killchain-compendium/misc/threat_intelligence/splunk.md

# Splunk


## Splunk Bar
    * Messages
    * Settings
    * Activity
    * Help
    * Find 

## Search & Reporting
* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file. 
```sh
C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
/opt/splunk/etc/apps/user-pref/default/user-prefs.conf
```
* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)

* Tabs
    * Event
    * Patterns
    * Statistics
    * Visualization
 
## Adding Data
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)

* `Settings > Data > Data Inputs` contains further sources
* Add data after that via `Add Data`

## Queries
* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
```sh
| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```

* Examples
    * Filtering HTTP sites visited for found IP
    ```sh
    index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
    ```

## Sigma 
* [Sigma Repo](https://github.com/Neo23x0/sigma)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/)
    * E.g. : `sigma: APT29` as input

## Dashboard
```sh 
source="<source>" | top limit=5 EventID
```
* Visualization > choose Chart > "Save As" (top right) > DashboardName 

## Alerting
* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)
second commit 2021-08-23 01:13:54 +02:00			`# Splunk`


			`## Splunk Bar`
			`* Messages`
			`* Settings`
			`* Activity`
			`* Help`
			`* Find`

			`## Search & Reporting`
			`* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.`
			```sh
			`C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf`
			`/opt/splunk/etc/apps/user-pref/default/user-prefs.conf`
			```
			`* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)`
			`* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)`
			`* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)`
			`* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)`
			`* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)`
			`* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)`
			`* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)`

			`* Tabs`
			`* Event`
			`* Patterns`
			`* Statistics`
			`* Visualization`

			`## Adding Data`
			`* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)`

			* `Settings > Data > Data Inputs` contains further sources
			* Add data after that via `Add Data`

			`## Queries`
			`* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)`
			`* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)`
			```sh
			`\| metadata type=sourcetypes index=botsv2 \| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") \| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") \| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") \| sort - totalCount`
			```

			`* Examples`
			`* Filtering HTTP sites visited for found IP`
			```sh
			`index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" \| dedup site \| table site`
			```

			`## Sigma`
			`* [Sigma Repo](https://github.com/Neo23x0/sigma)`
			`* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)`
			`* [Conversion](https://uncoder.io/)`
			* E.g. : `sigma: APT29` as input

			`## Dashboard`
			```sh
			`source="<source>" \| top limit=5 EventID`
			```
			`* Visualization > choose Chart > "Save As" (top right) > DashboardName`

			`## Alerting`
			`* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)`