Martian Defense NoteBook
Dashboards

Splunk Dashboards

IPS High Risk Alert Not Blocked. Below is an example using Palo Alto Networks (PAN) IPS

index=pan sourcetype="pan:threat" ",threat," (critical OR high) (severity=critical OR severity=high) action!="blocked" action!="dropped" | bucket span=1h _time | stats values(signature) as signature mode(dest) as dest values(dest_port) as dest_port values(file_name) as file_name values(file_hash) as file_hash count by _time, src, severity, action | eval signature=mvjoin(signature," , ") | eval dest_port=mvjoin(dest_port," , ") | eval file_name=mvjoin(file_name," , ") | eval file_hash=mvjoin(file_hash," , ")

DOS- Firewall Large number of DENIED Connections by Firewall

| tstats summariesonly=1 allow_old_summaries=1 count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="blocked" sourcetype=* AND host=* by All_Traffic.dvc host _time span=1h | rename All_Traffic.dvc AS dvc | eval dvc=if(dvc="unknown",host,dvc) | timechart span=1h sum(count) by dvc

Detect Many Unauthorized Access Attempts

| `Load_Sample_Log_Data(Windows Logons with Failure Codes)` | search Failure_Reason=* Status=0xC000015B

Data Exfiltration - Suspicious Destinations

| tstats summariesonly=1 allow_old_summaries=1 sum(All_Traffic.bytes) as bytes dc(All_Traffic.src) as "Unique Sources" from datamodel=Network_Traffic.All_Traffic where host=* by _time span=1h All_Traffic.dest
| rename All_Traffic.* as *
| eval MBytes=round(bytes/1024/1024,2)
| eventstats dc(_time) as Frequency by dest
| eval Risk=round(MBytes/(pow(Frequency,Frequency))/'Unique Sources')
| sort - Risk
| head 250
| iplocation dest
| fillnull value="" Country
| table _time, Risk, dest, "Unique Sources", MBytes, Country

Detects when the number of successful Windows logon events are more than the daily average for a user account

index=windows EventCode=4624 | eval user=lower(Account_Name) | bucket span=1d _time | stats count by _time, user | eventstats avg(count) as daily_avg by user | where count > daily_avg

Unusual Traffic by Volume

index=firewall sourcetype=access_combined | bucket span=1h _time | stats sum(bytes_out) as sum_bytes by _time, src_ip | streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev by src_ip | eval isOutlier=if(sum_bytes > (avg + (4*stdev)), 1, 0) | search isOutlier=1

Suspiciously High Process Creation

index=os_logs sourcetype=WinEventLog:Security EventCode=4688 | bucket span=1h _time | stats count as process_start by _time, host | eventstats avg(process_start) as avg by host | where process_start > avg*2

Network Traffic from Rare Countries

index=firewall | iplocation src_ip | stats count by Country | eventstats sum(count) as total | eval percentage=(count/total)*100 | where percentage < 1

Failed Login Attempts from a Single Source

index=authentication sourcetype="linux_secure" "Failed password" | stats count by src_ip | eventstats avg(count) as avg stdev(count) as stdev | where count > avg + 4*stdev

Frequency of Rare Windows Events

index=wineventlog | stats count by EventCode | eventstats sum(count) as total | eval percentage=(count/total)*100 | where percentage < 1 | sort - percentage

Detection of SQL Injection

index=web sourcetype=access_combined status=200 uri="*.php*" | eval uri_decoded=urldecode(uri) | regex uri_decoded="(?i)(union\s+select|select.+from|waitfor\s+delay|'\s*or\s*')" | table _time, clientip, uri

The URI is decoded before matching: payloads arrive percent-encoded (%20, +), so a regex that expects literal spaces misses them. `select.+from` is broad and will also match legitimate parameters that happen to contain both words; tune it per application.
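The same SQL-injection pattern applied in Python to constructed access_combined lines, as an added example that is not part of the original page. It shows why the decode step matters: the raw, still-encoded URI does not match, the decoded one does. Log lines, IP addresses and the `.php` filter are constructed to mirror the dashboard query; they are not from any real deployment.

```python
import re
from urllib.parse import unquote_plus

# Same signatures as the dashboard query, with \s+ so any whitespace run counts.
SQLI_PATTERN = re.compile(
    r"(union\s+select|select.+from|waitfor\s+delay|'\s*or\s*')", re.IGNORECASE
)

# Minimal access_combined parser: clientip, method, uri, status.
ACCESS_LINE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic): one benign request, two injection
# attempts that are percent-encoded, one attempt that was rejected (500), one static file.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [01/May/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
192.0.2.11 - - [01/May/2024:10:00:02 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 2048
192.0.2.12 - - [01/May/2024:10:00:03 +0000] "GET /login.php?user=admin%27+OR+%27a%27%3D%27a HTTP/1.1" 200 300
192.0.2.13 - - [01/May/2024:10:00:04 +0000] "GET /search.php?q=waitfor%20delay HTTP/1.1" 500 0
192.0.2.14 - - [01/May/2024:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""


def matches_without_decoding(uri):
    """What the page's original rex saw: the encoded URI. %20 is not whitespace,
    so 'UNION%20SELECT' does not match 'union\\s+select'."""
    return SQLI_PATTERN.search(uri) is not None


def is_sqli(uri):
    """Decode %XX and '+' first (Splunk: urldecode()), then match."""
    return SQLI_PATTERN.search(unquote_plus(uri)) is not None


def flag_requests(text, status="200"):
    """Return [(clientip, decoded_uri)] for successful .php requests whose
    decoded URI matches the injection pattern; mirrors the SPL filter chain."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m or m.group("status") != status:
            continue
        uri = m.group("uri")
        if ".php" in uri and is_sqli(uri):
            hits.append((m.group("clientip"), unquote_plus(uri)))
    return hits


if __name__ == "__main__":
    for ip, uri in flag_requests(SAMPLE_ACCESS_LOG):
        print(ip, uri)
```

The 500 response on the `waitfor delay` line is dropped by the status filter, exactly as the dashboard drops it; when hunting rather than dashboarding, drop the `status=200` condition so failed attempts are visible too.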

Top Accessed Internal Systems

index=firewall action=success | top limit=20 src_ip | table src_ip, count

Anomaly in Number of Connections to a Host

index=network sourcetype=cisco:asa dest_ip=* | bucket _time span=1h | stats count by _time, dest_ip | eventstats avg(count) as avg stdev(count) as stdev by dest_ip | eval isOutlier=if(count > (avg + (4*stdev)), 1, 0) | search isOutlier=1

Unique Domains Requested by Host

index=dns_logs | stats dc(query) as unique_domains by src_ip | eventstats avg(unique_domains) as avg stdev(unique_domains) as stdev | where unique_domains > avg + 4*stdev

Suspicious Executables Downloaded

index=proxy_logs action=download status=200 | rex field=file_path "\.(?<file_extension>\w+)$" | where file_extension IN ("exe", "dll", "bat", "ps1") | stats count by src_ip, file_path

Unusual Increase in Network Traffic

index=network_logs | bucket _time span=1h | stats sum(bytes) as sum_bytes by _time | streamstats avg(sum_bytes) as avg stdev(sum_bytes) as stdev | eval isOutlier=if(sum_bytes > (avg + (4*stdev)), 1, 0) | search isOutlier=1

Unexpected System Changes

index=syslog_changes sourcetype=syslog | stats values(change) as changes by host, user | search changes=* AND changes!=expected_value

Unknown Processes Running on Critical Servers

index=server_logs server=critical_server NOT [| inputlookup known_processes.csv | fields process_name] | stats values(process_name) as process_list by user

known_processes.csv is a placeholder allowlist lookup with a process_name column; the subsearch must run before stats, because process_name no longer exists once it is rolled into process_list.

Unusual Database Activities

index=db_logs (action=insert OR action=delete) | bucket span=1h _time | stats count by _time, action | eventstats avg(count) as avg by action | where count > avg*2

Failed Connections to Important Services

index=network_logs sourcetype=cisco:asa action=failure service=important_service | stats count by src_ip, dest_ip | sort - count

High Traffic on Non-Standard Ports

index=network_logs | where NOT (port IN (80, 443, 21, 22)) | stats sum(bytes) as total_bytes by port | sort - total_bytes

Connections to Blacklisted IPs

index=firewall_logs | lookup ip_blacklist.csv ip as dest_ip OUTPUT description as threat_type | where isnotnull(threat_type)

Multiple VPN Logins from Same User but Different Locations

index=vpn_logs | iplocation src_ip | stats dc(Country) as countries values(Country) as country_list by user | where countries > 1

File Access Patterns

index=filesystem_logs action=accessed | stats count by user, file_path | eventstats avg(count) as avg, stdev(count) as stdev by file_path | where count > avg + 4*stdev

Attempts to Access Unusual URLs

index=web_logs sourcetype=access_combined status=404 | top limit=10 uri | table uri, count

Outgoing Traffic To Blacklisted Domains

index=proxy_logs [| inputlookup domain_blacklist.csv | fields domain] | top limit=20 src_ip | table src_ip, count

The lookup column name (domain here) must match the field name in the proxy events, since the subsearch expands to domain="..." OR domain="..." terms.

Unique Connections by Non-Standard Ports

index=network_logs NOT (port IN (80, 443, 21, 22)) | stats dc(dest_ip) as unique_connections by src_ip, port | where unique_connections > 20

Spike in Error Logs

index=system_logs level=error | bucket span=1h _time | stats count as error_count by _time | eventstats avg(error_count) as avg stdev(error_count) as stdev | where error_count > avg + 4*stdev

Longest Running User Sessions

index=session_logs | transaction user startswith=eval(action="login") endswith=eval(action="logout") maxspan=24h | sort - duration | head 20 | table _time, user, duration

index=session_logs and the login/logout action values are placeholders; duration is the field transaction adds for the span between the first and last event.

Suspicious Database Transactions

index=db_logs action=transaction | stats sum(amount) as total_amount by user | eventstats avg(total_amount) as avg stdev(total_amount) as stdev | where total_amount > avg + 4*stdev

Unknown USB Device Connections

index=device_logs sourcetype=usb:* NOT [| inputlookup known_devices.csv | fields device_id] | table _time, device_id, host

Multiple Failed SSH Attempts

index=ssh_logs eventtype=ssh_failure | stats count by src_ip | where count > 5

Most Common Firewall Deny Events

index=firewall_logs action=deny | top limit=10 src_ip | table src_ip, count

Processes Consuming High CPU

index=system_logs sourcetype=top:CPU | where percent_cpu > 80 | table _time, process_name, percent_cpu

Rarely Accessed File Shares

index=sharepoint_logs | stats count by file_path | where count < 5 | table file_path, count

DNS Tunneling Detection

index=dns_logs | stats count by src_ip, query | where count > 100 | table src_ip, query, count

Repeated identical queries are a weak tunneling indicator; a tunnel client usually emits many long, never-repeated subdomains under one parent domain, so also baseline dc(query) and len(query) per source.

Malware Detection Based on User Agent Strings

index=proxy_logs [| inputlookup malware_user_agents.csv | fields user_agent] | table _time, src_ip, user_agent

File Changes on Critical Systems

index=filesystem_logs host=critical_system | stats count by file_path | where count > 10 | table file_path, count

Abnormal Account Lockouts

index=authentication_logs eventtype=account_lockout | stats count by user | eventstats avg(count) as avg stdev(count) as stdev | where count > avg + 4*stdev

Excessive Data Sent to External IPs

index=firewall_logs direction=outbound | stats sum(bytes) as total_bytes by dest_ip | where total_bytes > 1000000 | table dest_ip, total_bytes

Unusual Server Reboot

index=system_logs eventtype=system_reboot | stats count by host | eventstats avg(count) as avg stdev(count) as stdev | where count > avg + 4*stdev

Suspicious PowerShell Commands

index=powershell_logs [| inputlookup suspicious_powershell_commands.csv | fields command] | table _time, user, command

The subsearch expands to exact command="..." terms; to match substrings (for example -enc or IEX inside a longer command line), store the values with wildcards in the lookup.

Multiple File Changes by a User

index=file_change_logs | stats count by user, file_path | where count > 5 | table user, file_path, count

Inbound Connections from TOR Network

index=firewall_logs direction=inbound | lookup tor_exit_nodes.csv src_ip OUTPUT description as threat_type | where isnotnull(threat_type)

Unusual Print Activities

index=printer_logs | stats count by user, printer_name | eventstats avg(count) as avg stdev(count) as stdev | where count > avg + 4*stdev | table user, printer_name, count

User Account Anomalies

index=authentication_logs | stats count by user | eventstats avg(count) as avg stdev(count) as stdev | where count > avg + 3*stdev | table user, count

Unusual Command Execution

index=command_logs | stats count by user, command | where count > 10 | table user, command, count

Outbound Traffic to High-Risk Countries

index=network_logs direction=outbound | iplocation dest_ip | stats count by Country | where count > 100 | table Country, count

Large Number of Failed Database Queries

index=database_logs status=failed | stats count by user, query | where count > 50 | table user, query, count

Unusual System Service Behavior

index=system_logs sourcetype=service_logs | stats count by service_name | where count > 100 | table service_name, count

Uncommon Firewall Rule Modifications

index=firewall_logs eventtype=rule_change | stats count by user, rule_name | where count > 5 | table user, rule_name, count

Large Number of Login Failures from Single IP

index=authentication_logs action=failure | stats count by src_ip | where count > 20 | table src_ip, count

Suspicious File Access Patterns

index=file_access_logs | stats count by user, file_path | where count > 10 | table user, file_path, count

Abnormal Process Behavior

index=process_logs | stats count by process_name | where count > 100 | table process_name, count

Outliers in Network Bandwidth Usage

index=network_logs | bucket span=1h _time | stats sum(bytes) as total_bytes by _time, src_ip | eventstats avg(total_bytes) as avg stdev(total_bytes) as stdev by src_ip | eval isOutlier=if(total_bytes > (avg + (3*stdev)), 1, 0) | search isOutlier=1 | table _time, src_ip, total_bytes
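The avg + k*stdev baseline that the dashboards above apply with eventstats or streamstats (Unusual Traffic by Volume, Anomaly in Number of Connections to a Host, Unusual Increase in Network Traffic, Abnormal Account Lockouts, Outliers in Network Bandwidth Usage and the others of that shape), run in Python over constructed firewall events so the arithmetic can be checked by hand. This is an added example, not code from the original page. It shows a caveat those queries share: when the baseline includes the hour being tested (what eventstats, and streamstats with its default current=t, compute), a single spike inflates its own stdev, and on a short history a 4-sigma rule cannot fire at all; a trailing baseline that excludes the current bucket (streamstats current=f) catches it. Splunk's stdev() is the sample standard deviation, as is statistics.stdev. Log lines and field names are constructed.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed key=value firewall events (not real traffic): one source with a
# steady ~1-2 KB/hour that jumps to 95 KB in its fifth hour, one quiet source.
SAMPLE_EVENTS = """\
2024-05-01T00:12:00Z src_ip=10.0.0.5 bytes_out=1200
2024-05-01T00:40:00Z src_ip=10.0.0.5 bytes_out=800
2024-05-01T01:10:00Z src_ip=10.0.0.5 bytes_out=1500
2024-05-01T02:05:00Z src_ip=10.0.0.5 bytes_out=1300
2024-05-01T03:30:00Z src_ip=10.0.0.5 bytes_out=1100
2024-05-01T04:15:00Z src_ip=10.0.0.5 bytes_out=95000
2024-05-01T00:20:00Z src_ip=10.0.0.9 bytes_out=500
2024-05-01T01:20:00Z src_ip=10.0.0.9 bytes_out=700
"""


def parse_events(text):
    """Parse the constructed events into (hour_bucket, src_ip, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket = t.replace(minute=0, second=0, microsecond=0)  # bucket span=1h _time
        rows.append((bucket, fields["src_ip"], int(fields["bytes_out"])))
    return rows


def hourly_sums(text):
    """stats sum(bytes_out) as sum_bytes by _time, src_ip, returned as
    {src_ip: [(bucket, sum_bytes), ...]} in time order."""
    sums = defaultdict(int)
    for bucket, src, nbytes in parse_events(text):
        sums[(src, bucket)] += nbytes
    per_src = defaultdict(list)
    for (src, bucket), total in sorted(sums.items()):
        per_src[src].append((bucket, total))
    return dict(per_src)


def _exceeds(value, baseline, k, min_samples):
    """value > avg(baseline) + k*stdev(baseline); refuse to judge on too few samples."""
    if len(baseline) < min_samples:
        return False
    return value > statistics.mean(baseline) + k * statistics.stdev(baseline)


def in_sample_outliers(text, k=4.0, min_samples=3):
    """eventstats style: the baseline contains the bucket being tested."""
    flagged = {}
    for src, series in hourly_sums(text).items():
        values = [v for _, v in series]
        hits = [(b, v) for b, v in series if _exceeds(v, values, k, min_samples)]
        if hits:
            flagged[src] = hits
    return flagged


def trailing_outliers(text, k=4.0, min_samples=3):
    """streamstats current=f style: the baseline is only the earlier buckets."""
    flagged = {}
    for src, series in hourly_sums(text).items():
        hits = []
        for i, (b, v) in enumerate(series):
            if _exceeds(v, [x for _, x in series[:i]], k, min_samples):
                hits.append((b, v))
        if hits:
            flagged[src] = hits
    return flagged


def max_zscore(n):
    """Largest (x - mean)/stdev a single value can reach inside a sample of n
    that includes it: (n-1)/sqrt(n). It stays below 4 until n >= 18, so an
    in-sample 4-sigma rule is silent on histories shorter than that."""
    return (n - 1) / math.sqrt(n)


if __name__ == "__main__":
    print("in-sample:", in_sample_outliers(SAMPLE_EVENTS))
    print("trailing: ", trailing_outliers(SAMPLE_EVENTS))
```

For the constructed data the in-sample check returns nothing (the 95 KB hour lifts the mean to about 20 KB and the stdev to about 42 KB, so the 4-sigma line sits near 187 KB) while the trailing check flags it. In SPL the fix is `streamstats current=f window=24 avg(sum_bytes) as avg stdev(sum_bytes) as stdev by src_ip`, or computing the baseline over a separate, earlier time range.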