Splunk is a tool for monitoring and searching through big data. A default port is 8089.
Default Credentials
admin:changeme
SPL (Search Processing Language)
In Splunk, click Search & Reporting. Maybe we need to set the “All time” Preset on the right of the search form.
The cheat sheet of searching is below:
# "main" index stores all the processed data
index="main" earliest=0
Files
index=main example.aspx sourcetype="<SourceType>"
EventCode
# EventCode 8: CreateRemoteThread in sysmon.
index="main" sourcetype="<SourceType>" EventCode=8
# EventCode 11: FileCreate in sysmon.
index="main" sourcetype="<SourceType>" EventCode=11
IP Addresses
index=main SourceIp=172.* AND DestinationIp=192.68.*
SourceType
index="main" sourcetype="<SourctType>"
# Identify all SourceType
index="main" earliest=0 | stats count by sourcetype | sort -count
Account Name
index=main AccountName = John AND AccountName != SYSTEM
Retrieving Hashes
# Retrieve MD5 hash of the target image
index="main" sourcetype="<SourceType>" Image="c:\\Path\\to\\file.exe" md5
# Display top N result of frequent
index=main | top limit=10 User
# Display top N result of the least
index=main | rare limit=10 User
Chart
Transform the result to chart.
index=main | chart count by Image
# time-series chart
index=main | timechart count by Image
Removing Duplicate Fields
index=main | table User, Hostname | dedup User
Rename the Field
index=main | fields host, User | rename User as Member
Misc
# Retrive file locations and number of files.
index="main" sourcetype="<SourceType>" EventCode=11 | stats count by TargetFilename
# Client-server method "POST" and search by file formats
index="main" sourcetype="iis" cs_method="POST" | search *.php* OR *.asp* OR *.aspx* OR *.jsp*