Splunk Security Search Query's

Searching Data in Splunk

One of the fundamental skills in Splunk is mastering its search capabilities. In practical lab environments, the index used might be predefined, such as index=botsv1. However, during an exam or in real-world scenarios, the index might be unknown. In such cases, we can use index=* to search across all indexes.

Example:

To search for events from a specific IP address, you can use:

search src="10.10.10.50" OR dst="10.10.10.50"

If you suspect login failures, you can search for logs containing both "pass" and "fail":

search pass* AND fail*

Search Commands for Better Data Understanding

Sort

The sort command organizes your search results. For instance, to sort events by time in ascending order:

| sort time asc

You can limit the number of results using count:

| sort limit=2 time asc

Using desc sorts in descending order.

Stats

The stats command provides statistical summaries. To find the most frequent IP addresses:

| stats count by srcip

You can combine it with sort for better clarity:

| stats count by srcip | sort count desc

Table

The table command allows you to create custom views of your data, displaying only relevant fields. For example:

| table date, time, srcip, dstport, action, msg

This makes it easier to focus on essential information.

Uniq and Dedup

uniq retrieves unique values. For example, to find unique source IP addresses:

| table srcip | uniq

If uniq doesn't work, dedup is a reliable alternative:

| table action | dedup action

Practical Examples

1. Finding Initial Events: To look at the earliest event in the dataset:

   earliest=0
   

2. Handling Different Field Names: Different logs might use different field names for the same data. For instance, source IP could be srcip or source_ip. Adapt your searches accordingly.

3. Detecting Malware: Search for logs related to executable files (which can be crucial in malware detection):

   | table date, time, script, dstport, action, msg, image
   

   The image field often refers to executable files, helping identify malicious processes like crypto miners.

Conclusion

Mastering these Splunk search commands enhances your ability to analyze and understand security events effectively. By leveraging sort, stats, table, uniq, and dedup commands, you can transform raw log data into actionable intelligence, crucial for incident response and forensic analysis.