`4662_directory_sync_events`
| eval SubjectUserName=lower(trim(SubjectUserName)) ``` Normalize value ```
| bin _time span=1d AS last_day_seen ``` 1d unit ```
``` Ingest the current baseline ```
| inputlookup append=1 dcsync_baseline.csv
Alex Teixeira inodee
inodee
/ detecting_dcsync_attack_via_baselines.md
Created
February 11, 2025 22:45
inodee
/ gist:dec2550ae15ba7f0aeca7e911c96db90
Created
January 21, 2025 15:59
Successful network connections towards SpamHaus's DROP ranges, excluding common browsers as client
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // This is a prototype, do not run against long periods before tuning | |
| let SpamHausDROP = externaldata(cidr: string) [@"https://www.spamhaus.org/drop/drop_v4.json"] with (format="json", ignoreFirstRecord=False); | |
| DeviceNetworkEvents | |
| | where LocalIPType == 'Private' and RemoteIPType == 'Public'and ActionType == 'ConnectionSuccess' | |
| | where not(InitiatingProcessFileName has_any ('chrome.exe','firefox.exe','msedge.exe','brave.exe')) | |
| | evaluate ipv4_lookup(SpamHausDROP, RemoteIP, cidr, return_unmatched = false) | |
| | where isnotempty(cidr) | |
| | summarize InitiatingProcessCommandLine=make_set(InitiatingProcessCommandLine), RemoteUrl=make_set(RemoteUrl), LastSeen=max(Timestamp) by RemoteIP |
inodee
/ gist:3bb01bdf4f8e7f7e4b30347403b67427
Created
September 18, 2024 07:47
Builds a Concurrency Table of Minute x Hour to be later displayed as a Heatmap using table's overlay
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=_internal sourcetype=scheduler search_type="scheduled" scheduled_time=* savedsearch_name=*rule scheduler rule earliest=-24h@h latest=@h | |
| | eventstats count by savedsearch_name | |
| | where count>=23 | |
| | eval H=strftime(scheduled_time, "%-H") | |
| | eval M=strftime(scheduled_time, "%-M") | |
| | chart limit=24 count over M by H | |
| | table M 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
inodee
/ gist:04569e2c94b783f920c45dd24e03025e
Last active
March 12, 2024 10:01
Detect and alert on new Splunk indexes created
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=_audit sourcetype=audittrail TERM(create) operation=create action=indexes_edit | |
| | rex field=_raw "object=\"*(?<object>[^\"]+)" | |
| | stats values(user) AS user, min(_time) AS _time by object | |
| | eval reason="There is a new index in town! New index: ".object.". Please evaluate if that needs to be in scope for any existing search or use case (ex.: IOC Scan Framework)." |
inodee
/ correlation_searches_heatmap.spl
Last active
May 2, 2023 06:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=_internal sourcetype=scheduler savedsearch_name="* - Rule" scheduled_time=* | |
| | fields dispatch_time scheduled_time | |
| ``` Pick the data point you want to use (hint: consider a dashboard dropdown) ``` | |
| | eval _time=scheduled_time | |
| | eval H=strftime(_time, "%k"), M=strftime(_time, "%M") | |
| ``` Use a chart/viz or simply enable 'Heatmap' overlay from Format options ``` | |
| | chart useother=0 count over M by H |
inodee
/ gist:a56dd711d05df77f21d334c11935cb54
Created
June 1, 2022 13:26
Hunting dashboard for Follina - CVE-2022-30190
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=YOUR_ENDPOINT_TELEMETRY_INDEX msdt ChildPath=*msdt.exe ``` make sure you use msdt as a bloomfilter to speedup the query and filter on msdt.exe as child (primarily)``` | |
| ``` Highlight interesting traces ``` | |
| | eval office_parent=if(match(ParentPath, "(?i)(winword|excel|powerpnt|outlook)\.exe"), 1, 0) | |
| | eval cmdshell_parent=if(match(ParentPath, "(?i)\S+\\\(cmd|pwsh|sqlps|sqltoolsps|powershell|powershell_ise)\.exe"), 1, 0) | |
| | eval uri_scheme=if(match(command, "(?i)ms-msdt:/"), 1, 0) | |
| | eval traversal=if(match(command, "(?i)\.\.\S\.\."), 1, 0) | |
| | eval exe_param=if(match(replace(command, "(?i)msdt\.exe", ""), "(?i)\S+\.exe"), 1, 0) | |
| ``` Normalize the parent path``` |
inodee
/ gist:6c599147fef0692617b2b9d66d286bf3
Created
May 17, 2019 10:03
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ```<option name="charting.seriesColors">[#67001f,#b2182b,#d6604d,#f4a582,#fddbc7,#e0e0e0,#bababa,#878787,#4d4d4d]</option>``` |