killchain-compendium/misc/threat_intelligence/splunk.md

78 lines
2.7 KiB
Markdown
Raw Normal View History

2021-08-23 01:13:54 +02:00
# Splunk
## Splunk Bar
* Messages
* Settings
* Activity
* Help
* Find
2022-11-04 19:45:49 +01:00
## Architectural Components
* __Forwarder__, as an agent
* __Indexer__, receives data from forwarder, normalizes it
* __Search Head__, look into indices
2021-08-23 01:13:54 +02:00
## Search & Reporting
2022-11-04 19:45:49 +01:00
The bread and butter of Splunk. Events can be found and searched here.
2021-08-23 01:13:54 +02:00
* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.
```sh
C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
/opt/splunk/etc/apps/user-pref/default/user-prefs.conf
```
* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)
* Tabs
* Event
* Patterns
* Statistics
* Visualization
## Adding Data
2022-11-04 19:45:49 +01:00
Multiple different log sources can be added as events.
2021-08-23 01:13:54 +02:00
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
* `Settings > Data > Data Inputs` contains further sources
* Add data after that via `Add Data`
## Queries
2022-11-04 19:45:49 +01:00
2021-08-23 01:13:54 +02:00
* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
```sh
| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```
* Examples
* Filtering HTTP sites visited for found IP
```sh
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
```
## Sigma
2022-11-04 19:45:49 +01:00
2021-08-23 01:13:54 +02:00
* [Sigma Repo](https://github.com/Neo23x0/sigma)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/)
* E.g. : `sigma: APT29` as input
## Dashboard
2022-11-04 19:45:49 +01:00
Create visualizations and group them.
2021-08-23 01:13:54 +02:00
```sh
source="<source>" | top limit=5 EventID
```
* Visualization > choose Chart > "Save As" (top right) > DashboardName
## Alerting
2022-11-04 19:45:49 +01:00
2021-08-23 01:13:54 +02:00
* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)