Splunk

A basic search returns every event in the main index whose EventCode is not 1:

index="main" EventCode!=1

The fields command removes (with -) or keeps (with +) the listed fields; here it excludes the User field:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | fields - User

The table command keeps only the listed fields and displays them as columns:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | table _time, host, Image

The rename command renames a field in the search results. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | rename Image as Process

The dedup command removes duplicate events; here it keeps only the first event seen for each distinct Image value. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | dedup Image

The sort command sorts the search results; a leading - means descending, so this returns the newest events first. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | sort - _time

The chart command computes statistics and lays them out for visualization; here it counts network-connection events (EventCode 3) per Image over time. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | chart count by _time, Image

The eval command creates or redefines fields. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval Process_Path=lower(Image)

The rex command extracts new fields from existing ones using regular expressions; max_match=0 captures every match into a multivalue field rather than only the first. Example:

index="main" EventCode=4662 | rex max_match=0 "[^%](?<guid>{.*})" | table guid

The lookup command enriches the data with external sources such as a CSV file. In this example rex isolates the file name from the Image path, lower() normalizes its case so it matches the lookup keys, and OUTPUTNEW adds the is_malware field only where it is not already present. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | rex field=Image "(?P<filename>[^\\\]+)$" | eval filename=lower(filename) | lookup malware_lookup.csv filename OUTPUTNEW is_malware | table filename, is_malware

A variant that isolates the file name with split and mvindex instead of rex, and appends dedup to collapse repeated filename/is_malware pairs (note that dedup drops events missing either field by default, so file names absent from the lookup disappear from this output):

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval filename=mvdedup(split(Image, "\\")) | eval filename=mvindex(filename, -1) | eval filename=lower(filename) | lookup malware_lookup.csv filename OUTPUTNEW is_malware | table filename, is_malware | dedup filename, is_malware
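To make the behaviour of the two lookup pipelines above concrete, the following Python script is an added example (not code from the original page or from Splunk) that models what they compute on a handful of constructed Image values. The malware_lookup.csv contents are an assumption, since the page only shows the file name and its filename and is_malware columns; the dedup branch mirrors Splunk's default keepempty=false, under which rows lacking is_malware are dropped.

```python
import csv
import io
import re

# Constructed sample Image values from Sysmon EventCode=1 events (not real
# telemetry). The repeated cmd.exe with different case exercises lower().
SAMPLE_IMAGES = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\CMD.EXE",
    r"C:\Users\bob\AppData\Local\Temp\Mimikatz.exe",
    r"C:\Program Files\Git\bin\git.exe",
    r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe",
]

# Constructed stand-in for malware_lookup.csv; the real file's contents are
# not shown on the page, only its filename and is_malware columns.
MALWARE_LOOKUP_CSV = """filename,is_malware
mimikatz.exe,true
psexec.exe,true
cmd.exe,false
"""

# Python form of: rex field=Image "(?P<filename>[^\\\]+)$"
FILENAME_RE = re.compile(r"(?P<filename>[^\\]+)$")


def load_lookup(csv_text):
    """Model of a CSV lookup table keyed on the filename column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["filename"]: row["is_malware"] for row in reader}


def extract_filename_rex(image):
    """rex variant: the trailing run of non-backslash characters."""
    m = FILENAME_RE.search(image)
    return m.group("filename") if m else None


def extract_filename_split(image):
    """Model of eval filename=mvindex(mvdedup(split(Image, "\\")), -1).

    mvdedup keeps the first occurrence of each path component, so when the
    file name repeats an earlier directory name the last element changes."""
    deduped = []
    for part in image.split("\\"):
        if part not in deduped:
            deduped.append(part)
    return deduped[-1] if deduped else None


def enrich(images, lookup, extractor=extract_filename_rex, dedup=False):
    """Model of: eval filename=lower(filename) | lookup ... OUTPUTNEW is_malware
    | table filename, is_malware [| dedup filename, is_malware].

    With dedup=True this mirrors Splunk's default keepempty=false: rows where
    is_malware is missing (no lookup match) are dropped, and only the first
    row per (filename, is_malware) pair is kept."""
    rows, seen = [], set()
    for image in images:
        name = extractor(image)
        if name is None:
            continue
        name = name.lower()
        is_malware = lookup.get(name)  # None models an absent OUTPUTNEW field
        if dedup:
            if is_malware is None or (name, is_malware) in seen:
                continue
            seen.add((name, is_malware))
        rows.append({"filename": name, "is_malware": is_malware})
    return rows


if __name__ == "__main__":
    table = load_lookup(MALWARE_LOOKUP_CSV)
    for row in enrich(SAMPLE_IMAGES, table):
        print("no dedup:", row)
    for row in enrich(SAMPLE_IMAGES, table, dedup=True):
        print("dedup:   ", row)
```

Running it shows git.exe appearing with an empty is_malware in the first pipeline and vanishing from the second, which is the keepempty behaviour to keep in mind when a dedup follows a lookup. The split-based extractor also illustrates why the page's second query is not a strict equivalent of the first: for a path such as C:\a\b\a the rex variant yields a while the mvdedup variant yields b.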

Every event in Splunk has a timestamp. Using the time range picker or the earliest and latest time modifiers in the search string, you can limit searches to specific time periods. Example (the last seven days):

index="main" earliest=-7d EventCode!=1

The transaction command groups events that share common field values into transactions, often used to track sessions or user activities that span multiple events. Here process-creation (EventCode 1) and network-connection (EventCode 3) events for the same Image are grouped when the connection follows the creation within one minute (maxspan=1m). Example:

index="main" sourcetype="WinEventLog:Sysmon" (EventCode=1 OR EventCode=3) | transaction Image startswith=eval(EventCode=1) endswith=eval(EventCode=3) maxspan=1m | table Image | dedup Image
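The grouping that the transaction query above performs, as an added Python model that is not part of the original page or of Splunk. It runs over constructed Sysmon events and keeps only transactions that open on EventCode 1 and close on EventCode 3 within maxspan; discarding incomplete groups is a simplification of how Splunk treats evicted and still-open transactions at the end of a search.

```python
from datetime import datetime, timedelta

# Constructed Sysmon events (not real telemetry). EventCode 1 is process
# creation, EventCode 3 is a network connection made by that process.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2024-01-01T10:00:20", "EventCode": 3, "Image": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2024-01-01T10:00:05", "EventCode": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\evil.exe"},
    {"_time": "2024-01-01T10:03:00", "EventCode": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\evil.exe"},
    {"_time": "2024-01-01T10:05:00", "EventCode": 3, "Image": r"C:\Program Files\Git\bin\git.exe"},
    {"_time": "2024-01-01T10:10:00", "EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"_time": "2024-01-01T10:10:30", "EventCode": 3, "Image": r"C:\Windows\System32\cmd.exe"},
]


def _t(event):
    return datetime.fromisoformat(event["_time"])


def transactions(events, maxspan=timedelta(minutes=1)):
    """Model of: transaction Image startswith=eval(EventCode=1)
    endswith=eval(EventCode=3) maxspan=1m

    Events are grouped per Image in time order. A transaction opens on an
    EventCode=1 event, collects the events that follow, and closes on an
    EventCode=3 event. A group whose span would exceed maxspan is discarded
    (Splunk calls this eviction) and a new EventCode=1 restarts the group.
    Only closed transactions are returned (a simplification, see lead-in)."""
    by_image = {}
    for event in sorted(events, key=_t):
        by_image.setdefault(event["Image"], []).append(event)

    closed = []
    for image, image_events in by_image.items():
        current = []
        for event in image_events:
            if current and _t(event) - _t(current[0]) > maxspan:
                current = []          # evicted: span exceeded before an end event
            if event["EventCode"] == 1:
                current = [event]     # startswith: (re)open the transaction
                continue
            if not current:
                continue              # end event with no open transaction
            current.append(event)
            if event["EventCode"] == 3:
                closed.append({
                    "Image": image,
                    "eventcount": len(current),
                    "duration": (_t(event) - _t(current[0])).total_seconds(),
                    "events": current,
                })
                current = []
    return closed


def images_with_transactions(events, maxspan=timedelta(minutes=1)):
    """Model of the trailing: | table Image | dedup Image"""
    unique = []
    for tx in transactions(events, maxspan):
        if tx["Image"] not in unique:
            unique.append(tx["Image"])
    return unique


if __name__ == "__main__":
    for tx in transactions(SAMPLE_EVENTS):
        print(tx["Image"], tx["eventcount"], tx["duration"])
    print(images_with_transactions(SAMPLE_EVENTS))
```

On the sample data evil.exe makes its connection almost three minutes after it starts, so it never forms a transaction at maxspan=1m and is absent from the result; widening maxspan brings it back. This is the trade-off to weigh when choosing maxspan for a detection: a tight window suppresses slow-starting processes, a loose one groups unrelated activity.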

A subsearch in Splunk is a search that is nested inside another search, enclosed in square brackets. It runs first, and its results are substituted into the outer search. Here the subsearch returns the 100 most frequent Image values, and NOT excludes them from the outer search. Example:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 NOT [ search index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | top limit=100 Image | fields Image ] | table _time, Image, CommandLine, User, ComputerName

This query can help to highlight unusual or rare processes, which may be worth investigating for potential malicious activity.
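An added Python model of the rare-process subsearch above (not code from the original page or from Splunk), run over constructed Sysmon process-creation events. It reproduces the frequency ranking that top performs, shows the boolean expression the subsearch conceptually expands to, and applies the exclusion; the limit is set to 3 so that the small sample has something left over.

```python
from collections import Counter


def _ev(minute, image, cmdline, user="CORP\\bob", host="WS01"):
    """Build one constructed Sysmon EventCode=1 event (not real telemetry)."""
    return {"_time": f"2024-01-01T09:{minute:02d}:00", "Image": image,
            "CommandLine": cmdline, "User": user, "ComputerName": host}


# 15 constructed events: svchost x5, cmd x4, explorer x3, rundll32 x2, mimikatz x1.
SAMPLE_EVENTS = (
    [_ev(i, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
         user="NT AUTHORITY\\SYSTEM") for i in range(0, 5)]
    + [_ev(i, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami") for i in range(5, 9)]
    + [_ev(i, r"C:\Windows\explorer.exe", "explorer.exe") for i in range(9, 12)]
    + [_ev(i, r"C:\Windows\System32\rundll32.exe",
           "rundll32.exe shell32.dll,Control_RunDLL") for i in range(12, 14)]
    + [_ev(14, r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe",
           "mimikatz.exe privilege::debug")]
)

TABLE_FIELDS = ("_time", "Image", "CommandLine", "User", "ComputerName")


def top_images(events, limit):
    """Model of the subsearch: | top limit=N Image | fields Image
    Returns up to N Image values, most frequent first."""
    counts = Counter(event["Image"] for event in events)
    return [image for image, _ in counts.most_common(limit)]


def subsearch_filter(images):
    """Conceptual form of what NOT [ ... ] becomes once the subsearch has
    run: a boolean expression over the returned Image values."""
    return "NOT (" + " OR ".join(f'Image="{image}"' for image in images) + ")"


def rare_process_events(events, limit):
    """Model of: EventCode=1 NOT [ ... top limit=N Image ... ]
    | table _time, Image, CommandLine, User, ComputerName"""
    common = set(top_images(events, limit))
    return [{field: event[field] for field in TABLE_FIELDS}
            for event in events if event["Image"] not in common]


if __name__ == "__main__":
    print(subsearch_filter(top_images(SAMPLE_EVENTS, 3)))
    for row in rare_process_events(SAMPLE_EVENTS, 3):
        print(row["_time"], row["Image"], row["CommandLine"])
```

Two practical caveats fall out of the model. First, top limit=100 excludes up to 100 distinct Image values, so on a host set with fewer than 100 distinct process images the outer search returns nothing; tune the limit to the environment's process population. Second, Splunk caps subsearch output (10,000 results by default) and its run time, so a ranking built over a large index should be scoped tightly in time or computed with a scheduled lookup instead.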

How To Identify The Available Data

Splunk classifies incoming data by source type, which dictates how the data is parsed and formatted. Before looking at source types, we can list the indexes that hold data with the following SPL command (the leading pipe means there is no initial search; eventcount generates the results itself):

| eventcount summarize=false index=* | table index

This query uses eventcount to count events in all indexes, then summarize=false is used to display counts for each index separately, and finally, the table command is used to present the data in tabular form.

To list all sourcetypes in our Splunk environment, along with metadata such as the first and last time each was seen (firstTime, lastTime) and the total number of events (totalCount), we can use the metadata command:

| metadata type=sourcetypes

For a simpler view, we can use the following search:

| metadata type=sourcetypes index=* | table sourcetype

This command returns a list of all data sources in the Splunk environment:

| metadata type=sources index=* | table source

If we are interested in a sourcetype named WinEventLog:Security, we can use the table command to present the raw events as follows:

sourcetype="WinEventLog:Security" | table _raw
