Challenges

Boss of the SOC

BOTSv1 Investigate Workshop

BOTSv3

Searches

More defined searches run faster: narrow by index, sourcetype/source and time range before the first pipe so Splunk reads fewer events.

# see all sourcetypes (or sources) in an index
| metadata type=sourcetypes index=<index>
| metadata type=sources index=<index>

# see all indexes
| eventcount summarize=false index=* index=_* | dedup index | sort -count

# command line using sysmon (double backslash matches a literal backslash in SPL)
Image="*\\cmd.exe" | stats values(CommandLine) by host
Image="*\\cmd.exe" | stats count by CommandLine

Cheatsheet by domanchi

Dashboard

# Failed Logons
sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4625
| timechart span=2h count

# Chosen Commands
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  AND (CommandLine=*whoami* OR CommandLine=*ssh* OR CommandLine=*ftp* OR CommandLine=*FromBase64String*)
| table _time user CommandLine

# Logins
source="WinEventLog:Security" sourcetype="WinEventLog:Security"
  EventCode=4624 AND (Logon_Type=2 OR Logon_Type=7)
| timechart span=2h count

# Top Commands
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*
| top CommandLine

# Event Codes
sourcetype="WinEventLog:Security" source="WinEventLog:Security" host="LAPTOP-OI4EI350"
| stats count by EventCode | sort -count

# USB Devices
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" process_name="WUDFHost.exe"
| dedup _time | table _time Details
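Building on the Failed Logons and Logins searches above, an added example that is not part of these notes: instead of only charting 4625 counts, correlate failures and successes per account in 15-minute buckets and surface accounts that logged on successfully after a burst of failures. The index name `wineventlog`, the TA-extracted `user` and `src` fields, the 15m span and the threshold of 10 failures are assumptions to adjust for your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624) earliest=-24h
| bucket _time span=15m
| stats count(eval(EventCode=4625)) AS failed
        count(eval(EventCode=4624)) AS success
        min(eval(if(EventCode=4625, _time, null()))) AS first_fail
        max(eval(if(EventCode=4624, _time, null()))) AS last_success
        values(src) AS src
    BY _time user
| where failed >= 10 AND success > 0
| eval first_fail=strftime(first_fail, "%Y-%m-%d %H:%M:%S"),
       last_success=strftime(last_success, "%Y-%m-%d %H:%M:%S")
| sort -failed
| table _time user src failed success first_fail last_success
```

The `where` line is the tunable detection rule; drop it to see the raw per-account counts for baselining before picking a threshold.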

Courses

Splunk 7.x Fundamentals Part 1 (eLearning)