Splunk
Splunk Bar
* Messages
* Settings
* Activity
* Help
* Find
Architectural Components
* __Forwarder__, the agent installed on the source host; collects data and sends it on
* __Indexer__, receives data from forwarders, parses and normalizes it, and stores it in indexes
* __Search Head__, runs searches against the indexes
Search & Reporting
The bread and butter of Splunk. Events can be found and searched here.
- Tip: To land in the Search app automatically after login, edit the user-prefs.conf file:
C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf
Tabs
- Event
- Patterns
- Statistics
- Visualization
Adding Data
Many different log sources can be added as inputs; their records then show up as events.
- Settings > Data > Data Inputs lists the available input types; add a new source afterwards via Add Data.
Queries
| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
- Examples
- Filtering the HTTP sites visited by a found IP:
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
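As an added example (not part of the original notes), the HTTP filter above extended into a per-site summary for the same host. The index and IP come from the notes; the field names src_ip, uri_path, status and http_user_agent are assumed to be those the Splunk Stream HTTP sourcetype extracts.

```spl
index="botsv2" sourcetype="stream:HTTP" src_ip="10.0.2.101"
| stats count AS requests
        dc(uri_path) AS distinct_paths
        values(status) AS status_codes
        values(http_user_agent) AS user_agents
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY site
| eval first_seen=strftime(first_seen,"%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| sort - requests
```

Sorting by request count surfaces the sites the host talked to most; a site with many requests but a single user agent and unusual status codes is worth a closer look. Swap src_ip for dest_ip to get the same summary for clients reaching a server.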
Sigma
- Sigma Repo
- TA-Sigma-Searches
- Conversion
- E.g.: sigma: APT29 as input
- E.g. :
Dashboard
Create visualizations and group them.
source="<source>" | top limit=5 EventID
- Visualization tab > choose a Chart > "Save As" (top right) > Dashboard panel > enter DashboardName