Update logger_dashboard.xml

This commit is contained in:
Chris Long
2020-06-01 01:21:22 -07:00
committed by GitHub
parent dcd69ea6cf
commit 10f260bf73


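--- a/logger_dashboard.xml
+++ b/logger_dashboard.xml
@@ -93,6 +93,18 @@
 <option name="refresh.display">progressbar</option>
 </chart>
 </panel>
+<panel>
+<title>Sysmon Events by Host</title>
+<chart>
+<search>
+<query>| tstats count where index=sysmon by host, _time span=1h prestats=t | timechart span=1h count by host</query>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</search>
+<option name="charting.chart">line</option>
+<option name="charting.drilldown">none</option>
+</chart>
+</panel>
 <panel>
 <title>osquery Events by Host</title>
 <chart>
@@ -106,6 +118,33 @@
 <option name="refresh.display">progressbar</option>
 </chart>
 </panel>
+</row>
+<row>
+<panel>
+<title>Jack Crook's Hunting for Beacons Query</title>
+<table>
+<title>http://findingbad.blogspot.com/2020/05/hunting-for-beacons-part-2.html</title>
+<search>
+<query>index=zeek (dest_port=443 OR dest_port=80)
+| rename orig_bytes as bytes_out resp_bytes as bytes_in
+| stats count(bytes_out) as "beacon_count" values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out |eventstats sum(beacon_count) as total_count dc(bytes_out) as unique_count by src_ip,dest_ip
+| eval beacon_avg=('beacon_count' / 'total_count')
+| stats values(beacon_count) as beacon_count values(unique_count) as unique_count values(beacon_avg) as beacon_avg values(total_count) as total_count values(bytes_in) as bytes_in by src_ip,dest_ip,bytes_out
+| head 100
+| eval incount=mvcount(bytes_in)
+| eventstats avg(beacon_count) as overall_average
+| eval beacon_percentage=('beacon_count' / 'overall_average')
+| sort - beacon_percentage</query>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</search>
+<option name="count">20</option>
+<option name="drilldown">none</option>
+<option name="refresh.display">progressbar</option>
+</table>
+</panel>
+</row>
+<row>
 <panel>
 <title>Powershell Event Preview</title>
 <table>
@@ -116,6 +155,8 @@
 </search>
 <option name="count">1</option>
 <option name="drilldown">none</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
 </table>
 </panel>
 </row>
@@ -160,5 +201,18 @@
 <option name="trellis.size">medium</option>
 </chart>
 </panel>
+<panel>
+<chart>
+<search>
+<query>index=_internal source="*license_usage.log" type=usage idx="*" | eval MB = round(b/1048576,2) | timechart span=1h sum(MB) by idx</query>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.chart.stackMode">stacked</option>
+<option name="charting.drilldown">none</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
 </row>
 </dashboard>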
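Review bot: In the beaconing query added in the second hunk, `| head 100` is applied before `eventstats avg(beacon_count)` and before `sort - beacon_percentage`, so the table ranks only whichever 100 src_ip/dest_ip/bytes_out rows the preceding `stats` emits first (its output appears to be ordered by the split-by fields, not by count), and `overall_average` is computed from that subset rather than the full result, which quietly hides beacon candidates from hosts that sort later. If the intent is the top 100 by beacon_percentage, move the limit to the end, `| sort - beacon_percentage | head 100`, or drop `head` and let the panel's `count` option page the results. The `<row>` that this hunk closes is opened outside the hunk. Separately, the license-usage panel in the last hunk is the only new panel without a `<title>`; adding `<title>License Usage by Index (MB)</title>` would keep it consistent with the other panels.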