Splunk / CS Next-Gen SIEM Queries 📔

∙ 3 mins read ∙ Tags: Linux, Windows, Splunk
Splunk / CS Next-Gen SIEM Queries 📔

Some frequently used Splunk queries.

SHELLing out tips which have saved me time

Return notable events with “CrowdStrike” keyword that contain a file hash, and deduplicate events by the file hash:

"details.notable_type"=notable | search "CrowdStrike" "details.file_hash"="*" | dedup details.file_hash | table details.event_id, details.url, details.file_hash

Return DUO Office 365 failed authentication events from a particular country

index=security sourcetype=duo integration="Office 365" | where factor != "n/a" | where result="FAILURE"  | search "location.country"=RU

Return AnyConnect DAP attributes

sourcetype = cisco:asa vendor_definition="Dynamic Access Policies" Session Attribute {userID}

Proofpoint: Obtain Phishing Email Contents

sourcetype="proofpoint:TAP" index=security "threatsInfoMap{}.threat"="https://docs.google.com/document/d" "threatsInfoMap{}.classification"=phish "fromAddress{}"="x@med.cornell.edu" | table _time, threatsInfoMap{}.threat, fromAddress{}, recipient{}

Return Hostscan Attributes (e.g. OS/hardware details, connecting IP address, hostname, user IDs) from Cisco ASA VPN Logs based on VPN IP Address(es)

source=/opt/syslog-ng/logs/vpn/vpn-frp4112-xxxx-act/vpn.log sourcetype=cisco:asa (vendor_definition="Dynamic Access Policies") AND (endpoint_anyconnect_publicmacaddress=* OR endpoint_device_hostname=* OR aaa_cisco_tunnelgroup=* OR endpoint_os_servicepack=* OR endpoint_anyconnect_devicetype=*) AND [search source = /opt/syslog-ng/logs/vpn/vpn-frp4112-xxxx-act/vpn.log sourcetype=cisco:asa vendor_definition="SSL VPN Client" "assigned to session" "vpnIPAddressHere" | return user] | eval "Connect Time" = (strftime(_time, "%Y-%m-%d %H:%M:%S")) | stats values("Connect Time") AS "Connect Time", values(endpoint_device_hostname) AS hostname, values(endpoint_anyconnect_publicmacaddress) AS publicmac, values(aaa_cisco_tunnelgroup) AS vpngroup,values(endpoint_anyconnect_devicetype) AS model, values(endpoint_os_servicepack) AS os_version, values(src_ip) AS public_ip by user

Git ‘Clone’ Vulnerability (CVE-2024-32002) Detection

//If shell commands are spawned from git
CommandLine = "zsh*" OR CommandLine = "sh *" OR CommandLine = "*.sh" OR CommandLine = "powershell*"
| ParentBaseFileName = "*git*"
//then check if the respective usernames are seen performing a git clone operation or enabling symbolic links
| join({#event_simpleName=ProcessRollup2 (CommandLine = "*config --global core.symlinks true" OR CommandLine = "*clone --recursive")}, key=UserName, field=UserName, include=[@timestamp, CommandLine, UserName])
//@timestamp, CommandLine, UserName fields are returned from results

Cyberhaven Incident / Malicious Chrome browser extension campaign Detection

BrowserExtensionId=* 
| in(BrowserExtensionId, values=[
bibjgkidgpfbblifamdlkdlhgihmfohh,
pkgciiiancapdlpcbppfkmeaieppikkk,
epdjhgbipjpbbhoccdeipghoihibnfja,
bbdnohkpnbkdkmnkddobeafboooinpla,
befflofjcniongenjmbkgkoljhgliihe,
cedgndijpacnfbdggppddacngjfdkaca,
nnpnnpemnckcfdebeekibpiijlicmpom,
dpggmcodlahmljkhlmpgpdcffdaoccni,
cplhlgabfijoiabgkigdafklbhhdkahj,
egmennebgadmncfjafcemlecimkepcle,
acmfnomgphggonodopogfbmkneepfgnh,
mnhffkhmpnefgklngfmlndmkimimbphc,
oaikpkmjciadfpddlpjjdapglcihgdle,
fbmlcbhdmilaggedifpihjgkkmdgeljh,
kkodiihpgodmdankclfibbiphjkfdenh,
oeiomhmbaapihbilkfkhmlajkeegnjhe,
jiofmdifioeejeilfkpegipdjiopiekl,
hihblcmlaaademjlakdpicchbjnnnkbo,
ndlbedplllcgconngcnfmkadhokfaaln,
igbodamhgjohafcenbcljfegbipdfjpk,
bgejafhieobnfpjlpcjjggoboebonfcg,
llimhhconnjiflfimocjggfjdlmlhblm,
hodiladlefdpcbemnbbcpclbmknkiaem,
epikoohpebngmakjinphfiagogjcnddm,
pajkjnmeojmbapicmbpliphjmcekeaac,
ogbhbgkiojdollpjbhbamafmedkeockb,
eanofdhdfbcalhflpbdipkjjkoimeeod,
ekpkdmohpdnebfedjjfklhpefgpgaaji,
miglaibdlgminlepgeifekifakochlka,
mbindhfolmpijhodmgkloeeppmkhpmhc,
eaijffijbobmnonfhilihbejadplhddo,
lbneaaedflankmgmfbmaplggbmjjmbae,
hmiaoahjllhfgebflooeeefeiafpkfde,
pdkmmfdfggfpibdjbbghggcllhhainjo,
emedckhdnioeieppmeojgegjfkhdlaeo,
didhgeamncokiaegffipckhhcpnmlcbl
])
//a new finding of #event_simpleName="InstalledBrowserExtension" is defined as a new BrowserExtensionPath on the same ComputerName or a new BrowserExtensionPath on a different ComputerName
| isNewFinding := if((!in(BrowserExtensionPath, values=[
"*C:\\Users\\xyz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\hodiladlefdpcbemnbbcpclbmknkiaem\\3.3.0_0*",
])), then=if((!in(ComputerName, values=[
"PCXXXXXX",
])),then="newPathnewComputer", else="newPathSameComputer") ,else="samePath")
| in(isNewFinding, values=["newPathnewComputer","newPathSameComputer"])

Source

Comments 💬