Dashboards
Splunk Dashboards
IPS High Risk Alert Not Blocked. Below is an example using Palo Alto Networks (PAN) IPS
```IPS threat events rated critical or high that the PAN firewall neither blocked nor dropped, rolled up per hour, source, severity and action```
index=pan sourcetype="pan:threat" ",threat," (critical OR high) (severity=critical OR severity=high) action!="blocked" action!="dropped"
```hourly buckets (bin is the canonical name of bucket)```
| bin span=1h _time
| stats values(signature) as signature mode(dest) as dest values(dest_port) as dest_port values(file_name) as file_name values(file_hash) as file_hash count by _time, src, severity, action
```flatten the multivalue columns to comma-separated strings for the dashboard table```
| foreach signature dest_port file_name file_hash [eval <<FIELD>>=mvjoin('<<FIELD>>'," , ")]
DoS - Firewall: Large Number of DENIED Connections by Firewall
```DoS indicator: blocked connections per firewall per hour from the accelerated Network_Traffic data model (summariesonly=1 returns nothing unless acceleration is enabled)```
| tstats summariesonly=1 allow_old_summaries=1 count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="blocked" sourcetype=* AND host=* by All_Traffic.dvc host _time span=1h
| rename All_Traffic.dvc AS dvc
```fall back to the forwarding host when the device field was not populated```
| eval dvc=case(dvc="unknown", host, true(), dvc)
| timechart span=1h sum(count) by dvc
Detect Many Unauthorized Access Attempts
| `Load_Sample_Log_Data(Windows Logons with Failure Codes)` | search Failure_Reason=* Status=0xC000015B ```demo panel over bundled sample data, not live logs; 0xC000015B is STATUS_LOGON_TYPE_NOT_GRANTED - the account is not permitted the requested logon type on that host```
Data Exfiltration - Suspicious Destinations
```exfiltration candidates: hourly outbound volume per destination, discounted for destinations that recur often and are used by many sources```
| tstats summariesonly=1 allow_old_summaries=1 sum(All_Traffic.bytes) as bytes dc(All_Traffic.src) as "Unique Sources" from datamodel=Network_Traffic.All_Traffic where host=* by _time span=1h All_Traffic.dest
| rename All_Traffic.* as *
| eval MBytes=round(bytes/1024/1024,2)
```number of distinct hours in which the destination appeared```
| eventstats dc(_time) as Frequency by dest
```risk rises with volume and falls steeply for recurring, widely used destinations```
| eval Risk=round(MBytes/(pow(Frequency,Frequency))/'Unique Sources')
```sort <count> keeps only the top rows, same as sort followed by head```
| sort 250 - Risk
| iplocation dest
| fillnull value="" Country
| table _time, Risk, dest, "Unique Sources", MBytes, Country
Detects when the number of successful Windows logon events is more than the daily average for a user account
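```successful logons (4624) per user per day, flagged when a day exceeds that user's average daily count; count is not a raw event field, so it must be produced by stats before it can be averaged or compared```
index=windows EventCode=4624
| eval user=lower(Account_Name)
| bin span=1d _time
| stats count by _time, user
| eventstats avg(count) as daily_avg by user
| where count > daily_avg
| table _time, user, count, daily_avg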
Unusual Traffic by Volume
```hourly outbound bytes per source, flagged above the running mean plus 4 standard deviations (streamstats is cumulative, so the baseline is thin for the first hours of a source)```
index=firewall sourcetype=access_combined
| bin span=1h _time
| stats sum(bytes_out) as sum_bytes by _time, src_ip
| streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev by src_ip
| eval isOutlier=if(sum_bytes > avg + 4*stdev, 1, 0)
| where isOutlier=1
Suspiciously High Process Creation
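```process creations (4688) per host per hour, flagged when an hour is more than twice the host's hourly average; aggregate functions are not valid inside where, and timechart by host spreads hosts into columns, so the baseline is built with stats + eventstats```
index=os_logs sourcetype=WinEventLog:Security EventCode=4688
| bin span=1h _time
| stats count as process_start by _time, host
| eventstats avg(process_start) as avg_process_start by host
| where process_start > avg_process_start*2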
Network Traffic from Rare Countries
```share of firewall events per source country; countries below 1% of all events are surfaced as rare (iplocation leaves Country empty for private or unresolvable addresses)```
index=firewall
| iplocation src_ip
| stats count by Country
| eventstats sum(count) as total
| eval percentage=(count/total)*100
| search percentage<1
Failed Login Attempts from a Single Source
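```failed password attempts per source, flagged at 4 standard deviations above the mean across sources; the eventstats outputs are named with "as" because where would otherwise parse avg(count) as a function call and fail```
index=authentication sourcetype="linux_secure"
| search failed password
| stats count by src_ip
| eventstats avg(count) as avg_count stdev(count) as stdev_count
| where count > avg_count + 4*stdev_count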
Frequency of Rare Windows Events
```event codes whose share of all Windows events is under 1%, ordered from the least rare to the rarest```
index=wineventlog
| stats count by EventCode
| eventstats sum(count) as total
| eval percentage=(count/total)*100
| search percentage<1
| sort - percentage
Detection of SQL Injection
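```web requests whose URI carries SQL-injection style fragments; rex only extracts named groups and never filters, so regex is used to keep matching events; access_combined stores the HTTP status in status, not action. Only 200 responses are kept, so rejected attempts are not shown here```
index=web sourcetype=access_combined status=200 uri="*.php*"
| regex uri="(?i)(union select|select(.+)from|waitfor delay|' OR ')"
| table _time, clientip, uri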
Top Accessed Internal Systems
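```20 most frequent sources with successful connections; top replaces events with one row per value, so _time no longer exists and was an empty column```
index=firewall action=success
| top limit=20 src_ip
| table src_ip, count, percent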
Anomaly in Number of Connections to a Host
```hourly connection count per destination, flagged above the destination's mean plus 4 standard deviations over the search window```
index=network sourcetype=cisco:asa dest_ip=*
| bin span=1h _time
| stats count by _time, dest_ip
| eventstats avg(count) as avg stdev(count) as stdev by dest_ip
| eval isOutlier=if(count > avg + 4*stdev, 1, 0)
| where isOutlier=1
Unique Domains Requested by Host
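```distinct domains queried per source, flagged at 4 standard deviations above the mean across sources; the stray "spl" suffix on the last term made the search invalid```
index=dns_logs
| stats dc(query) as unique_domains by src_ip
| eventstats avg(unique_domains) as avg stdev(unique_domains) as stdev
| where unique_domains > avg + 4*stdev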
Suspicious Executables Downloaded
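```downloads whose file extension is executable or script-like; the extension is lower-cased because the IN comparison inside where is case-sensitive and would otherwise miss .EXE or .Ps1```
index=proxy_logs action=download status=200
| rex field=file_path "\.(?<file_extension>\w+)$"
| eval file_extension=lower(file_extension)
| where file_extension IN ("exe", "dll", "bat", "ps1")
| stats count by src_ip, file_path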
Unusual Increase in Network Traffic
```total hourly network bytes, flagged above the running mean plus 4 standard deviations (cumulative streamstats, so early hours have a thin baseline)```
index=network_logs
| bin span=1h _time
| stats sum(bytes) as sum_bytes by _time
| streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev
| eval isOutlier=if(sum_bytes > avg + 4*stdev, 1, 0)
| where isOutlier=1
Unexpected System Changes
index=syslog_changes sourcetype=syslog | stats values(change) as changes by host, user | search changes=* AND changes!=expected_value ```expected_value is a literal placeholder: replace it with the sanctioned change value, or compare against a lookup of approved changes```
Unknown Processes Running on Critical Servers
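```processes on critical servers that are not on the approved list, grouped per user; the filter runs on process_name before stats because afterwards only process_list exists, and the stray "spl" suffix is removed. list_of_known_processes is a placeholder for the allow-list values```
index=server_logs server=critical_server
| search NOT process_name IN (list_of_known_processes)
| stats values(process_name) as process_list by user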
Unusual Database Activities
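```hourly insert/delete counts per action, flagged when an hour is more than twice that action's hourly average; aggregates are not valid inside where and timechart by action spreads actions into columns, so stats + eventstats build the baseline. Parentheses make the OR grouping explicit```
index=db_logs (action=insert OR action=delete)
| bin span=1h _time
| stats count by _time, action
| eventstats avg(count) as avg_count by action
| where count > avg_count*2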
Failed Connections to Important Services
```failed connections to a named service, by source/destination pair, busiest first; important_service is a placeholder for the service value in the ASA logs```
index=network_logs sourcetype=cisco:asa action=failure service=important_service
| stats count by src_ip dest_ip
| sort -count
High Traffic on Non-Standard Ports
```bytes per destination port, excluding the common service ports, largest first (where drops events with no port field, as the original did)```
index=network_logs
| where NOT in(port, 80, 443, 21, 22)
| stats sum(bytes) as total_bytes by port
| sort -total_bytes
Connections to Blacklisted IPs
```firewall events whose destination matches the IP blacklist lookup; the lookup's description column is carried along as threat_type```
index=firewall_logs
| lookup ip_blacklist.csv ip AS dest_ip OUTPUT description AS threat_type
| where NOT isnull(threat_type)
Multiple VPN Logins from Same User but Different Locations
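```users whose VPN logins in the window geolocate to more than one country; counting by user and Country only flagged repeated logins from the same country, which is the opposite of the intent```
index=vpn_logs
| iplocation src_ip
| stats dc(Country) as countries values(Country) as country_list count by user
| where countries > 1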
File Access Patterns
```file accesses per user and path, flagged when a user's count on a path is 4 standard deviations above the mean across users of that path```
index=filesystem_logs action=accessed
| stats count by user file_path
| eventstats avg(count) as avg stdev(count) as stdev by file_path
| where count > avg + 4*stdev
Attempts to Access Unusual URLs
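```10 most requested URIs that returned 404; top replaces events with one row per value, so _time no longer exists and was an empty column```
index=web_logs sourcetype=access_combined status=404
| top limit=10 uri
| table uri, count, percent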
Outgoing Traffic To Blacklisted Domains
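```proxy events matching an entry of the domain blacklist lookup, by source; NOT inverted the intent and excluded exactly those events. The lookup's column names must match the event field names (rename inside the subsearch if they do not). _time is gone after top, so it is no longer listed```
index=proxy_logs [inputlookup domain_blacklist.csv]
| top limit=20 src_ip
| table src_ip, count, percent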
Unique Connections by Non-Standard Ports
```sources talking to more than 20 distinct destinations on a non-standard port```
index=network_logs NOT (port IN (80, 443, 21, 22))
| stats dc(dest_ip) as unique_connections by src_ip port
| search unique_connections>20
Spike in Error Logs
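```hourly error-log volume, flagged above the window mean plus 4 standard deviations; aggregates are not valid inside where, so the baseline is computed with eventstats over the hourly counts```
index=system_logs level=error
| bin span=1h _time
| stats count as error_count by _time
| eventstats avg(error_count) as avg_errors stdev(error_count) as stdev_errors
| where error_count > avg_errors + 4*stdev_errors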
Longest Running User Sessions
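```longest user sessions, built by pairing each user's logon with the following logoff; this panel previously repeated the error-spike search. <logon_eventtype> and <logoff_eventtype> are placeholders for the site's eventtypes; duration is the seconds between the pair```
index=authentication_logs
| transaction user startswith="eventtype=<logon_eventtype>" endswith="eventtype=<logoff_eventtype>"
| sort 20 - duration
| table _time, user, duration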
Suspicious Database Transactions
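```transaction amount per user, flagged at 4 standard deviations above the mean across users; aggregates are not valid inside where, so eventstats supplies the baseline```
index=db_logs action=transaction
| stats sum(amount) as total_amount by user
| eventstats avg(total_amount) as avg_total stdev(total_amount) as stdev_total
| where total_amount > avg_total + 4*stdev_total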
Unknown USB Device Connections
```USB events whose fields do not match any row of the known-devices lookup (lookup column names must match the event field names)```
index=device_logs sourcetype=usb:* NOT [inputlookup known_devices.csv]
| table _time, device_id, host
Multiple Failed SSH Attempts
```sources with more than 5 failed SSH logins in the window```
index=ssh_logs eventtype=ssh_failure
| stats count by src_ip
| search count>5
Most Common Firewall Deny Events
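```10 most frequently denied sources; top replaces events with one row per value, so _time no longer exists and was an empty column```
index=firewall_logs action=deny
| top limit=10 src_ip
| table src_ip, count, percent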
Processes Consuming High CPU
index=system_logs sourcetype=top:CPU | where percent_cpu > 80 | table _time, process_name, percent_cpu ```per-sample view of processes above 80% CPU; the threshold is a fixed cut-off, not a baseline```
Rarely Accessed File Shares
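```paths accessed fewer than 5 times in the window; _time does not survive stats and was an empty column```
index=sharepoint_logs
| stats count by file_path
| where count < 5
| table file_path, count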
DNS Tunneling Detection
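```source/query pairs repeated more than 100 times; a coarse signal, since tunneling typically shows as many distinct long subdomains rather than one repeated name. _time does not survive stats and was an empty column```
index=dns_logs
| stats count by src_ip, query
| where count > 100
| table src_ip, query, count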
Malware Detection Based on User Agent Strings
```proxy events whose fields match a row of the malicious user-agent lookup (lookup column names must match the event field names)```
index=proxy_logs [inputlookup malware_user_agents.csv]
| table _time, src_ip, user_agent
File Changes on Critical Systems
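```paths on the critical host with more than 10 filesystem events in the window; _time does not survive stats and was an empty column```
index=filesystem_logs host=critical_system
| stats count by file_path
| where count > 10
| table file_path, count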
Abnormal Account Lockouts
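```lockouts per user, flagged at 4 standard deviations above the mean across users; aggregates are not valid inside where, so eventstats supplies the baseline```
index=authentication_logs eventtype=account_lockout
| stats count by user
| eventstats avg(count) as avg_count stdev(count) as stdev_count
| where count > avg_count + 4*stdev_count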
Excessive Data Sent to External IPs
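```outbound volume per destination above a fixed 1,000,000-byte threshold (bytes assumed to be raw bytes - confirm against the source); _time does not survive stats and was an empty column```
index=firewall_logs direction=outbound
| stats sum(bytes) as total_bytes by dest_ip
| where total_bytes > 1000000
| table dest_ip, total_bytes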
Unusual Server Reboot
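```reboots per host, flagged at 4 standard deviations above the mean across hosts; aggregates are not valid inside where, so eventstats supplies the baseline```
index=system_logs eventtype=system_reboot
| stats count by host
| eventstats avg(count) as avg_count stdev(count) as stdev_count
| where count > avg_count + 4*stdev_count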
Suspicious PowerShell Commands
```PowerShell events whose fields match a row of the suspicious-commands lookup (lookup column names must match the event field names)```
index=powershell_logs [inputlookup suspicious_powershell_commands.csv]
| table _time, user, command
Multiple File Changes by a User
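```user/path pairs with more than 5 changes in the window; _time does not survive stats and was an empty column```
index=file_change_logs
| stats count by user, file_path
| where count > 5
| table user, file_path, count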
Inbound Connections from TOR Network
```inbound firewall events whose source is a known Tor exit node per the lookup; the lookup's description column is carried along as threat_type```
index=firewall_logs direction=inbound
| lookup tor_exit_nodes.csv src_ip OUTPUT description AS threat_type
| where NOT isnull(threat_type)
Unusual Print Activities
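```print jobs per user and printer, flagged at 4 standard deviations above the mean across pairs; aggregates are not valid inside where, the stray "lu" suffix made the search invalid, and _time does not survive stats```
index=printer_logs
| stats count by user, printer_name
| eventstats avg(count) as avg_count stdev(count) as stdev_count
| where count > avg_count + 4*stdev_count
| table user, printer_name, count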
User Account Anomalies
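```authentication events per user, flagged at 3 standard deviations above the mean across all users; with "by user" the baseline was each user's own single row (stdev 0), so nothing could ever fire. _time does not survive stats```
index=authentication_logs
| stats count by user
| eventstats avg(count) as avg stdev(count) as stdev
| where count > avg + 3*stdev
| table user, count, avg, stdev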
Unusual Command Execution
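```user/command pairs executed more than 10 times in the window; _time does not survive stats and was an empty column```
index=command_logs
| stats count by user, command
| where count > 10
| table user, command, count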
Outbound Traffic to High-Risk Countries
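```outbound connections per destination country above 100; iplocation names its output Country, so prefix=dest_ is needed to obtain dest_Country. Note the count threshold surfaces busy countries, not risk-rated ones - a risk lookup would be needed for the title's intent. _time does not survive stats```
index=network_logs direction=outbound
| iplocation prefix=dest_ dest_ip
| stats count by dest_Country
| where count > 100
| table dest_Country, count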
Large Number of Failed Database Queries
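```user/query pairs with more than 50 failures in the window; _time does not survive stats and was an empty column```
index=database_logs status=failed
| stats count by user, query
| where count > 50
| table user, query, count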
Unusual System Service Behavior
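```services with more than 100 log events in the window; _time does not survive stats and was an empty column```
index=system_logs sourcetype=service_logs
| stats count by service_name
| where count > 100
| table service_name, count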
Uncommon Firewall Rule Modifications
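```user/rule pairs with more than 5 rule changes in the window; _time does not survive stats and was an empty column```
index=firewall_logs eventtype=rule_change
| stats count by user, rule_name
| where count > 5
| table user, rule_name, count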
Large Number of Login Failures from Single IP
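```sources with more than 20 login failures; without a failure filter the search counted every authentication event, successes included. action=failure follows the convention used by the other searches on this page - adjust to the source's field. _time does not survive stats```
index=authentication_logs action=failure
| stats count by src_ip
| where count > 20
| table src_ip, count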
Suspicious File Access Patterns
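```user/path pairs with more than 10 accesses in the window; _time does not survive stats and was an empty column```
index=file_access_logs
| stats count by user, file_path
| where count > 10
| table user, file_path, count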
Abnormal Process Behavior
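```processes with more than 100 events in the window; _time does not survive stats and was an empty column```
index=process_logs
| stats count by process_name
| where count > 100
| table process_name, count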
Outliers in Network Bandwidth Usage
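```hourly bytes per source, flagged above the source's mean plus 3 standard deviations; timechart by src_ip spreads sources into columns, so neither total_bytes nor src_ip existed for eventstats - bin + stats keeps them as fields```
index=network_logs
| bin span=1h _time
| stats sum(bytes) as total_bytes by _time, src_ip
| eventstats avg(total_bytes) as avg stdev(total_bytes) as stdev by src_ip
| eval isOutlier=if(total_bytes > (avg + (3*stdev)), 1, 0)
| where isOutlier=1
| table _time, src_ip, total_bytes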