From 10f260bf736824ed7dfd1952fc46b215a1739810 Mon Sep 17 00:00:00 2001 From: Chris Long Date: Mon, 1 Jun 2020 01:21:22 -0700 Subject: [PATCH] Update logger_dashboard.xml --- .../splunk_server/logger_dashboard.xml | 380 ++++++++++-------- 1 file changed, 217 insertions(+), 163 deletions(-) diff --git a/Vagrant/resources/splunk_server/logger_dashboard.xml b/Vagrant/resources/splunk_server/logger_dashboard.xml index 76eaab3..2e74211 100644 --- a/Vagrant/resources/splunk_server/logger_dashboard.xml +++ b/Vagrant/resources/splunk_server/logger_dashboard.xml @@ -1,164 +1,218 @@ - - - - Events by Index per Hour - - - | tstats count where index=* by index, _time span=4h prestats=t | timechart span=4h count by index - -7d@h - now - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Top Suricata Network Alerts - - - index=suricata | stats values(src_ip) count by alert.signature, alert.signature_id - -24h@h - now - 1 - - - - - - - - - -
-
- - Zeek Network Traffic by Type - - - index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype - -24h@h - now - - - - - - -
- - - Windows Events by Host - - - | tstats count where index=wineventlog by host, _time span=1h prestats=t | timechart span=1h count by host - -24h@h - now - - - - - - - - osquery Events by Host - - - | tstats count where index=osquery by host, _time span=1h prestats=t | timechart span=1h count by host - -24h@h - now - - - - - - - - Powershell Event Preview - - - index=powershell | table _time, host, _raw, sourcetype - -24h@h - now - - - -
-
-
- - - License Usage - - - | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota" - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
\ No newline at end of file + + + + Events by Index per Hour + + + | tstats count where index=* by index, _time span=4h prestats=t | timechart span=4h count by index + -7d@h + now + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Top Suricata Network Alerts + + + index=suricata | stats values(src_ip) count by alert.signature, alert.signature_id + -24h@h + now + 1 + + + + + + + + + +
+
+ + Zeek Network Traffic by Type + + + index=zeek | stats count by _time, tag::eventtype | timechart span=1h count by tag::eventtype + -24h@h + now + + + + + + +
+ + + Windows Events by Host + + + | tstats count where index=wineventlog by host, _time span=1h prestats=t | timechart span=1h count by host + -24h@h + now + + + + + + + + Sysmon Events by Host + + + | tstats count where index=sysmon by host, _time span=1h prestats=t | timechart span=1h count by host + -24h@h + now + + + + + + + osquery Events by Host + + + | tstats count where index=osquery by host, _time span=1h prestats=t | timechart span=1h count by host + -24h@h + now + + + + + + + + + + Jack Crook's Hunting for Beacons Query + + http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html + + index=zeek (dest_port=443 OR dest_port=80) +| rename orig_bytes as bytes_out resp_bytes as bytes_in +| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip +| eval beacon_avg=('beacon_count' / 'total_count') +| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out +| head 100 +| eval incount=mvcount(bytes_in) +| eventstats avg(beacon_count) as overall_average +| eval beacon_percentage=('beacon_count' / 'overall_average') +| sort - beacon_percentage + -24h@h + now + + + + +
+
+
+ + + Powershell Event Preview + + + index=powershell | table _time, host, _raw, sourcetype + -24h@h + now + + + + + +
+
+
+ + + License Usage + + + | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "Used"=round(used_bytes/1024/1024/1024, 3) | eval "Quota"=round(quota/1024/1024/1024, 3) | fields Pool "Used" "Quota" + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | timechart span=1h sum(MB) by idx + -24h@h + now + + + + + + + + +
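Review bot: In the new "Jack Crook's Hunting for Beacons Query" panel, `| head 100` runs before `| eventstats avg(beacon_count) as overall_average` and `| sort - beacon_percentage`, so the panel keeps an arbitrary first 100 src_ip/dest_ip/bytes_out rows (stats output order, not beacon score) and derives the baseline average from that subset only, meaning the strongest beacon candidates can be dropped before they are ever scored. Moving the cap to the end, `| sort - beacon_percentage | head 100`, ranks every pair first and then truncates, which appears to be the intent of the referenced post. Separately, the Powershell Event Preview panel tables `_raw` for `index=powershell`; if that index carries script block logging, the dashboard will render full script contents, which on a shared Splunk instance could expose embedded credentials, so consider limiting the fields shown or the dashboard's audience. The License Usage panel's `| rest splunk_server=local /services/licenser/...` searches need license-viewing capability, so non-admin viewers will likely see a permission error in that panel rather than data; a short XML comment noting the required role would save the next maintainer some confusion.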