
About Splunk BOSS of the SOC ver3 (Short notice)

Posted at 2020-03-28

https://github.com/splunk/botsv3
It has been released.
For all SPL below, please run the search with the time range set to "All time".

Let's work through this one too.

sourcetype

index=botsv3
sourcetype,count
"access_combined",3907
alternatives,4
"amazon-ssm-agent",905
"amazon-ssm-agent-too_small",1408
"apache_error",63
"aws:cloudtrail",6571
"aws:cloudwatch",4936
"aws:cloudwatch:guardduty",1
"aws:cloudwatchlogs",115145
"aws:cloudwatchlogs:vpcflow",97448
"aws:config:rule",255
"aws:description",522
"aws:elb:accesslogs",2051
"aws:rds:audit",35192
"aws:rds:error",5
"aws:s3:accesslogs",1274
bandwidth,297
"bash_history",100
bootstrap,10
"cisco:asa",80192
"cloud-init",1344
"cloud-init-output",23
"code42:api",88
"code42:computer",51
"code42:org",17
"code42:security",30
"code42:user",192
"config_file",9
cpu,596
"cron-too_small",44
df,209
dmesg,1164
dpkg,23
"error-too_small",1
errors,437
"errors-too_small",635
"ess_content_importer",2
hardware,3
"history-2",2
interfaces,1038
iostat,297
lastlog,209
"linux_audit",112
"linux_secure",350
"localhost-5",30
lsof,103
"maillog-too_small",6
"ms:aad:audit",31
"ms:aad:signin",220
"ms:o365:management",1073
"ms:o365:reporting:messagetrace",711
netstat,1037
"o365:management:activity",977
openports,4246
"osquery:info",83961
"osquery:results",219997
"osquery:warning",110
"out-3",17
package,19
"perfmonmk:process",864
protocol,1038
ps,2073
"script:getendpointinfo",3
"script:installedapps",9
"script:listeningports",867
"stream:arp",14432
"stream:dhcp",382
"stream:dns",218456
"stream:http",24191
"stream:icmp",2506
"stream:igmp",852
"stream:ip",227872
"stream:mysql",42541
"stream:smb",153
"stream:smtp",879
"stream:tcp",84031
"stream:udp",157960
"symantec:ep:agent:file",504
"symantec:ep:agt_system:file",94
"symantec:ep:behavior:file",2192
"symantec:ep:packet:file",11550
"symantec:ep:risk:file",1
"symantec:ep:scm_system:file",46
"symantec:ep:security:file",46
"symantec:ep:traffic:file",5811
syslog,283976
time,3
top,1038
"unix:listeningports",490
"unix:service",1137
"unix:sshdconfig",19
"unix:update",12
"unix:uptime",3
"unix:useraccounts",571
"unix:version",3
userswithloginprivs,19
vmstat,296
who,417
"wineventlog:application",719
"wineventlog:microsoft-windows-applocker/exe and dll",187
"wineventlog:microsoft-windows-applocker/packaged app-execution",152
"wineventlog:microsoft-windows-powershell/operational",92
"wineventlog:security",46469
"wineventlog:system",482
winhostmon,129679
"xmlwineventlog:microsoft-windows-sysmon/operational",9212
"yum-too_small",63

There is a lot of AWS data. There are also Linux command outputs and logs from Symantec's antivirus product, so this may be quite different from botsv2.

hosts

| firstTime | host | lastTime | recentTime | totalCount | type |
|:--|:--|:--|:--|--:|:--|
| 2018-08-20 13:00:03 | MKRAEUS-L | 2018-08-21 00:17:28 | 2018-08-30 05:53:01 | 59425 | hosts |
| 2018-08-20 13:22:31 | BSTOLL-L | 2018-08-21 00:17:59 | 2018-08-29 23:41:57 | 101918 | hosts |
| 2018-08-20 18:00:00 | splunk.froth.ly | 2018-08-21 00:17:53 | 2018-08-21 00:27:56 | 17549 | hosts |
| 2018-08-20 18:00:13 | serverless | 2018-08-21 00:26:46 | 2018-08-21 00:27:51 | 247791 | hosts |
| 2018-08-20 18:01:10 | matar | 2018-08-21 00:19:35 | 2018-08-21 00:20:58 | 84337 | hosts |
| 2018-08-20 18:02:14 | gacrux.i-06fea586f3d3c8ce8 | 2018-08-21 00:27:09 | 2018-08-21 00:27:22 | 43523 | hosts |
| 2018-08-20 18:02:34 | SEPM | 2018-08-21 00:17:25 | 2018-08-21 00:23:07 | 20383 | hosts |
| 2018-08-20 18:02:45 | mars.i-08e52f8b5a034012d | 2018-08-21 00:18:00 | 2018-08-21 00:18:20 | 158512 | hosts |
| 2018-08-20 18:03:38 | BTUN-L | 2018-08-21 00:17:56 | 2018-08-21 00:24:27 | 76371 | hosts |
| 2018-08-20 18:03:43 | FYODOR-L | 2018-08-21 00:18:00 | 2018-08-21 00:18:00 | 65138 | hosts |
| 2018-08-20 18:03:46 | JWORTOS-L | 2018-08-21 00:18:00 | 2018-08-21 00:18:17 | 55550 | hosts |
| 2018-08-20 18:03:51 | gacrux.i-09cbc261e84259b54 | 2018-08-21 00:17:08 | 2018-08-21 00:17:09 | 42000 | hosts |
| 2018-08-20 18:03:51 | ip-172-16-0-109.ec2.internal | 2018-08-21 00:18:00 | 2018-08-21 00:18:21 | 83673 | hosts |
| 2018-08-20 18:03:52 | BGIST-L | 2018-08-21 00:18:00 | 2018-08-21 00:18:02 | 18314 | hosts |
| 2018-08-20 18:04:08 | hoth | 2018-08-21 00:17:58 | 2018-08-21 00:18:32 | 382718 | hosts |
| 2018-08-20 18:04:13 | FROTHLY-FW1 | 2018-08-21 00:18:00 | 2018-08-21 00:18:00 | 80192 | hosts |
| 2018-08-20 18:04:14 | splunkhwf.froth.ly | 2018-08-21 00:17:59 | 2018-08-21 00:17:59 | 78478 | hosts |
| 2018-08-20 18:04:19 | console.us.code42.com:443 | 2018-08-21 00:16:48 | 2018-08-21 00:22:47 | 378 | hosts |
| 2018-08-20 18:04:28 | ip-172-16-0-127 | 2018-08-20 23:47:53 | 2018-08-20 23:47:53 | 413 | hosts |
| 2018-08-20 18:05:27 | ip-172-31-12-76 | 2018-08-21 00:17:28 | 2018-08-21 00:17:29 | 222 | hosts |
| 2018-08-20 18:05:59 | ip-172-16-0-13 | 2018-08-20 23:47:52 | 2018-08-20 23:47:53 | 418 | hosts |
| 2018-08-20 18:09:32 | ABUNGST-L | 2018-08-20 23:42:30 | 2018-08-20 23:42:31 | 52335 | hosts |
| 2018-08-20 18:11:11 | PCERF-L | 2018-08-21 00:18:00 | 2018-08-21 00:22:32 | 65184 | hosts |
| 2018-08-20 18:45:00 | gacrux.i-0920036c8ca91e501 | 2018-08-21 00:18:00 | 2018-08-21 00:18:18 | 175345 | hosts |
| 2018-08-20 18:45:44 | ip-172-16-0-178 | 2018-08-21 00:16:12 | 2018-08-21 00:16:13 | 173 | hosts |
| 2018-08-20 18:50:10 | ip-172-31-36-235 | 2018-08-20 23:47:15 | 2018-08-21 00:14:34 | 1073 | hosts |
| 2018-08-20 19:33:04 | ntesla | 2018-08-20 19:33:05 | 2018-08-20 19:33:56 | 2 | hosts |
| 2018-08-20 22:33:16 | gacrux.i-0cc93bade2b3cba63 | 2018-08-20 23:19:51 | 2018-08-20 23:19:51 | 32261 | hosts |
| 2018-08-20 22:33:18 | ip-172-16-0-145 | 2018-08-20 23:19:49 | 2018-08-20 23:19:49 | 415 | hosts |
| 2019-09-20 03:10:50 | OD-FM-NA-i-0ad2d665d4bdace22.amazonaws.com | 2019-09-20 03:10:50 | 2019-09-20 03:10:50 | 1 | hosts |
metadata_hosts.spl
| metadata type=hosts index=botsv3
| sort 0 firstTime
| foreach *Time [ eval <<FIELD>> = strftime('<<FIELD>>',"%F %T")]

30 hosts. Glancing through, most activity is concentrated in 2018-08-20 to 2018-08-21; some hosts have logs through the end of August, and there is a single lone log from 2019-09-20.
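The metadata command answers the "when" question quickly, but its lastTime and recentTime values come from the index metadata rather than from the events themselves, so before relying on the time window it is worth confirming it against event timestamps. The following SPL is an added example (not from the original post or from the BOTSv3 project) that computes the real first/last event time per host via tstats, derives the covered span in days, and flags hosts whose events fall outside the 2018-08-20 to 2018-08-31 window that the table above suggests is the main range. The cutoff dates are assumptions taken from that table, not values shipped with the dataset.

```spl
| tstats min(_time) as firstTime max(_time) as lastTime count as events where index=botsv3 by host
| eval span_days = round((lastTime - firstTime) / 86400, 2)
| eval outside_window = if(firstTime < strptime("2018-08-20", "%F") OR lastTime > strptime("2018-09-01", "%F"), "yes", "no")
| foreach *Time [ eval <<FIELD>> = strftime('<<FIELD>>', "%F %T") ]
| sort - outside_window, firstTime
| table host firstTime lastTime span_days events outside_window
```

Run it with the time range set to "All time", as the post says; with a narrower picker tstats silently drops the out-of-window events and the outside_window column will never show "yes". Hosts that come back flagged (the single 2019-09-20 event from the amazonaws.com host above is the obvious candidate) are worth checking early, because a stray timestamp usually means either a misparsed time field or an event that does not belong to the scenario, and either will distort any timechart built later.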

List of sourcetypes per host
| tstats count where index=botsv3 by sourcetype host
| xyseries host sourcetype count
| rename host as _host
| foreach * [ eval sourcetypes = mvappend(sourcetypes,"<<FIELD>>")]
| rename _host as host
| table host sourcetypes
| transpose 0 header_field=host

I couldn't reasonably paste the table, so just the query.
The AWS logs are tied to each individual host.
AWS, huh... I'll have to study up on it.
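The xyseries/foreach/transpose combination above works, but the same per-host inventory can be produced without the rename dance by letting stats aggregate the tstats output. The SPL below is an added example (my own, not from the original post or from the BOTSv3 project) that lists every sourcetype seen on each host, counts how many distinct sourcetypes the host has, and pulls the AWS-prefixed ones into their own column so the "AWS logs are tied to hosts" observation can be verified directly. The field names sourcetype_count, sourcetypes, and aws_sourcetypes are names I chose for this example.

```spl
| tstats count where index=botsv3 by host sourcetype
| stats dc(sourcetype) as sourcetype_count values(sourcetype) as sourcetypes sum(count) as events by host
| eval aws_sourcetypes = mvfilter(match(sourcetypes, "^aws:"))
| eval aws_sourcetype_count = if(isnull(aws_sourcetypes), 0, mvcount(aws_sourcetypes))
| sort - aws_sourcetype_count, - sourcetype_count
| table host sourcetype_count aws_sourcetype_count aws_sourcetypes events sourcetypes
```

Because values() returns a multivalue field, the result stays one row per host and fits on screen far better than the transposed matrix; mvfilter with match() keeps only the AWS entries of that list. A host with a high aws_sourcetype_count but few other sourcetypes is usually the one where the CloudTrail/CloudWatch inputs were configured, which is the first thing to know before attributing any AWS event to a "host" in this dataset.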

That's all for now.
