faststeak’s gists

faststeak / gist:66768507a3c2f7833ca3aad0f6d6b557

Last active January 4, 2018 16:20

Splunk search for Cisco ACS data, shows users/device connections to APs

	index=firewall sourcetype="cisco:acs" eventtype=cisco_acs_auth_events
	\| streamstats values(message) as message by message_id
	\| eval message=mvjoin(message, ",")
	\| stats values(UserName) as UserName values(User_Name) as User_Name values(Called_Station_ID) as Called_Station_ID by Calling_Station_ID

faststeak / gist:00329232e83943a8a5074e3b2c44d936

Created December 11, 2017 16:20

Splunk - quick search to get a list of deployment server apps with corresponding server classes

	\| rest splunk_server=local /services/deployment/server/applications
	\| fields title id serverclasses
	\| where isnotnull(serverclasses)
	\| mvexpand serverclasses

faststeak / gist:e17915132f4d364d627764204c74e36c

Last active December 11, 2017 18:18

Splunk search for determining which apps are being managed from a deployment server, and which server class is associated with the app

	\| rest splunk_server=local /services/deployment/client/config
	\| fields serverClasses
	\| mvexpand serverClasses
	\| rex field=serverClasses "(?<serverClass>[^:]+):(?<app>\S+)"
	\| fields serverClass app

faststeak / gist:dd55c43dbf047ea56ab892701cb79d3a

Created November 15, 2017 00:01

Splunk - Correlation Search starter for user authenticating to multiple hosts in a short time period

	\| tstats summariesonly=t dc(Authentication.dest) from datamodel=Authentication.Authentication by Authentication.user,_time span=5m
	\| `drop_auth_dm`
	\| eventstats avg("dc(Authentication.dest)") as avg stdev("dc(Authentication.dest)") as stdev by "user"
	\| eval lowerBound=(avg-stdevexact(2)), upperBound=(avg+stdevexact(4))
	\| eval isOutlier=if('dc(Authentication.dest)' < lowerBound OR 'dc(Authentication.dest)' > upperBound, 1, 0)
	\| search isOutlier=1
	\| eval myTime=relative_time(now(), "-15m@m")
	\| eval time=_time
	\| where time>=myTime
	\| fields - avg,lowerBound,myTime,time

faststeak / gist:be0e26aeca07143c32d230dc2b71b637

Last active November 15, 2017 18:19

Splunk Correlation Search - User authenticates to more than 20 unique systems (select an appropriate time period)

	\| tstats summariesonly=t dc(Authentication.dest) AS Unique_Destinations from datamodel=Authentication.Authentication WHERE NOT [\|inputlookup high_volume_auth_whitelist.csv \| rename user AS Authentication.user] by Authentication.user
	\| `drop_auth_dm`
	\| search Unique_Destinations>20

faststeak / gist:b75aca9770e7096a8e09eb47e12b984d

Created November 9, 2017 17:16

Splunk Deployment Server - Search to find server class, app, and client info

	\| rest splunk_server=local /services/deployment/server/clients
	\| fields applications.*, title,clientName, dns, ip, instanceName
	\| foreach applications.*.archive
	[ eval apps=mvappend(apps, '<<FIELD>>')]
	\| foreach applications.*.serverclasses
	[ eval serverClass=mvappend(serverClass, '<<FIELD>>')]
	\| fields apps, serverClass, title, clientName, dns, ip, instanceName
	\| rex field=apps max_match=100 "(?<app_name>[^\/]+)-\d+\.bundle"
	\| fields - apps
	\| stats dc(app_name) values() AS by title

faststeak / gist:a2a0a74fe22343cc7d7c0a778f1df824

Created November 6, 2017 21:47

Splunk ML Toolkit - Preliminary search to look for missing or low event sourcetypes

	\| tstats count where index=* AND source="/data/syslog/raw/*" by _time sourcetype host span=1m
	\| streamstats avg(count) as events_avg time_window=1m
	\| eventstats median("events_avg") as median p25("events_avg") as p25 p75("events_avg") as p75 by "host", "sourcetype"
	\| eval IQR=(p75-p25)
	\| eval lowerBound=(median-IQRexact(3)), upperBound=(median+IQRexact(3))
	\| eval isOutlier=if('events_avg' < lowerBound, 1, 0)
	\| `splitby("host", "sourcetype")`
	\| fields _time, "events_avg", lowerBound, upperBound, isOutlier, *
	\| search isOutlier=1
	\| stats latest(isOutlier) as isOutlier by _time host sourcetype

faststeak / gist:f86839f54b8cd6b0423773b7960f6cf8

Created November 3, 2017 19:45

Splunk search for deleted systems from Active Directory data

	index=msad earliest=-1y sourcetype=activedirectory Computer
	\| makemv delim="\|" objectClass
	\| search objectClass=computer
	\| makemv delim="\|" memberOf
	\| makemv delim="\|" servicePrincipalName
	\| stats last(objectClass) as objectClass last(distinguishedName) as distinguishedName last(sAMAccountName) as sAMAccountName last(cn) as cn last(userAccountControl) as userAccountControl last(isDisabled) as isDisabled last(isDeleted) as isDeleted last(whenChanged) as whenChanged last(whenCreated) as whenCreated last(dNSHostName) as dNSHostName last(operatingSystem) as operatingSystem by objectSid
	\| search isDeleted=True
	\| eval nt_host=if(like(operatingSystem,"Windows%"), (upper(substr(sAMAccountName, 1, len(sAMAccountName)-1))), null)

faststeak / gist:6446828b64688d8aad211703024d619c

Created November 3, 2017 16:37

Splunk osquery search to get a list of ip to mac pairs

index=osquery sourcetype=osquery:interface* NOT address=127.0.0.1 NOT address="::1" NOT mac=00:00:00:00:00:00 | stats values(address) as address values(mac) as mac by host interface | mvexpand mac |

faststeak / gist:6da3d1e4c28215599a2826670a12dcb2

Last active November 1, 2017 19:42

Splunk - Average events per second for a specific host

	index=_internal source=*metrics.log earliest=-1h group=per_host_thruput series="<your_host>" component=Metrics
	\| timechart span=1m avg(eps) as avg_eps

	# Another try:

	\| metasearch index=<your_index> host=<your host> \| streamstats count as s_count time_window=1m \| timechart span=1m@m avg(s_count) as avg_count