Detect Machines with High Threatscore

index=<replace> | stats count by src_ip dst_ip dst_port protocol | lookup threatscore clientip as dst_ip | sort –threatscore | where threatscore>0

purpose:

Detect machines/applications who are potentially infected and have active running malware on it. Even use it to detect fraud for shopping site orders coming from bad IP's

requirements:

machine data with external IP's + IP Reputation App

comments:

  • Search Logs index=
  • Make sure fields are extracted fine – you can even let this run in realtime – looks cool: | stats count by src_ip dst_ip dst_port protocol
  • Now we enrich the data with | lookup threatscore clientip as dst_ip
  • Now as there is a new field evaluated (Threatscore) we want to show the IP's with the highest threatscore first by sorting it: | sort –threatscore
  • And now we only want to see malicious connections instead of the good once: | where threatscore>0

Detect Account Sharing

…. | stats dc(src_ip) as ip_count by user

purpose:

Detect Users who login from multiple IP's / User account Sharing

requirements:

Login logs with Username + Source IP field extractions

comments:

  • … - first search for something, maybe with logon/login etc. and review if there are the proper logs for logins and field extractions that are working
  • Do stats to show the distinct count of different source ip's used per user | stats dc(src_ip) as ip_count by user

Simple Top 5 Attackers

sourcetype = "juniper:idp" attack* | top limit=5 src_ip

purpose:

Find the top 5 ip addresses that are attempting to attack us.

requirements:

juniper:idp data

comments:

Find Rare Processes (windows)

sourcetype=winregistry | rare process_image

purpose:

find rarely seen windows processes. might indicate custom malware.

requirements:

winregistry data

comments:

geo-location w/ user home base lookup

index=geod
# get some location information
| iplocation clientip
# lookup user details from a lookup table
#  including their home location
| lookup user_home_lu user as user
# calculate the distance between the login location
#  and the user's home location
#  using the haversine app (http://apps.splunk.com/app/936/)
| haversine originField=home_latlon units=mi inputFieldLat=lat inputFieldLon=lon
# limit the list to those where the distance is greater
#  than 500 miles
| where distance > 500
# clean up for reporting purposes
| strcat City ", " Region cs
# report the results
| fields user, cs, distance

purpose:

find users that are logging in from a location which is greater than 500 miles away from the registered home office

requirements:

haversine app clientip lookup table with user > home_latlon

comments: