# Scan Summary
# One row per scan (ScanMetadata event) for the selected target-list / scan tokens,
# newest first. "Scan" is a label built from targetlist plus the first 16 characters
# of scancompletedon (looks like a timestamp cut to the minute - confirm).
# Note: sort with no count argument returns at most 10,000 rows (Splunk default);
# acceptable here because there is one event per scan.
index="infocyte" sourcetype="infocytescan" type=ScanMetadata $dash_targetlist_tok$ $dash_scan_tok$
| eval "Scan Time"=strftime(_time, "%Y/%m/%d %H:%M %z")
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| rename targetlist as "Target List", hostcount as Hosts, failedhosts as Failures, totalobjectcount as "Total Objects", compromisedobjects as "Compromised Objects"
| sort - _time
| table Scan, "Target List", "Scan Time", Hosts, Failures, "Total Objects", "Compromised Objects"
# Global Calendar
# Daily heat-map input across every target list (not filtered by the dashboard
# tokens, as the "Global" title suggests). Per scan: 2 when compromisedhosts > 0,
# 0 when hosts were scanned and none compromised, null otherwise - so max() per day
# is 2 on any day with a compromised scan and 0 on days with only clean scans.
index="infocyte" sourcetype="infocytescan" type=ScanMetadata
| eval severity=if(compromisedhosts > 0, 2, if(hostcount > 0, 0, null()))
| timechart span=1d max(severity) as Scans
# Operating System Statistics
# Host-level roll-up for the selected scan: distinct hosts per OS version plus the
# set of service packs and architectures seen. dc(id) assumes id is unique per
# host - confirm against the Host event schema.
index="infocyte" sourcetype="infocytescan" type=Host $dash_scan_tok$
| stats values(servicepack) as "Service Packs", values(architecture) as Architectures, dc(id) as Hosts by osversion
| rename osversion as "Operating System"
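# Threat Status Distribution
# One row per scan, newest first, showing the per-status object counts carried on
# the ScanMetadata event (good / lowrisk / unknown / suspicious / bad). Only the
# fields that reach the final table are computed; the "Scan Time" eval and the
# object-count renames used by the Scan Summary panel are not needed here.
# sort with no count caps output at Splunk's default 10,000 rows (one event per scan).
index="infocyte" sourcetype="infocytescan" type=ScanMetadata $dash_targetlist_tok$ $dash_scan_tok$
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| rename hostcount as Hosts, good as Good, lowrisk as "Low Risk", unknown as Unknown, suspicious as Suspicious, bad as Bad
| sort - _time
| table Scan, Hosts, Good, "Low Risk", Unknown, Suspicious, Bad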
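# Target List Summary
# One row per target list: scan count, average host/object counts, a host-count
# sparkline, and the most recent scan's time, failure count and compromised-object
# count. latest() and sparkline() are driven by _time, so no sort is needed ahead of
# stats; a sort with no count would also cap the input at Splunk's default 10,000
# rows. The unused nt/Scan fields are not computed. Column labels ("Ave ...") are
# kept verbatim because the dashboard may reference them.
index="infocyte" sourcetype="infocytescan" type=ScanMetadata $dash_targetlist_tok$ $dash_scan_tok$
| eval "Scan Time"=strftime(_time, "%Y/%m/%d %H:%M %z")
| rename targetlist as "Target List"
| stats sparkline(avg(hostcount)) as "Sparkline(hosts)", dc(scanid) as Scans, avg(hostcount) as "Ave Hosts", avg(totalobjectcount) as "Ave Objects", latest("Scan Time") as "Last Scan", latest(failedhosts) as "Failures (last scan)", latest(compromisedobjects) as "Compromised Objects (last scan)" by "Target List"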
# Scan Calendar
# Same daily heat-map scoring as Global Calendar, but one series per target list
# (not filtered by the dashboard tokens). 2 = a scan that day reported compromised
# hosts, 0 = hosts scanned and clean, null = no hosts / counts missing.
index="infocyte" sourcetype="infocytescan" type=ScanMetadata
| eval severity=if(compromisedhosts > 0, 2, if(hostcount > 0, 0, null()))
| timechart span=1d max(severity) as Scans by targetlist
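# Memory
# Memory objects from the selected scan rated Bad/Suspicious or manually flagged
# "Verified Bad", excluding anything flagged "Verified Good". The isnull() guard
# keeps objects that carry no flagname at all: in `where`, a bare flagname!="..."
# evaluates to null (false) for a missing field and would silently drop them.
# $analytics_search_tok$ is spliced into the search string verbatim; a value holding
# a double quote or pipe changes the query rather than filtering it - if the token is
# a free-text input, escape it (Splunk's |s token filter).
# Ordering: newest scan label first (string order), then highest threatscore.
# Display-only: processpath is truncated to 40 chars (the original formatted a
# "path" field that the table does not carry) and size is shown /1000, while the
# other panels use /1024 - confirm which unit the source reports.
index="infocyte" sourcetype="infocytescan" type=MemoryObject $dash_scan_tok$
| where (threatname="Bad" OR threatname="Suspicious" OR flagname="Verified Bad") AND (isnull(flagname) OR flagname!="Verified Good")
| search "*$analytics_search_tok$*"
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| sort - Scan, - threatscore
| table Scan, hostname, ip, pid, processname, processpath, size, address, protection, avpositives, synapse, threatscore, threatname
| fieldformat processpath=replace(processpath,"^(.{40}).*","\1...")
| fieldformat size=size/1000
| rename avpositives as av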
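# Processes
# Process, module and driver objects from the selected scan rated Bad/Suspicious or
# flagged "Verified Bad", excluding "Verified Good". The isnull() guard keeps objects
# with no flagname: in `where`, flagname!="..." on a missing field is null (false)
# and would drop the row.
# $analytics_search_tok$ is spliced into the search string verbatim; a value holding
# a double quote or pipe changes the query rather than filtering it - if the token is
# a free-text input, escape it (Splunk's |s token filter).
# Ordering: newest scan label first (string order), then highest threatscore.
# Display-only: path truncated to 40 chars, sha1 shown as its last 10 chars,
# size shown /1024.
index="infocyte" sourcetype="infocytescan" (type="Process" OR type="Module" OR type="Driver") $dash_scan_tok$
| where (threatname="Bad" OR threatname="Suspicious" OR flagname="Verified Bad") AND (isnull(flagname) OR flagname!="Verified Good")
| search "*$analytics_search_tok$*"
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| sort - Scan, - threatscore
| table Scan, hostname, ip, type, name, path, sha1, size, account, accountpriv, occurrences, avpositives, synapse, threatscore, threatname
| fieldformat path=replace(path,"^(.{40}).*","\1...")
| fieldformat sha1=replace(sha1,".*(.{10})$","...\1")
| fieldformat size=size/1024
| rename avpositives as av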
# Legitimate Tools Audit
# Process events from the selected scan that match any toolname in the legittools
# lookup. Renaming the lookup column to "search" makes the subsearch return its
# values as bare search terms, inserted verbatim - they match anywhere in the event
# rather than a specific field, so the lookup should hold plain tool names only.
# $analytics_search_tok$ is likewise spliced in verbatim (escape free-text input).
# Ordering: newest scan label first (string order), then highest threatscore.
index="infocyte" sourcetype="infocytescan" type="Process" $dash_scan_tok$ [ | inputlookup legittools | fields toolname | rename toolname as search ]
| search "*$analytics_search_tok$*"
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| sort - Scan, - threatscore
| table Scan, hostname, ip, name, commandline, account, accountpriv
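# Autostarts
# Autostart entries from the selected scan rated Bad/Suspicious or flagged
# "Verified Bad", excluding "Verified Good". The isnull() guard keeps entries with
# no flagname: in `where`, flagname!="..." on a missing field is null (false) and
# would drop the row.
# $analytics_search_tok$ is spliced into the search string verbatim; a value holding
# a double quote or pipe changes the query rather than filtering it - if the token is
# a free-text input, escape it (Splunk's |s token filter).
# Ordering: newest scan label first (string order), then highest threatscore.
# Display-only: regpath shown as its last 30 chars, sha1 as its last 16, size /1024.
index="infocyte" sourcetype="infocytescan" type=Autostart $dash_scan_tok$
| where (threatname="Bad" OR threatname="Suspicious" OR flagname="Verified Bad") AND (isnull(flagname) OR flagname!="Verified Good")
| search "*$analytics_search_tok$*"
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| sort - Scan, - threatscore
| table Scan, hostname, ip, autostarttype, name, sha1, size, regpath, regvalue, occurrences, avpositives, synapse, threatscore, threatname
| fieldformat regpath=replace(regpath,".*(.{30})$","...\1")
| fieldformat sha1=replace(sha1,".*(.{16})$","...\1")
| fieldformat size=size/1024
| rename avpositives as av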
# Connections
# Network connections from the selected scan with a non-zero threatscore, skipping
# rows whose local and remote address are equal (presumably self-connections).
# Note: `where` drops rows where threatscore, localaddr or remoteaddr is missing,
# because a comparison against a null field is not true.
# $analytics_search_tok$ is spliced in verbatim (escape free-text input).
# Ordering: newest scan label first (string order), then highest threatscore.
index="infocyte" sourcetype="infocytescan" type=Connection $dash_scan_tok$
| where threatscore > 0 AND localaddr != remoteaddr
| search "*$analytics_search_tok$*"
| eval nt=replace(scancompletedon,"^(.{16}).*","\1")
| eval Scan=targetlist."-".nt
| sort - Scan, - threatscore
| table Scan, hostname, processname, localaddr, localport, remoteaddr, remoteport, protocol, threatscore