Splunk

Splunk Bar

* Messages
* Settings
* Activity
* Help
* Find

Search & Reporting

• Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.

C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
/opt/splunk/etc/apps/user-pref/default/user-prefs.conf

• Docs
• Start searching
• Time range picker
• Field to search
• Use field lookups
• Search field lookups

• Splunk Regex

• Tabs

  • Event
  • Patterns
  • Statistics
  • Visualization

Adding Data

• Adding Data Docs

• Settings > Data > Data Inputs contains further sources

• Add data after that via Add Data

Queries

• Metadata
• Metalore

| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount

• Examples
  • Filtering HTTP sites visited for found IP sh index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site

Sigma

• Sigma Repo
• TA-Sigma-Searches
• Conversion
  • E.g. : sigma: APT29 as input

Dashboard

source="<source>" | top limit=5 EventID

• Visualization > choose Chart > "Save As" (top right) > DashboardName

Alerting

• Workflow