Hunting with Splunk

Basic Search

The most fundamental aspect of SPL is searching. By default, a search returns all events, but it can be narrowed down with keywords, boolean operators, comparison operators, and wildcard characters. For instance, a search for the keyword error would return all events containing that word. The leading search command is implicit at the start of a pipeline, so the two forms below are equivalent.

search index="main" "UNKNOWN"

Wildcards

index="main" "*UNKNOWN*"

Comparison operators (=, !=, <, >, <=, >=)

index="main" EventCode!=1

Specify fields (fields - removes the listed fields, fields + keeps only them)

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | fields - User

Use table command

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | table _time, host, Image

Rename a field

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | rename Image as Process

Dedup to remove duplicates

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | dedup Image

Sort (descending by _time)

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | sort - _time

Statistical operations with stats

index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | stats count by _time, Image

Create chart visualization

index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | chart count by _time, Image

The eval command creates or redefines fields. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval Process_Path=lower(Image)

This command creates a new field, Process_Path, which contains the lowercase version of the Image field. It doesn't change the actual Image field, but creates a new field that can be used in subsequent operations or for display purposes.

The rex command extracts new fields from existing ones using regular expressions (max_match=0 returns every match in the event rather than only the first). Example:

index="main" EventCode=4662 | rex max_match=0 "[^%](?<guid>{.*})" | table guid

Time range (earliest=-7d limits the search to the last seven days)

index="main" earliest=-7d EventCode!=1

Use transaction to group related events (here a process creation followed by a network connection from the same Image within one minute)

index="main" sourcetype="WinEventLog:Sysmon" (EventCode=1 OR EventCode=3) | transaction Image startswith=eval(EventCode=1) endswith=eval(EventCode=3) maxspan=1m | table Image | dedup Image

Subsearch (exclude the 100 most common images to surface rarely executed processes)

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 NOT [ search index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | top limit=100 Image | fields Image ] | table _time, Image, CommandLine, User, ComputerName
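Combining the stats, eval and subsearch ideas above into one hunting search, as an added example that is not part of the original notes: instead of a subsearch, it counts executions per lowercased image path and keeps paths seen at most three times on a single host in the last seven days. It assumes the same index and Sysmon sourcetype as the searches above and the standard Sysmon Event ID 1 fields (Image, CommandLine, User, ComputerName).

```spl
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 earliest=-7d
| eval Process_Path=lower(Image)
| stats count AS executions,
        dc(ComputerName) AS hosts,
        values(User) AS users,
        values(CommandLine) AS command_lines,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY Process_Path
| where executions <= 3 AND hosts = 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort executions
| table Process_Path, executions, hosts, users, first_seen, last_seen, command_lines
```

Tune the thresholds (3 executions, 1 host) to the size of the environment; in a large fleet many legitimate one-off admin tools will also surface and should be baselined out of the results.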

Identify Available Data

sourcetype="WinEventLog:Security" | table *
sourcetype="WinEventLog:Security" | fields Account_Name, EventCode | table Account_Name, EventCode

List field names with summary statistics (count, distinct values) instead of events

sourcetype="WinEventLog:Security" | fieldsummary