Dashboards

Splunk Dashboards

IPS High Risk Alert Not Blocked. Below is an example using Palo Alto Networks (PAN) IPS

index=pan sourcetype="pan:threat" ",threat," (critical OR high) (severity=critical OR severity=high) action!="blocked" action!="dropped" | bucket span=1h _time | stats values(signature) as signature mode(dest) as dest values(dest_port) as dest_port values(file_name) as file_name values(file_hash) as file_hash count by _time, src, severity, action | eval signature=mvjoin(signature," , ") | eval dest_port=mvjoin(dest_port," , ") | eval file_name=mvjoin(file_name," , ") | eval file_hash=mvjoin(file_hash," , ")

DOS- Firewall Large number of DENIED Connections by Firewall

| tstats summariesonly=1 allow_old_summaries=1 count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="blocked" sourcetype=* AND host=* by All_Traffic.dvc host _time span=1h | rename All_Traffic.dvc AS dvc | eval dvc=if(dvc="unknown",host,dvc) | timechart span=1h sum(count) by dvc

Detect Many Unauthorized Access Attempts

| `Load_Sample_Log_Data(Windows Logons with Failure Codes)` | search Failure_Reason=* Status=0xC000015B

Data Exfiltration - Suspicious Destinations

| tstats summariesonly=1 allow_old_summaries=1 sum(All_Traffic.bytes) as bytes dc(All_Traffic.src) as "Unique Sources" from datamodel=Network_Traffic.All_Traffic where host=* by _time span=1h All_Traffic.dest
| rename All_Traffic.* as *
| eval MBytes=round(bytes/1024/1024,2)
| eventstats dc(_time) as Frequency by dest
| eval Risk=round(MBytes/(pow(Frequency,Frequency))/'Unique Sources')
| sort - Risk
| head 250
| iplocation dest
| fillnull value="" Country
| table _time, Risk, dest, "Unique Sources", MBytes, Country

Detects when the number of successful Windows logon events are more than the daily average for a user account

index=windows EventCode=4624 | eval user=lower(Account_Name) | timechart span=1d avg(count) as daily_avg by user | where count > daily_avg

Unusual Traffic by Volume

index=firewall sourcetype=access_combined | bucket span=1h _time | stats sum(bytes_out) as sum_bytes by _time, src_ip | streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev by src_ip | eval isOutlier=if(sum_bytes > (avg + (4*stdev)), 1, 0) | search isOutlier=1

Suspiciously High Process Creation

index=os_logs sourcetype=WinEventLog:Security EventCode=4688 | timechart span=1h count as process_start by host | where process_start > avg(process_start)*2

Network Traffic from Rare Countries

index=firewall | iplocation src_ip | stats count by Country | eventstats sum(count) as total | eval percentage=(count/total)*100 | where percentage < 1

Failed Login Attempts from a Single Source

index=authentication sourcetype="linux_secure" | search failed password | stats count by src_ip | eventstats avg(count), stdev(count) | where count > avg(count) + 4*stdev(count)

Frequency of Rare Windows Events

index=wineventlog | stats count by EventCode | eventstats sum(count) as total | eval percentage=(count/total)*100 | where percentage < 1 | sort - percentage

Detection of SQL Injection

index=web sourcetype=access_combined action=200 uri="*.php*" | rex field=uri "(?i)(union select|select(.+)from|waitfor delay|' OR ')" | search uri=* | table _time, clientip, uri

Top Accessed Internal Systems

index=firewall action=success | top limit=20 src_ip | table _time, src_ip, count

Anomaly in Number of Connections to a Host

index=network sourcetype=cisco:asa dest_ip=* | bucket _time span=1h | stats count by _time, dest_ip | eventstats avg(count) as avg stdev(count) as stdev by dest_ip | eval isOutlier=if(count > (avg + (4*stdev)), 1, 0) | search isOutlier=1

Unique Domains Requested by Host

index=dns_logs | stats dc(query) as unique_domains by src_ip | eventstats avg(unique_domains) as avg stdev(unique_domains) as stdev | where unique_domains > avg + 4*stdevspl

Suspicious Executables Downloaded

index=proxy_logs action=download status=200 | rex field=file_path "\.(?<file_extension>\w+)$" | where file_extension IN ("exe", "dll", "bat", "ps1") | stats count by src_ip, file_path

Unusual Increase in Network Traffic

index=network_logs | bucket _time span=1h | stats sum(bytes) as sum_bytes by _time | streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev | eval isOutlier=if(sum_bytes > (avg + (4*stdev)), 1, 0) | search isOutlier=1

Unexpected System Changes

index=syslog_changes sourcetype=syslog | stats values(change) as changes by host, user | search changes=* AND changes!=expected_value

Unknown Processes Running on Critical Servers

index=server_logs server=critical_server | stats values(process_name) as process_list by user | search process_name NOT IN (list_of_known_processes)spl

Unusual Database Activities

index=db_logs action=insert OR action=delete | timechart span=1h count by action | where count > avg(count)*2

Failed Connections to Important Services

index=network_logs sourcetype=cisco:asa action=failure service=important_service | stats count by src_ip, dest_ip | sort - count

High Traffic on Non-Standard Ports

index=network_logs | where NOT (port IN (80, 443, 21, 22)) | stats sum(bytes) as total_bytes by port | sort - total_bytes

Connections to Blacklisted IPs

index=firewall_logs | lookup ip_blacklist.csv ip as dest_ip OUTPUT description as threat_type | where isnotnull(threat_type)

Multiple VPN Logins from Same User but Different Locations

index=vpn_logs | iplocation src_ip | stats count by user, Country | where count > 1

File Access Patterns

index=filesystem_logs action=accessed | stats count by user, file_path | eventstats avg(count) as avg, stdev(count) as stdev by file_path | where count > avg + 4*stdev

Attempts to Access Unusual URLs

index=web_logs sourcetype=access_combined status=404 | top limit=10 uri | table _time, uri, count

Outgoing Traffic To Blacklisted Domains

index=proxy_logs NOT [inputlookup domain_blacklist.csv] | top limit=20 src_ip | table _time, src_ip, count

Unique Connections by Non-Standard Ports

index=network_logs NOT (port IN (80, 443, 21, 22)) | stats dc(dest_ip) as unique_connections by src_ip, port | where unique_connections > 20

Spike in Error Logs

index=system_logs level=error | timechart span=1h count as error_count | where error_count > avg(error_count) + 4*stdev(error_count)

Longest Running User Sessions

index=system_logs level=error | timechart span=1h count as error_count | where error_count > avg(error_count) + 4*stdev(error_count)

Suspicious Database Transactions

index=db_logs action=transaction | stats sum(amount) as total_amount by user | where total_amount > avg(total_amount) + 4*stdev(total_amount)

Unknown USB Device Connections

index=device_logs sourcetype=usb:* | search NOT [inputlookup known_devices.csv] | table _time, device_id, host

Multiple Failed SSH Attempts

index=ssh_logs eventtype=ssh_failure | stats count by src_ip | where count > 5

Most Common Firewall Deny Events

index=firewall_logs action=deny | top limit=10 src_ip | table _time, src_ip, count

Processes Consuming High CPU

index=system_logs sourcetype=top:CPU | where percent_cpu > 80 | table _time, process_name, percent_cpu

Rarely Accessed File Shares

index=sharepoint_logs | stats count by file_path | where count < 5 | table _time, file_path, count

DNS Tunneling Detection

index=dns_logs | stats count by src_ip, query | where count > 100 | table _time, src_ip, query, count

Malware Detection Based on User Agent Strings

index=proxy_logs | search [inputlookup malware_user_agents.csv] | table _time, src_ip, user_agent

File Changes on Critical Systems

index=filesystem_logs host=critical_system | stats count by file_path | where count > 10 | table _time, file_path, count

Abnormal Account Lockouts

index=authentication_logs eventtype=account_lockout | stats count by user | where count > avg(count) + 4*stdev(count)

Excessive Data Sent to External IPs

index=firewall_logs direction=outbound | stats sum(bytes) as total_bytes by dest_ip | where total_bytes > 1000000 | table _time, dest_ip, total_bytes

Unusual Server Reboot

index=system_logs eventtype=system_reboot | stats count by host | where count > avg(count) + 4*stdev(count)

Suspicious PowerShell Commands

index=powershell_logs | search [inputlookup suspicious_powershell_commands.csv] | table _time, user, command

Multiple File Changes by a User

index=file_change_logs | stats count by user, file_path | where count > 5 | table _time, user, file_path, count

Inbound Connections from TOR Network

index=firewall_logs direction=inbound | lookup tor_exit_nodes.csv src_ip OUTPUT description as threat_type | where isnotnull(threat_type)

Unusual Print Activities

index=printer_logs | stats count by user, printer_name | where count > avg(count) + 4*stdev(count) | table _time, user, printer_name, countlu

User Account Anomalies

index=authentication_logs | stats count by user | eventstats avg(count) as avg stdev(count) as stdev by user | where count > avg + 3*stdev | table _time, user, count

Unusual Command Execution

index=command_logs | stats count by user, command | where count > 10 | table _time, user, command, count

Outbound Traffic to High-Risk Countries

index=network_logs direction=outbound | iplocation dest_ip | stats count by dest_country | where count > 100 | table _time, dest_country, count

Large Number of Failed Database Queries

index=database_logs status=failed | stats count by user, query | where count > 50 | table _time, user, query, count

Unusual System Service Behavior

index=system_logs sourcetype=service_logs | stats count by service_name | where count > 100 | table _time, service_name, count

Uncommon Firewall Rule Modifications

index=firewall_logs eventtype=rule_change | stats count by user, rule_name | where count > 5 | table _time, user, rule_name, count

Large Number of Login Failures from Single IP

index=authentication_logs | stats count by src_ip | where count > 20 | table _time, src_ip, count

Suspicious File Access Patterns

index=file_access_logs | stats count by user, file_path | where count > 10 | table _time, user, file_path, count

Abnormal Process Behavior

index=process_logs | stats count by process_name | where count > 100 | table _time, process_name, count

Outliers in Network Bandwidth Usage

index=network_logs | timechart span=1h sum(bytes) as total_bytes by src_ip | eventstats avg(total_bytes) as avg stdev(total_bytes) as stdev by src_ip | eval isOutlier=if(total_bytes > (avg + (3*stdev)), 1, 0) | search isOutlier=1 | table _time, src_ip, total_bytes
PreviousBasic QueriesNextForensics

Last updated