Splunk (SPL) Queries📔


Some frequently used Splunk queries.

SHELLing out tips which have saved me time

Return notable events containing the keyword "CrowdStrike" that carry a file hash, deduplicated so each hash appears once:

"details.notable_type"=notable | search "CrowdStrike" "details.file_hash"="*" | dedup details.file_hash | table details.event_id, details.url, details.file_hash
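Added example (not from the original page): `dedup` keeps only the first event per hash and discards the rest, so the table above cannot tell you how often a hash was seen or over what period. The variant below keeps the same filter but aggregates with `stats` instead, so every notable for a hash is counted and its event ids are retained. Field names are the ones used in the query above; the `_time` formatting is an assumption about how you want the timestamps displayed.

```spl
"details.notable_type"=notable "CrowdStrike" "details.file_hash"="*"
| stats count AS notables,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        dc(details.url) AS distinct_urls,
        values(details.event_id) AS event_ids
  BY details.file_hash
| convert ctime(first_seen) ctime(last_seen)
| sort - notables
```

Sorting by `notables` puts the hashes that fired most often at the top, and `first_seen`/`last_seen` show whether a hash is a one-off or something that keeps recurring, which is usually the first thing a triager wants to know before pivoting on a single `details.event_id`.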

Return Duo Office 365 failed authentication events from a particular country (here RU):

index=security sourcetype=duo integration="Office 365" | where factor != "n/a" | where result="FAILURE" | search "location.country"=RU
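Added example (not from the original page): the query above lists individual failures for one country; the version below generalizes it to flag sources generating many Office 365 failures in a short window, from any country. The `result`/`factor` filters are moved into the base search so Splunk applies them at index time rather than in a later `where` step, which is cheaper on large indexes. The `user` and `src_ip` field names are assumptions about the Duo sourcetype, and the threshold of 10 failures per hour is a constructed starting value to tune for your environment.

```spl
index=security sourcetype=duo integration="Office 365" factor!="n/a" result="FAILURE"
| eval country=coalesce('location.country', "unknown")
| bucket _time span=1h
| stats count AS failures,
        dc(user) AS distinct_users,
        values(country) AS countries
  BY _time, src_ip
| where failures >= 10
| sort - failures
```

A high `failures` count with a high `distinct_users` count from one `src_ip` looks like password spraying; the same count against a single user looks like a brute-force attempt on that account. Because `location.country` contains a dot it has to be wrapped in single quotes inside `eval`, whereas the plain `search` form used above does not need that.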
