Nifty Splunk Tips

-


 Just some Splunk Tips and tricks I've found super helpful to have on hand.


Concatenate field1 and 2 as a new field named test.

• | eval test=field1.field2

• | eval test=field1. "optional static text to concatenate" .field2


Using regex to strip the file extension from a URL. Can use this to search for suspicious file types like xap and swf.

• index=au_proxy | rex field=url "\/[\(\)a-zA-Z0-9_-]*?\.(?<ext>[a-z0-9]{2,5})(\?|$)" | search ext=*


Perform a DNS lookup on input domain and output as domainIP.

• | lookup dnslookup clienthost as inputdomain OUTPUT clientip as domainIP


Check the raw events

• | table _raw, source


Ultra Toolbox thingy for parsing subdomain, extensions and filenames from URLs

• | eval list="mozilla" | `ut_parse_extended(url,list)` |


Sexy time formatting

• eval c_time=strftime(_time,"%m/%d/%y%H:%M:%S")


Use the results of one search and pipe it to another

• index=wineventlog EventCode=4624

[search index=firewall dest_port=3389 dest_category=domain_controller src_category!=known_scanner

    | table src] 

| stats values(user) count by src


Join stuff together

• index=firewall dest_port=3389 src_category!="known_scanner" dest_category="domain_controller"

| table src dest_port dest Users

| join type=left src

[search index=wineventlog_sec user!="*$" | stats values(user) AS Users count by src]

| table src dest_port dest Users

| dedup src,dest,Users


Where all the indexes at

•  | tstats count where index=* by index


Include or exclude stuff in a csv

•  NOT [| inputlookup exclusions.csv | fields Web.dest, Web.category, Web.url]


Quick bytes to MB

• |  eval TransferredMB=round((TransferredBytes/1024/1024),3)


Using IN to save time, money, space, and sanity

• Your search here … AND NOT (All_Traffic.dest_port IN (0,7,20,21,22,23,25,53,80,110,123,135,137,139,143,389,443,445,853,993,995,1433,3478,3481,5060,5061,8080,8081,8801,8888,9025))


Append results from different sources

• index=proxy dest="*https://t.co/ERSKjAyW0n" 

| append [search index=firewall subtype=DNS qname="*https://t.co/ERSKjAyW0n" | rename qname AS dest]

| table _time src_ip dest dest_ip action status user transport http_method url useragent filetype threatname refererURL urlclass urlsupercategory urlcategory pagerisk




Popular posts from this blog

Tools and Resources

-
Image
Here's a dump of some my favourite places! Not everything is here but hopefully I can add to it fairly frequently so that it may help you folk passing by! IOC Sites and Breakdowns: https://malware-traffic-analysis.net – EK Blog https://broadanalysis.com – EK Blog https://malwarebreakdown.com – EK Blog https://otx.alienvault.com – Sig sharing https://exchange.xforce.ibmcloud.com – IBMs intel platform https://zerophagemalware.com – EK Blog https://ransomwaretracker.abuse.ch/tracker – Ransomware domain tracker http://blog.dynamoo.com – Spam/phishing blog https://bleepingcomputer.com – Blogs https://blog.malwarebytes.com – Blogs https://any.run - Run samples in browser Hunting Rules and Sigs: https://github.com/Neo23x0/signature-base – Florian Roth's Yara goodies @cyb3rops Guides, Techniques and Learning: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - Reverse shell cheat sheet https://cybrary.it - Free Security courses https://dca.imme...
Read more

Fractional Slash Domains

-
Image
@SighSec and I recently discovered there are more types of homograph symbols you are allowed to use when registering an IDN (Internationalised Domain Name) than expected. These symbols could potentially be used to trick unwary users into following malicious links by making a domain appear as though it were referencing a local file or one on a mapped drive. Background on IDNs IDN Homograph attacks most recently entered mainstream news back in Q2 2017. It was shown that domains could be registered using regular ASCII characters alongside characters from other languages, a feature used to support domain names for countries with different character sets. This presented an issue as it meant that domains could be registered and characters could be swapped out for their doppelgangers (homographs), allowing anyone to register xn--80ak6aa92e.com which when converted almost certainly looks like apple.com! This becomes particularly dangerous when using ASCII characters with diacritics an...
Read more