Splunk: SPL Cheat Sheet for SOC Analysts



Splunk Cheat Sheet

Query to identify failed login attempts:

#Query to identify failed login attempts:

```Failed authentications per account, busiest first. The user field must be extracted by your auth sourcetypes; auth* is a wildcard over whatever sourcetypes your deployment names that way.```
"authentication failure" sourcetype=auth*
| stats count BY user
| sort count desc

Query to identify privilege escalation attempts:

#Query to identify privilege escalation attempts:

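```su usage by non-root accounts. The original search term su* also matched sudo, success, subject etc.; anchor on the syslog program tag instead (if your syslog writes su[pid]:, match on the process field your sourcetype extracts). In where, a bare word such as root is read as a field name, not a string, so the comparison must be quoted or the search returns nothing.```
sourcetype=linux_secure "su:"
| where user!="root" AND user!=""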

Query to identify failed SSH attempts:

#Query to identify failed SSH attempts: 

```SSH password failures by source, busiest first. src_ip has to be extracted from the 'from <ip>' token by your sourcetype; 'invalid user' failures are included as well.```
"Failed password for" sourcetype=linux_secure
| stats count BY src_ip
| sort count desc

Query to identify successful SSH attempts:

#Query to identify successful SSH attempts: 

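```Successful SSH logins by source. sshd logs 'Accepted <method> for <user> from <ip>'; matching only publickey silently drops password and keyboard-interactive logins, which are exactly the ones a brute-force campaign produces.```
sourcetype=linux_secure ("Accepted publickey for" OR "Accepted password for" OR "Accepted keyboard-interactive/pam for")
| stats count by src_ip
| sort -count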

Query to identify unusual network traffic:

#Query to identify unusual network traffic:

```Total bytes per source/destination pair over the search window; 1000000 bytes is an arbitrary starting threshold, tune it to your baseline. bytes, src_ip and dest_ip are assumed CIM-style field names — confirm for your sourcetype.```
sourcetype=network_traffic
| stats sum(bytes) AS total_bytes BY src_ip dest_ip
| where total_bytes > 1000000

Query to identify suspicious processes:

#Query to identify suspicious processes: 

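```Processes named lsass.exe, svchost.exe or explorer.exe exist on every Windows host, so counting them by user detects nothing. What is suspicious is one of these names running from outside its normal location (masquerading): lsass and svchost live in System32/SysWOW64, explorer.exe directly under C:\Windows. process_name and process_path are CIM-style placeholders — adjust to your extraction.```
sourcetype=processes process_name IN ("lsass.exe","svchost.exe","explorer.exe")
| search NOT process_path="C:\\Windows\\System32\\*" NOT process_path="C:\\Windows\\SysWOW64\\*" NOT process_path="C:\\Windows\\explorer.exe"
| stats count by user, process_name, process_path
| sort -count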

Query to identify brute force attacks:

#Query to identify brute force attacks:

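```Repeated failures per client. Filtering action=failure before stats avoids aggregating every action only to discard most of them, and bucketing into 5-minute windows turns the threshold into a rate instead of a count over the whole search period. Tune span and the 5-failure floor to your traffic.```
sourcetype=access_* action=failure
| bin _time span=5m
| stats count by _time, clientip
| where count>=5
| sort -count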

#Another search query (template — replace the placeholders before use)

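```Template: replace the index/sourcetype placeholders and the action=failure filter with what your source uses. Without a failure filter the original counted every event per user, and 'where failed_attempts > threshold' compared against a nonexistent field named threshold (where treats bare words as fields), so it returned nothing — the threshold must be a number.```
index=your_security_logs_index sourcetype=your_security_logs_sourcetype action=failure
| stats count as failed_attempts by user
| where failed_attempts > 10
| table user, failed_attempts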

Query to identify privilege escalation attempts on Windows systems:

#Query to identify privilege escalation attempts on Windows systems:

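```EventCode 4672 is 'special privileges assigned to new logon' — a privileged logon, not an escalation by itself, and very noisy on servers. The event carries a single Account_Name (the Subject), so mvindex(Account_Name,1) was always null; the original also filtered on the literal string "Security ID" rather than a field, and the exclusion values are account names, not SIDs, so filter on the account name. Machine accounts (ending in $) are excluded as well.```
sourcetype="WinEventLog:Security" EventCode=4672
| eval user_account=mvindex(Account_Name,0)
| search NOT user_account IN ("SYSTEM","LOCAL SERVICE","NETWORK SERVICE","*$")
| stats count by user_account, ComputerName
| sort -count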

Query to identify potential DNS tunneling activity:

#Query to identify potential DNS tunneling activity: 

```Heuristic for base64-looking payloads in DNS answer data: longer than 32 characters and a length divisible by 4. Expect false positives from legitimate long TXT records (SPF, DKIM, domain-verification tokens). The rex assumes the answer field holds JSON-style "data":"..." pairs — confirm against your DNS sourcetype.```
sourcetype=dns
| rex field=answer "data\"\s*:\s*\"(?<data>[^\"]+)\""
| eval data_length=len(data)
| where (data_length % 4) = 0 AND data_length > 32

Query to identify suspicious PowerShell activity:

#Query to identify suspicious PowerShell activity: 

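```Script block contents are logged by EventCode 4104 (Script Block Logging) in the ScriptBlockText field. 4103 is module logging and its Message field is not multivalued, so mvindex(Message,3) was always null and the original never matched. The patterns below are common living-off-the-land indicators; legitimate admin tooling will hit them too, so review rather than alert blindly.```
sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| search ScriptBlockText="*Start-Process*" OR ScriptBlockText="*-EncodedCommand*" OR ScriptBlockText="*DownloadString*" OR ScriptBlockText="*Invoke-Expression*"
| table _time, host, ScriptBlockText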

Query to identify network port scans:

#Query to identify network port scans: 

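```A port scan is one source touching many distinct destination ports, so count distinct ports per source/destination pair. The original counted events per (src_ip, dest_port), which surfaces busy single ports, not scans. 100 distinct ports is a conservative floor — lower it for slow or targeted scans; for horizontal sweeps use dc(dest_ip) by src_ip, dest_port instead.```
sourcetype=network_traffic
| stats dc(dest_port) AS distinct_ports by src_ip, dest_ip
| where distinct_ports > 100
| sort -distinct_ports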

Query to identify potential data exfiltration:

#Query to identify potential data exfiltration: 

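```Many file downloads by one user to one destination. The original had 'source type=' (a space in the field name), which searched for the literal word source and a field called type. Tune the floor of 10; if your sourcetype carries sizes, sum(bytes) is a better signal than a count.```
sourcetype=access_* action=file_download
| stats count by user, dest_ip, dest_port
| where count > 10
| sort -count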

Query to identify failed VPN attempts:

# Query to identify failed VPN attempts: 

```Failed VPN authentications. VPN is a free-text term matched anywhere in the event, not a field; narrow it to your VPN sourcetype or a vendor field if you have one. Pipe into stats count by user, src_ip to spot password spraying.```
sourcetype=access_* action="failure" VPN

Query to identify successful VPN attempts:

#Query to identify successful VPN attempts: 

```Successful VPN authentications. VPN is a free-text term matched anywhere in the event, not a field. Pair this with the failed-VPN search: a success from a source that just produced many failures is the interesting case.```
sourcetype=access_* action="success" VPN

Query to identify potential SQL injection attempts:

#Query to identify potential SQL injection attempts: 

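```SQL keywords in logged requests. eval has no length() function — it is len() — so the original errored. The match is now case-insensitive and also catches UNION; GET query strings are where injection usually shows up in access logs, since POST bodies are rarely logged. The 50-character floor is a noise filter; the old upper bound of 100 only discarded longer, more interesting payloads. URL-decode the field first if your events are still percent-encoded.```
sourcetype=access_* (method=GET OR method=POST)
| rex field=_raw "(?i)(?<query>(?:union|select)\s+[^;]+)"
| eval query_length=len(query)
| where query_length > 50
| table _time, clientip, query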

Query to identify successful login attempts from new or unknown IP addresses:

# Query to identify successful login attempts from new or unknown IP addresses: 

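```A single login from an IP within the search window is not the same as a new IP for that user. Look back over a baseline period (earliest=-30d overrides the time picker) and report user/src_ip pairs whose first login falls in the last 24 hours. Adjust the baseline and the relative_time offset together. Depending on your sourcetype action=login may include failures — add a success condition if one is available.```
sourcetype=access_* action=login earliest=-30d
| stats earliest(_time) AS first_seen, count BY user, src_ip
| where first_seen >= relative_time(now(), "-24h")
| sort -first_seen
| convert ctime(first_seen)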

Query to identify privilege escalation attempts on Linux systems:

#Query to identify privilege escalation attempts on Linux systems:

```sudo invocations by non-root accounts. Every sudo line matches, including routine admin use, so treat this as a review list rather than an alert. String literals in where must be quoted — a bare word is read as a field name.```
"sudo:" sourcetype=linux_secure
| where NOT (user="root" OR user="")

Query to identify unusual DNS requests:

#Query to identify unusual DNS requests:

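```Query names seen more than N times; the original had the placeholder text '(eg: 10)' inline, which is a syntax error — the threshold must be a number. Note that a high count finds the most common names (beaconing candidates), not unusual ones; for rare names invert to count < 3, or look at len(query) and dc(query) per source for tunneling.```
index=your_dns_data_index sourcetype=your_dns_data_sourcetype
| stats count by query
| where count > 10
| sort -count
| table query, count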