faststeak

IPAM and CMDB software

HaCi http://haci.larsux.de/ - 2015-03
- IPAM only, v4/v6, multiple POPs, uses templates, space visualization
GestioIP https://www.gestioip.net/ - 2019-10

	\| rest splunk_server_group=dmc_group_cluster_master /services/cluster/master/indexes
	\| fields title, is_searchable, replicated_copies_tracker, searchable_copies_tracker, num_buckets, index_size
	\| rename replicated_copies_tracker.. as rp*, searchable_copies_tracker..* as sb**
	\| eval replicated_data_copies = ""
	\| foreach rp*actual_copies_per_slot [eval replicated_data_copies = replicated_data_copies." ".rp<<MATCHSTR>>actual_copies_per_slot."/".rp<<MATCHSTR>>expected_total_per_slot]
	\| makemv replicated_data_copies
	\| eval searchable_data_copies = ""
	\| foreach sb*actual_copies_per_slot [eval searchable_data_copies = searchable_data_copies." ".sb<<MATCHSTR>>actual_copies_per_slot."/".sb<<MATCHSTR>>expected_total_per_slot]
	\| makemv searchable_data_copies
	\| eval is_searchable = if((is_searchable == 1) or (is_searchable == "1"), "Yes", "No")

	sourcetype=WinEventLog:Security OR sourcetype="wineventlog:forwardedevents" EventCode=4625 Failure_Reason="Unknown user name or bad password." Logon_Process=NTLMSSP
	\| rex field=_raw "Account For Which Logon Failed:(?:[\r\n].?)?Account Name:\s+(?<Failed_Account_Name>.+)\s+"
	\| bucket _time span=1min
	\| stats count values(EventCode) AS failed_login, dc(Failed_Account_Name) AS distinct_user, values(Logon_Process) AS Logon_Process values(Caller_Process_Name) AS Caller_Process_Name by _time,src_ip,src
	\| where distinct_user > 10s

	# Assumes the presence of SA-Netops (the normalize macro).
	# Configured for Stream data as written

	index=dhcp chaddr=* ciaddr=* NOT (ciaddr="0.0.0.0" OR ciaddr=169.254.*)
	\| streamstats earliest(_time) as earliest_time latest(_time) as latest_time latest(chaddr) as latest_mac latest(ciaddr) as latest_ip by chaddr ciaddr reset_on_change=true
	\| stats min(earliest_time) as start_time max(latest_time) as end_time by latest_mac latest_ip
	\| rename latest_mac AS mac latest_ip as ip
	\| `normalize_mac_address(mac)`
	\| inputlookup dhcp_lookup append=t
	\| stats dc(mac) as mac_count values() as by ip

	# Needs time and host components

	\| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.src_user Authentication.user \| rename Authentication.* as * \| stats dc(user) as user_count values(user) as users by src_user

	# Base tstats search to get the initial data
	\| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.action Authentication.src Authentication.dest Authentication.src_user Authentication.user Authentication.signature Authentication.signature_id

	SELECT p.pid, p.name, p.state, u.username, lp.*
	FROM processes p
	INNER JOIN listening_ports lp
	ON lp.pid = p.pid
	INNER JOIN users u
	ON u.uid = p.uid;

	SELECT u.username,
	g.groupname
	FROM users u

	## Any DMs returned are using a lookup, so those lookups need to be on the indexers.
	\| rest splunk_server=local /services/datamodel/acceleration\| fields title search \| eval contains_lookup=if(like(search, "%lookup%"),1,0) \| eval contains_lookup=case(contains_lookup=1,"yes",contains_lookup=0,"no")\| table title search contains_lookup \| search contains_lookup=yes

	index=winevents sourcetype=WinEventLog:Security EventCode=4625 NOT(user=*$ OR host="insert Domain Controllers here") Failure_Reason="Unknown user name or bad password."
	\| bin span=30m _time
	\| stats min(_time) as firstTime max(_time) as lastTime count dc(user) as user_count values(user) as user_logon_attempts values(Source_Network_Address) as Source_Network_Addresses by host Logon_Type Failure_Reason
	\| fields firstTime lastTime host Logon_Type Failure_Reason user_count user_logon_attempts Source_Network_Addresses
	\| convert ctime(firstTime), ctime(lastTime)

	\| where user_count>50

	\| eval user_logon_attempts=mvjoin(user_logon_attempts, ", ")
	\| eval user_logon_attempts=substr(user_logon_attempts, 0, 500)