Splunk Search cheat sheet

If you are not familiar with Splunk, it is a popular big data platform used for everything from business analytics to Security Information and Event Management (SIEM). Below is a collection of useful Splunk search command examples for SIEM-related tasks. The Windows searches rely on the field names extracted by the Splunk Add-on for Microsoft Windows (Account_Name, New_Process_Name, Logon_Type and so on); index=* is used throughout for brevity and should be narrowed to the relevant index in production.

General Searches

Identify available indexes in Splunk (index!=_* drops the internal _internal, _audit and similar indexes)
| eventcount summarize=false index=* index!=_* | dedup index | fields index

Search for an IP address, the devices that saw it and the action taken (firewalls)
Replace "IP" with the address you are hunting. The table fields are the Common Information Model network traffic fields, so the search works across any firewall add-on that maps to them:
index=* "IP" | table _time src src_port dest dest_port action

Windows Event Logs

Suspicious/admin processes starting (event code 4688)
The following query searches for the launch of commonly abused administrative and attacker tooling. It excludes computer accounts (names ending in $), which generate most of the 4688 noise. In a 4688 event New_Process_Name is the process that started, Creator_Process_ID identifies its parent, and Process_Command_Line is only populated when the "Include command line in process creation events" policy is enabled:
index=* LogName=Security EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message

PowerShell bypass attempts (event code 4688)
This query looks for new PowerShell processes started with flags typically used to evade controls: an execution policy override (-ExecutionPolicy, or its abbreviation -Exp, together with bypass) and profile suppression (-noprofile / -nop). The OR groups are parenthesised explicitly: in SPL, OR binds tighter than the implied AND between terms, so the ungrouped form works but is easy to misread. The flag terms are quoted so the leading hyphen is not mistaken for anything else:
index=* LogName=Security EventCode=4688 ((powershell* AND ("-ExecutionPolicy" OR "-Exp")) OR (powershell* AND bypass) OR (powershell* AND ("-noprofile" OR "-nop"))) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message

Monitor for all processes, excluding trusted/known processes (event code 4688)
This variant inverts the approach: instead of a list of bad binaries it excludes every process listed in a lookup file, Trusted_processes.csv, whose Process_Name column holds the full paths you expect to see. The lookup must be uploaded to Splunk first, the column name must match the event field you want excluded (use New_Process_Name if that is where your events carry the started process), and a subsearch returns at most 10,000 rows by default:
index=* LogName=Security EventCode=4688 NOT (Account_Name=*$) NOT [ inputlookup Trusted_processes.csv | fields Process_Name ] | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
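The three 4688 searches above describe one triage pipeline. The following is an added Python example, not code from the original page, that runs the same filters over constructed 4688 events: computer accounts are dropped, an inline TRUSTED set stands in for Trusted_processes.csv, PowerShell launched with bypass-style flags is flagged first, and anything else on the suspicious list is flagged second. The field names follow the Splunk Add-on for Windows extractions used in the searches; the sample events, the TRUSTED paths and the extra -enc check are assumptions made for this example.

```python
"""Triage of Windows Security 4688 (process creation) events, applying the
logic of the three cheat-sheet searches in one pass.  Events are constructed
dicts using the field names the Splunk Add-on for Windows extracts; the
sample values are assumptions for this example, not real telemetry."""
import re

# Subset of the suspicious binaries from the first search (lower-case basenames).
SUSPICIOUS = {
    "cmd.exe", "powershell.exe", "psexec.exe", "procdump.exe", "mimikatz.exe",
    "net.exe", "reg.exe", "sc.exe", "schtasks.exe", "vssadmin.exe", "whoami.exe",
    "wmic.exe", "rundll32.exe", "nc.exe", "netcat.exe", "wscript.exe", "cscript.exe",
}

# Stand-in for Trusted_processes.csv: full paths the organisation expects to see.
TRUSTED = {
    r"c:\program files\backupagent\agent.exe",
    r"c:\windows\system32\svchost.exe",
}

# -ExecutionPolicy/-Exp bypass and -noprofile/-nop from the search, plus -enc
# with a base64 payload (added here).  The lookbehind stops "Get-Date" or
# "-Command" from matching.
BYPASS_FLAGS = re.compile(
    r"(?<![\w-])-(?:executionpolicy|exec|ex|ep)\s+bypass\b"
    r"|(?<![\w-])-no(?:profile|p)\b"
    r"|(?<![\w-])-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}",
    re.I,
)


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def short_message(message):
    """Same as `eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0)`."""
    return message.split(".")[0]


def triage_4688(events):
    """Return (event, reason) pairs for process starts worth a look, in event order."""
    hits = []
    for ev in events:
        if ev["Account_Name"].endswith("$"):          # NOT (Account_Name=*$)
            continue
        path = ev["New_Process_Name"].lower()
        if path in TRUSTED:                           # NOT [inputlookup Trusted_processes.csv ...]
            continue
        exe = basename(path)
        cmd = ev.get("Process_Command_Line", "")      # empty unless command-line auditing is on
        if exe in ("powershell.exe", "pwsh.exe") and BYPASS_FLAGS.search(cmd):
            hits.append((ev, "powershell bypass flags: " + cmd))
        elif exe in SUSPICIOUS:
            hits.append((ev, "suspicious binary: " + exe))
    return hits


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"host": "WS01", "Account_Name": "jdoe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": r"powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\Temp\a.ps1",
     "Message": "A new process has been created. Creator Subject: CORP\\jdoe"},
    {"host": "WS01", "Account_Name": "WS01$",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe",
     "Process_Command_Line": "cmd.exe /c gpupdate /force",
     "Message": "A new process has been created. Creator Subject: WS01$"},
    {"host": "SRV02", "Account_Name": "svc_backup",
     "New_Process_Name": r"C:\Program Files\BackupAgent\agent.exe",
     "Process_Command_Line": "agent.exe --schedule nightly",
     "Message": "A new process has been created. Creator Subject: CORP\\svc_backup"},
    {"host": "SRV02", "Account_Name": "admin",
     "New_Process_Name": r"C:\Windows\System32\whoami.exe",
     "Process_Command_Line": "whoami /all",
     "Message": "A new process has been created. Creator Subject: CORP\\admin"},
    {"host": "WS03", "Account_Name": "jdoe",
     "New_Process_Name": r"C:\Windows\System32\notepad.exe",
     "Process_Command_Line": "notepad.exe",
     "Message": "A new process has been created. Creator Subject: CORP\\jdoe"},
    {"host": "WS03", "Account_Name": "jdoe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe -Command Get-Date",
     "Message": "A new process has been created. Creator Subject: CORP\\jdoe"},
]

if __name__ == "__main__":
    for ev, reason in triage_4688(SAMPLE_EVENTS):
        print(ev["host"], ev["Account_Name"], reason, "|", short_message(ev["Message"]))
```

The regex makes the bypass check stricter than the SPL term match, which would also fire on the word bypass appearing anywhere in the command line, such as a script argument; the plain powershell.exe start without bypass flags still surfaces through the suspicious-binary list, as it does in the first search.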

Windows successful logons (event code 4624)
Looks for successful Windows logons and reports accounts seen on more than two hosts, a useful lateral-movement indicator. Logon_Type values worth knowing: 2 interactive (console), 3 network (file shares, WMI and most remote administration), 8 NetworkCleartext (for example IIS basic authentication), 10 RemoteInteractive (RDP); 7 is a workstation unlock and 11 a cached-credential logon. A 4624 event carries two Account_Domain values, the subject and the target account, hence mvindex(Account_Domain,1). Service_Account is a placeholder for accounts you want to exclude; ANONYMOUS LOGON and computer accounts are excluded to cut noise:
index=* LogName=Security EventCode=4624 NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON") NOT (Account_Name="Service_Account") Account_Name!="-" | eval Account_Domain=mvindex(Account_Domain,1) | stats count values(Account_Domain) AS Domain, values(host) AS Host, dc(host) AS Host_Count, values(Logon_Type) AS Logon_Type, values(Workstation_Name) AS WS_Name, values(Source_Network_Address) AS Source_IP, values(Process_Name) AS Process_Name by Account_Name | where Host_Count > 2

Windows logon failures (event code 4625)
Lists Windows logon failures. The signature field carries the event description; add Failure_Reason or Sub_Status to the table if you need the cause (0xC000006A wrong password, 0xC0000064 unknown user name, 0xC0000234 account locked out):
index=* LogName=Security EventCode=4625 | table _time, Workstation_Name, Source_Network_Address, host, Account_Name, signature

Login failure brute-force check by account name (event code 4625)
The query below looks for an account being brute-forced. It is scoped to one account name (here administrator) and a failure threshold (here more than 10 failures within the search time range); tune both to your environment, and consider a variant grouped by Source_Network_Address to catch password spraying across many accounts:
index=* LogName=Security EventCode=4625 (Account_Name=administrator) | stats count values(Workstation_Name) AS Workstation_Name, values(Source_Network_Address) AS Source_IP_Address, values(host) AS Host by Account_Name | where count > 10
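What the 4624 and 4625 searches above compute, as an added Python example that is not code from the original page: constructed logon events are grouped by account, the successful-logon statistics (target domain, hosts, logon types, source IPs) and the failure count are built the way the stats commands build them, and the two where clauses become flags. Field names follow the Splunk Add-on for Windows; the sample events, the helper constructors and the two-value Account_Domain lists are assumptions for this example.

```python
"""Account-centric summary of Windows logon events, mirroring the 4624
"account seen on many hosts" search and the 4625 brute-force count.
Events are constructed dicts; Account_Domain is a two-value list
(subject domain, target domain), which is why the search takes
mvindex(Account_Domain, 1)."""
from collections import defaultdict

# Accounts excluded by the searches; "Service_Account" stands in for your own exclusions.
NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "Service_Account", "-"}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def is_noise(account):
    """The NOT (Account_Name="*$" OR ...) clauses: computer accounts and the exclusion list."""
    return account.endswith("$") or account in NOISE_ACCOUNTS


def summarize_logons(events, host_threshold=2, failure_threshold=10):
    """Return {account: row}.  Each row carries the stats the two searches build
    (target domain, hosts, logon types and source IPs of successful logons;
    count and sources of failures) plus a 'flags' list: 'spread' when the
    distinct host count exceeds host_threshold (the 4624 where clause) and
    'brute_force' when the 4625 count exceeds failure_threshold."""
    rows = defaultdict(lambda: {"domain": set(), "hosts": set(), "logon_types": set(),
                                "sources": set(), "failures": 0, "failure_sources": set()})
    for ev in events:
        acct = ev["Account_Name"]
        if is_noise(acct):
            continue
        row = rows[acct]
        if ev["EventCode"] == 4624:
            row["domain"].add(ev["Account_Domain"][1])          # mvindex(Account_Domain,1)
            row["hosts"].add(ev["host"])                          # values(host), dc(host)
            row["logon_types"].add(LOGON_TYPES.get(ev["Logon_Type"], str(ev["Logon_Type"])))
            row["sources"].add(ev.get("Source_Network_Address", "-"))
        elif ev["EventCode"] == 4625:
            row["failures"] += 1                                  # stats count
            row["failure_sources"].add(ev.get("Source_Network_Address", "-"))
    for row in rows.values():
        row["flags"] = []
        if len(row["hosts"]) > host_threshold:                    # where Host_Count > 2
            row["flags"].append("spread")
        if row["failures"] > failure_threshold:                   # where count > 10
            row["flags"].append("brute_force")
    return dict(rows)


def _logon(host, account, logon_type, src, domain="CORP"):
    """Constructed 4624 event (assumed shape)."""
    return {"EventCode": 4624, "host": host, "Account_Name": account, "Logon_Type": logon_type,
            "Account_Domain": ["-", domain], "Source_Network_Address": src}


def _failure(host, account, src):
    """Constructed 4625 event (assumed shape)."""
    return {"EventCode": 4625, "host": host, "Account_Name": account,
            "Account_Domain": ["-", "CORP"], "Source_Network_Address": src}


SAMPLE_EVENTS = (  # constructed sample, not real telemetry
    [_logon("WS01", "jdoe", 2, "-"),
     _logon("WS02", "jdoe", 3, "10.0.0.5"),
     _logon("SRV01", "jdoe", 3, "10.0.0.5"),
     _logon("SRV02", "jdoe", 10, "10.0.0.5"),            # RDP from the same workstation
     _logon("WS03", "asmith", 2, "-"),
     _logon("WS01", "WS01$", 5, "-"),                    # computer account, excluded
     _logon("SRV01", "ANONYMOUS LOGON", 3, "10.0.0.9"),  # excluded
     _logon("SRV01", "Administrator", 3, "203.0.113.9")] # success after the failures below
    + [_failure("SRV01", "Administrator", "203.0.113.9") for _ in range(12)]
)

if __name__ == "__main__":
    for acct, row in summarize_logons(SAMPLE_EVENTS).items():
        print(acct, sorted(row["hosts"]), row["failures"], row["flags"])
```

The Administrator row shows why the two searches belong together: twelve failures from one source followed by a type 3 success from the same address is the pattern the brute-force count alone would report only as failures.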

New service installations (event code 7045)
The query below looks for new service installations, which is how PsExec-style tools (the PSEXESVC service) and many persistence mechanisms land on a host. mgmt_service is a placeholder for a service you expect to see installed routinely; Service_Account shows the account the service runs as. Event 7040 (service start type changed) in the same System log is a related event worth watching alongside this one:
index=* LogName=System EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message

Linux Logs

Linux secure brute force detection
Counts successful and failed authentications per source IP over linux_secure events (/var/log/secure or auth.log) and reports sources with more than 100 failures and at least one success, that is, a brute force that eventually got in. Drop the successes>0 condition to see sources that are still failing:
index=* (sourcetype=linux_secure OR tag=authentication) user!=""
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src
| where successes>0 AND failures>100
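The Linux search above as an added Python example, not code from the original page: raw sshd lines in the /var/log/secure format are parsed into the action, user and src fields that the linux_secure sourcetype extracts, then tallied per source and filtered with the same successes>0 AND failures>100 condition. The log lines are constructed for the example; the regex covers the standard OpenSSH "Accepted" and "Failed" messages, including the "invalid user" form.

```python
"""Brute-force-then-success check over raw sshd lines from /var/log/secure,
implementing the per-source logic of the cheat-sheet search directly.
The sample lines are constructed, not taken from a real system."""
import re
from collections import defaultdict

# OpenSSH authentication result lines, e.g.
#   sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
#   sshd[4243]: Accepted publickey for bob from 10.0.0.5 port 44005 ssh2: RSA SHA256:...
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<action>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_secure(lines):
    """Yield (action, user, src) for each sshd authentication line; other lines are skipped."""
    for line in lines:
        m = AUTH_LINE.search(line)
        if m:
            yield ("success" if m["action"] == "Accepted" else "failure", m["user"], m["src"])


def brute_force_sources(lines, failure_threshold=100):
    """Per-source tallies filtered like `where successes>0 AND failures>threshold`.
    Returns {src: {"successes": n, "failures": n, "users": set()}} for sources that pass."""
    tally = defaultdict(lambda: {"successes": 0, "failures": 0, "users": set()})
    for action, user, src in parse_secure(lines):       # stats ... by src
        t = tally[src]
        t["successes" if action == "success" else "failures"] += 1
        t["users"].add(user)
    return {src: t for src, t in tally.items()
            if t["successes"] > 0 and t["failures"] > failure_threshold}


SAMPLE_LINES = (  # constructed sample log, not a real /var/log/secure
    # 120 failures from one source, then a success from the same source
    [f"Jan 10 09:{i // 60:02d}:{i % 60:02d} bastion sshd[{4000 + i}]: Failed password for "
     f"{'invalid user admin' if i % 2 else 'root'} from 203.0.113.7 port {50000 + i} ssh2"
     for i in range(120)]
    + ["Jan 10 09:02:30 bastion sshd[4200]: Accepted password for alice from 203.0.113.7 port 50900 ssh2"]
    # an admin who mistyped a password a few times and then got in with a key
    + [f"Jan 10 08:00:0{i} bastion sshd[300{i}]: Failed password for bob from 10.0.0.5 port 4400{i} ssh2"
       for i in range(3)]
    + ["Jan 10 08:00:05 bastion sshd[3005]: Accepted publickey for bob from 10.0.0.5 port 44005 ssh2: RSA SHA256:abc",
       "Jan 10 08:00:05 bastion sshd[3005]: pam_unix(sshd:session): session opened for user bob by (uid=0)"]
    # a spray that never succeeds: many failures, no success
    + [f"Jan 10 10:{i // 60:02d}:{i % 60:02d} bastion sshd[{6000 + i}]: Failed password for invalid user test "
       f"from 198.51.100.2 port {40000 + i} ssh2"
       for i in range(150)]
)

if __name__ == "__main__":
    for src, t in brute_force_sources(SAMPLE_LINES).items():
        print(src, t["failures"], "failures,", t["successes"], "successes, users:", sorted(t["users"]))
```

A pure spray with no success, like the 198.51.100.2 source in the sample, is deliberately absent from the result, exactly as it is from the search; lower the threshold or drop the successes check to surface it.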
