71b637
Last active November 15, 2017 18:19
Splunk Correlation Search - User authenticates to more than 20 unique systems (select an appropriate time period)
| tstats summariesonly=t dc(Authentication.dest) AS Unique_Destinations from datamodel=Authentication.Authentication WHERE NOT [|inputlookup high_volume_auth_whitelist.csv | rename user AS Authentication.user] by Authentication.user
| `drop_auth_dm`
| search Unique_Destinations>20
@faststeak
faststeak / gist:dd55c43dbf047ea56ab892701cb79d3a
Created November 15, 2017 00:01
Splunk - Correlation Search starter for user authenticating to multiple hosts in a short time period
| tstats summariesonly=t dc(Authentication.dest) from datamodel=Authentication.Authentication by Authentication.user,_time span=5m
| `drop_auth_dm`
| eventstats avg("dc(Authentication.dest)") as avg stdev("dc(Authentication.dest)") as stdev by "user"
| eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(4))
| eval isOutlier=if('dc(Authentication.dest)' < lowerBound OR 'dc(Authentication.dest)' > upperBound, 1, 0)
| search isOutlier=1
| eval myTime=relative_time(now(), "-15m@m")
| eval time=_time
| where time>=myTime
| fields - avg,lowerBound,myTime,time
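Because `eventstats` computes the baseline over every bucket in the search window, including the one being tested, it pays to check what this starter can and cannot fire on. The following is an added Python re-implementation of the eventstats/eval/relative_time stages run over constructed per-user 5-minute buckets; it is not part of the gist. It assumes Splunk's `stdev` is the sample standard deviation and that `relative_time(now(), "-15m@m")` snaps to the minute; the user names and counts are made up.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible; the search uses now() at run time.
NOW = datetime(2017, 11, 15, 0, 0, tzinfo=timezone.utc)


def bucket(minutes_ago):
    """Start time of a 5-minute bucket, minutes_ago before NOW."""
    return NOW - timedelta(minutes=minutes_ago)


# Constructed per-user values of dc(Authentication.dest) per 5-minute bucket,
# the rows `tstats ... by Authentication.user,_time span=5m` would return:
# 24 baseline buckets (125..10 minutes ago) plus one current bucket per user.
MINUTES_AGO = list(range(125, 5, -5))
ALICE_BASELINE = [1, 2, 1, 2, 1, 3, 2, 1, 2, 1, 1, 2, 1, 2, 3, 1, 2, 1, 2, 1, 1, 2, 1, 2]
BOB_VALUES = ALICE_BASELINE[:13] + [40] + ALICE_BASELINE[14:]        # spike 60 minutes ago
SVC_VALUES = [30, 31, 29, 30, 32, 29, 30, 31, 29, 30, 30, 31] * 2    # noisy but steady
SAMPLE_BUCKETS = (
    [("alice", bucket(m), v) for m, v in zip(MINUTES_AGO, ALICE_BASELINE)] + [("alice", bucket(5), 40)]
    + [("bob", bucket(m), v) for m, v in zip(MINUTES_AGO, BOB_VALUES)] + [("bob", bucket(5), 1)]
    + [("svc_backup", bucket(m), v) for m, v in zip(MINUTES_AGO, SVC_VALUES)] + [("svc_backup", bucket(5), 33)]
)


def outliers(buckets, lower_k=2, upper_k=4):
    """eventstats avg/stdev by user, then the isOutlier eval on every bucket.

    The baseline deliberately includes the bucket being tested, as eventstats does.
    """
    by_user = defaultdict(list)
    for user, _, dc in buckets:
        by_user[user].append(dc)
    bounds = {}
    for user, vals in by_user.items():
        avg = statistics.mean(vals)
        sd = statistics.stdev(vals) if len(vals) > 1 else 0.0
        bounds[user] = (avg - lower_k * sd, avg + upper_k * sd)
    return [(user, t, dc) for user, t, dc in buckets
            if dc < bounds[user][0] or dc > bounds[user][1]]


def recent_outliers(buckets, now=NOW, lookback_minutes=15):
    """where time >= relative_time(now(), "-15m@m"): keep only the last 15 minutes."""
    cutoff = (now - timedelta(minutes=lookback_minutes)).replace(second=0, microsecond=0)
    return [row for row in outliers(buckets) if row[1] >= cutoff]


if __name__ == "__main__":
    for user, t, dc in recent_outliers(SAMPLE_BUCKETS):
        print(f"{t:%H:%M} {user} reached {dc} distinct destinations in 5 minutes")
```

Alice's 40-destination bucket fires, svc_backup's 33 does not because its baseline is high and only mildly noisy, and bob's identical spike an hour ago is scored as an outlier but dropped by the 15-minute filter. The window size matters more than it looks: since the spike is part of its own baseline, a single spike among n buckets for one user can never exceed (n-1)/sqrt(n) sample standard deviations, so with `avg+stdev*4` nothing can fire unless the user has at least 18 buckets (90 minutes at `span=5m`) in the search window; users who only appear during the spike itself are invisible to this check, and a short search window silently disables it for everyone.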