lottoleft.blogg.se - Splunk tstats example

SPLUNK TSTATS EXAMPLE INSTALL
SPLUNK TSTATS EXAMPLE UPDATE
SPLUNK TSTATS EXAMPLE FULL
SPLUNK TSTATS EXAMPLE SOFTWARE

This account will execute REST commands against the Search Head, to initiate searches and retrieve results. On Splunk, we require a “ service account” that Phantom can use to authenticate with. OpenSSL routines in Phantom will now be able to verify the certificate on Splunk.

SPLUNK TSTATS EXAMPLE UPDATE

Update the system CA trust store update-ca-trust

SPLUNK TSTATS EXAMPLE INSTALL

To install these certificates on the Phantom instance, do the following (as root):Ĭopy your CA public key (PEM format) to the system PKI store: cp /home/myuser/my_org_root_ca.pem /etc/pki/ca-trust/source/anchors This certificate also needs to be validated by the Phantom client, so any required CA certs also need to be present on the certificate store of the Phantom machine. If the authenticity of the data cannot be guaranteed, an attacker could direct the query to rogue infrastructure, returning malicious search results that will be operated on automatically. It is recommended that a valid TLS certificate is installed on the Search Head or cluster that is to be queried by Phantom. Valid TLS certificates on Splunk Web and Phantom There are a number of security considerations we need to keep in mind when setting up the integration between Splunk and Phantom as well as when executing security playbooks. This could indicate compromise on a client machine that needs to be re-mediatedįor the example in this article, we will look at finding users in the organisation that clicked on a malicious link in a Phishing email Security Considerations Querying firewall logs to determine if a call-out was made to a C&C server.Querying the email logs to determine which other users were the target of a Phishing campaign.

SPLUNK TSTATS EXAMPLE FULL

These users could undergo an automatic password reset or a full malware scan of their machine can be initiated

Querying the proxy logs to find other users that clicked on a malicious link.

These could include functionalities such as: There are a number of use-cases or playbooks with Phantom that requires information within Splunk to be queried.

Often it is required to act upon data within Splunk, or to augment case details in Phantom by querying Splunk for additional information. Searching for TERM(127.0.0.This article deals with querying Splunk from within Phantom to enable automation of security use-cases. See Use the TERM directive to match terms that contain minor breakers.

SPLUNK TSTATS EXAMPLE SOFTWARE

For more information about how Splunk software breaks events up into searchable segments, see About segmentation in Getting Data In. When you use the TERM directive, the Splunk software expects to see the term you specify as a token in the lexicon in the. This is illustrated in the examples below. For example, you cannot use TERM to search for Maria Dubois because there is a space between the names. The TERM directive only works for terms that are bounded by major breakers, but the term you are searching for cannot contain major breakers. If you specify TERM(127.0.0.1), the search treats the IP address as a single term, instead of individual numbers, and returns all events that contain the IP address 127.0.0.1. If you search for the IP address 127.0.0.1, Splunk software searches for 127 AND 0 AND 1 and returns events that contain those numbers anywhere in the event. For example, the IP address 127.0.0.1 contains the period (. Use the TERM directive to ignore the minor breakers and match whatever is inside the parentheses as a single term. When data is indexed, characters such as periods and underscores are recognized as minor breakers between terms.

Is bound by major breakers, such as spaces or commas.

Contains minor breakers, such as periods or underscores.

The TERM directive is useful for more efficiently searching for a term that: The following search only matches events that contain localhost in uppercase in the host field. For example, if you search for CASE(error), your search returns results containing only the specified case of the term, which is error. You can use the CASE directive to perform case-sensitive matches for terms and field values. For example, if you search for Error, any case of that term is returned, such as Error, error, and ERROR.

For more information about the PREFIX() directive, see tstats in the Search Reference.īy default, searches are case-insensitive. The CASE() and TERM() directives are similar to the PREFIX() directive used with the tstats command because they match strings in your raw data. TERM Syntax: TERM() Description: Match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers, such as periods or underscores. If you want to search for a specific term or phrase in your Splunk index, use the CASE() or TERM() directives to do an exact match of the entire term.ĬASE Syntax: CASE() Description: Search for case-sensitive matches for terms and field values.