Splunk

index="main" EventCode!=1

The fields command excludes the User field:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | fields - User

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | table _time, host, Image

The rename command renames a field in the search results. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | rename Image as Process

The 'dedup' command removes duplicate events. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | dedup Image

The sort command sorts the search results. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | sort - _time

The chart command creates a data visualization based on statistical operations. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | chart count by _time, Image

The eval command creates or redefines fields. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval Process_Path=lower(Image)

The rex command extracts new fields from existing ones using regular expressions. Example:

index="main" EventCode=4662 | rex max_match=0 "[^%](?<guid>{.*})" | table guid

The lookup command enriches the data with external sources. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | rex field=Image "(?P<filename>[^\\\]+)$" | eval filename=lower(filename) | lookup malware_lookup.csv filename OUTPUTNEW is_malware | table filename, is_malware

An equivalent that also removes duplicates is the following:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval filename=mvdedup(split(Image, "\\")) | eval filename=mvindex(filename, -1) | eval filename=lower(filename) | lookup malware_lookup.csv filename OUTPUTNEW is_malware | table filename, is_malware | dedup filename, is_malware

Every event in Splunk has a timestamp. Using the time range picker or the earliest and latest commands, you can limit searches to specific time periods. Example:

index="main" earliest=-7d EventCode!=1

The transaction command is used in Splunk to group events that share common characteristics into transactions, often used to track sessions or user activities that span across multiple events. Example:

index="main" sourcetype="WinEventLog:Sysmon" (EventCode=1 OR EventCode=3) | transaction Image startswith=eval(EventCode=1) endswith=eval(EventCode=3) maxspan=1m | table Image |  dedup Image 

A subsearch in Splunk is a search that is nested inside another search. It's used to compute a set of results that are then used in the outer search. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 NOT [ search index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | top limit=100 Image | fields Image ] | table _time, Image, CommandLine, User, ComputerName

This query can help to highlight unusual or rare processes, which may be worth investigating for potential malicious activity.

How To Identify The Available Data

We classify these data sources into source types that dictate how Splunk formats the incoming data. To identify the available source types, we can run the following SPL command.

| eventcount summarize=false index=* | table index

This query uses eventcount to count events in all indexes, then summarize=false is used to display counts for each index separately, and finally, the table command is used to present the data in tabular form.

To list all sourcetypes in our Splunk environment, along with additional metadata such as the first time a source type was seen (firstTime), the last time it was seen (lastTime), and the number of hosts (totalCount).

| metadata type=sourcetypes

For a simpler view, we can use the following search:

| metadata type=sourcetypes index=* | table sourcetype

This command returns a list of all data sources in the Splunk environment:

| metadata type=sources index=* | table source

Let's say we are interested in a sourcetype named WinEventLog:Security, we can use the table command to present the raw data as follows.

sourcetype="WinEventLog:Security" | table _raw