commands

streamstats

Used for calculating statistics and adding them as new fields to your search results, based on the order in which the events are encountered.

# current   - whether the current event is included in the calculation (f = false, t = true)
# window    - size of the sliding window in events; with current=f window=1 only the previous event is used

| streamstats current=f window=1 last(value) as last_value by cve

sourcetype

json

[json]
KV_MODE = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+){

“If you set KV_MODE = json, do not also set INDEXED_EXTRACTIONS = JSON for the same source type. If you do this, the json fields are extracted twice, once at index time and again at search time.”

Environment Variables

/opt/splunk/bin/splunk envvars

Split Data from one sourcetype into different indexes

  • create indexes
  • I would recommend creating a new app to gather all config files in one place
  • transforms.conf
    • define the transformation
    • Regex to find the data
    • Format defines the Target Index
  • props.conf
    • combines the sourcetype with the transformation
    • TRANSFORMS-<key> defines the transformation that will be used on the data
      • the <key> part can be any name you want, it doesn't matter
# input
## inputs.conf
[monitor://path/to/data]
index = <index>
sourcetype = some_data_sourcetype

# transformation
## transforms.conf
[transformation_for_somedata]
REGEX = <matching_criteria>
DEST_KEY = _MetaData:Index
FORMAT = <target-index>

# sourcetype
## props.conf
[some_data_sourcetype]
TRANSFORMS-index = transformation_for_somedata
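As an added illustration (not Splunk's code and not from these notes), a small Python simulation of how the three stanzas above route events: it parses constructed inputs.conf, transforms.conf and props.conf text and applies the REGEX / DEST_KEY / FORMAT logic to sample log lines, approximating Splunk's index-time behaviour. The index name auth_index, the regex and the sample events are constructed for the example.

```python
import configparser
import re

# Constructed sample config, following the three stanzas in the notes above.
INPUTS_CONF = """
[monitor:///var/log/app/app.log]
index = main
sourcetype = some_data_sourcetype
"""
TRANSFORMS_CONF = r"""
[transformation_for_somedata]
REGEX = \bsubsystem=auth\b
DEST_KEY = _MetaData:Index
FORMAT = auth_index
"""
PROPS_CONF = """
[some_data_sourcetype]
TRANSFORMS-index = transformation_for_somedata
"""

def load_conf(text):
    """Parse a Splunk-style .conf file; keys stay case-sensitive (REGEX, FORMAT)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def route_event(raw, sourcetype, default_index, props, transforms):
    """Apply every TRANSFORMS-* class for the sourcetype in order: a transform whose
    REGEX matches _raw and whose DEST_KEY is _MetaData:Index rewrites the index to
    its FORMAT (a later match overrides). No match -> the input's default index."""
    index = default_index
    for key, value in (props[sourcetype].items() if sourcetype in props else ()):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "_MetaData:Index" and re.search(t["REGEX"], raw):
                index = t["FORMAT"]
    return index

def route_sample_events():
    """Route two constructed log lines through the sample config; returns {raw: index}."""
    inp = load_conf(INPUTS_CONF)["monitor:///var/log/app/app.log"]
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    events = ["2024-05-01T10:00:00Z subsystem=auth user=alice result=failure",
              "2024-05-01T10:00:01Z subsystem=web path=/health status=200"]
    return {e: route_event(e, inp["sourcetype"], inp["index"], props, transforms)
            for e in events}
```

Only the auth line is rerouted to auth_index; the web line stays in the input's default index, which is the behaviour to verify with `index=auth_index sourcetype=some_data_sourcetype` once the config is deployed.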

RBA

Where do Risk Scores Come From

  1. Adaptive Response Actions
  2. Manual Risk Score (| eval risk_score=50)
  3. Risk Factor Editor
    • Can use addition or multiplication to raise Risk Score
    • Multiply by 0 to change Risk Score to 0
# see all combined
| from datamodel:"Risk"
| table source risk_factor_add risk_factor_mult risk_score

How to weight?

  1. MITRE ATT&CK Weight + Use Case Weight
  2. Weight by Volume
    • Track how often detections are firing
    • create more depth to risk scores
# velocity factor per detection, based on how often it fires
| from datamodel:"Risk"."All_Risk"
| search `risk_notable_sources`
| stats count by search_name
| eval avg=round(count/30)
| eval velocity=case(avg<=1,1.25, avg>1 AND avg<=50,1, avg>50 AND avg<=100,0.75, avg>100 AND avg<=500,0.5, avg>500,0.25)
| outputlookup risk_velocity.csv
