faststeak
faststeak
/ gist:e5c777e5610606286f4d66507f0f7e8b
Created
October 31, 2017 18:11
Splunk - Search to generate host|interface|ip|mac table with osquery data
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=osquery sourcetype="osquery:interface*" NOT interface=lo | |
| | rename address AS ip | |
| | stats values(*) as * by host | |
| | stats count by host interface ip mac |
faststeak
/ gist:00fe3e2819d9a99cd20155f10ca3dc10
Last active
October 31, 2017 16:26
Splunk - Create a list of host to mac pairs and output to a csv
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=windows sourcetype=WinHostMon source=networkadapter | |
| | stats count by host MACAddress | |
| | rename MACAddress as mac host as hostname | |
| | outputlookup windows_mac_addresses.csv |
faststeak
/ gist:5cf00f17cc1aeeb2c86fdc8392d44b4f
Last active
November 3, 2017 18:45
A nice DNS search for Splunk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| | tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src | |
| | rename DNS.query as query DNS.src as src | |
| | eval query_punct=query | |
| | rex mode=sed field=query_punct "s/\w+//g" | |
| | search NOT query_punct="--.-.----" | |
| | `ut_shannon(query)` | |
| | stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src | |
| | where ut_shannon_sum<1000 | |
| | sort - ut_shannon_sum |
NewerOlder