
Splunk

Splunk Bar

* Messages
* Settings
* Activity
* Help
* Find

Architectural Components

* __Forwarder__, the agent installed on the source host; collects log data and sends it on
* __Indexer__, receives data from forwarders, parses and normalizes it, and stores it in indexes
* __Search Head__, runs searches against the indexes

Search & Reporting

The bread and butter of Splunk. Events can be found and searched here.

* Tip: to land in the Search app automatically on login, edit the `user-prefs.conf` file:
  * Windows: `C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf`
  * Linux: `/opt/splunk/etc/apps/user-prefs/default/user-prefs.conf`

Adding Data

Multiple different log sources can be added as events.

* Adding Data Docs
* Settings > Data > Data Inputs lists the available input types
* After that, add the data via Add Data

Queries

Inventory of the sourcetypes in an index, with the first/last/recent times converted from epoch to readable timestamps and sorted by event count:

```
| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```

* Examples
  * Filtering the HTTP sites visited by a found IP:

    ```
    index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
    ```
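Building on the two searches above, an added SPL example (not from the compendium) that pivots the same investigation: for the IP found in the HTTP stream, give each visited site its request count and first/last seen time, so a rare or late-appearing site stands out. It assumes the `stream:HTTP` sourcetype exposes `src_ip` and `site` fields, and that the index and IP are the ones used above.

```spl
index="botsv2" sourcetype="stream:HTTP" src_ip="10.0.2.101"
| stats count AS requests, min(_time) AS firstSeen, max(_time) AS lastSeen BY site
| eval firstSeen=strftime(firstSeen, "%Y-%m-%d %H:%M:%S"),
       lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| sort - requests
```

`stats ... BY site` replaces `dedup site | table site` when the counts and timing matter; `sort - requests` follows the same descending-sort pattern as `sort - totalCount` in the metadata search.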

Sigma

Dashboard

Create visualizations and group them.

```
source="<source>" | top limit=5 EventID
```

* Visualization > choose Chart > "Save As" (top right) > DashboardName

Alerting