(( tag = network tag = communicate ) OR ( index = pan_logs sourcetype = pan * traffic ) OR ( index =* sourcetype = opsec ) OR ( index =* sourcetype = cisco : asa ) ) ( src_ip = 10.0.
It will show output when the bytes out is 3 standard deviations above the source's or organization's average for the latest day compared with the latest 30 days. The query below will output the user, the time, the source IP, the aggregated bytes sent out, the number of data samples, the number of standard deviations away from the source's average bytes sent per day, and the number of standard deviations away from the organization's average bytes sent per day. Users with a Large Increase in Web Traffic Moving out of the Network. For each query, I have included what I like to see for output. You can also use the "table" search command to specify what you'd like to see as output. These are massive searches and with current limits on my allotted hard disk space, I'm thinking about lowering the time frame to two or three weeks. The queries below can be modified for any time frame, but I've been running them with data from the last 30 days. These queries are specifically targeted to identify behaviors that could be viewed as data exfiltration. I've been working with Splunk at my job and wanted to provide some interesting queries that might assist with network data analytics for cyber security purposes. Index=index sourcetype=csv source=src1 host=host1| stats list(field1) as F_1 list(field2) as F_2 list(field3) as F_3 BY ITEM| eval source1=mvzip(F_1,mvzip(F_2,F_3)) | mvexpand source1 | rex field=source1 "(? \d+),(? \d+),(? \d+)" | join ITEM | eval DIFF1=F1-C_1 | eval DIFF2=F_2-C_2 | sort limit=0 ITEM |table ITEM, F_1, F_2, F_3, C_1, C_2, C_3, DIFF1, DIFF2Ĭan someone please check my query as I think there may be a mistake in there somewhere when attempting to create new records for instances where there are multiple values in a single field.Splunk Queries for Identifying Data Exfiltration Could you please have a look at my query and let me know where I'm going wrong and what I could do to avoid using a join command: However, I'm not sure it's working correctly. Based on this join, I want to return results from both searches only in instances where ITEM values match. I'm using the join command to join to searches based on a common field called ITEM. The subsearch is *not* hitting any limits on execution time or number of results the overall data set is fairly small. I am sure this is something simple that I have overlooked, but I don't see it! I've even looked at the Search Job Inspector, but nothing shows up there either. For example, the second search gave an average of 45453.56 while the first search gave an average of 42823.32638888889. I am using the standard access_combined sourcetype for this example, so clientip is the IP address that is connecting to the Apache server, status is the HTTP status code, and bytes is the number of bytes in the HTTP request.īut the searches give slightly different results. (My real search is slightly different, but this illustrates the problem perfectly.) Successful traffic is defined as status=400. The concept of both searches is the same: Identify IPs that have had HTTP errors in the previous week, and summarize the number of bytes of "successful" traffic, average and median during that timeframe. | stats sum(bytes) as bytes count(eval(check="Bad")) as Bad by clientip Index=web sourcetype=access_combined action=purchase **Option 2: using an eval to replace the subsearch**
| stats avg(bytes) as avg_bytes, median(bytes) as median_bytes Index=web sourcetype=access_combined status=400 Here are two searches, which I think are logically equivalent, yet they return different results in Splunk.
0 kommentar(er)
