![]() 0.0 / 16 ) AND action = allowed AND ( dest_port = 80 OR dest_port = 443 ) NOT ( dest_ip = 10.0. (( tag = network tag = communicate ) OR ( index = pan_logs sourcetype = pan * traffic ) OR ( index =* sourcetype = opsec ) OR ( index =* sourcetype = cisco : asa ) ) ( src_ip = 10.0. It will show output when the bytes out is 3 standard deviations above the source's or organization's average for the latest day compared with the latest 30 days. The query below will output the user, the time, the source IP, the aggregated bytes sent out, the number of data samples, the number of standard deviations away from the source's average bytes sent per day, and the number of standard deviations away from the organization's average bytes sent per day. Users with a Large Increase in Web Traffic Moving out of the Network. For each query, I have included what I like to see for output. You can also use the "table" search command to specify what you'd like to see as output. These are massive searches and with current limits on my allotted hard disk space, I'm thinking about lowering the time frame to two or three weeks. The queries below can be modified for any time frame, but I've been running them with data from the last 30 days. These queries are specifically targeted to identify behaviors that could be viewed as data exfiltration. I've been working with Splunk at my job and wanted to provide some interesting queries that might assist with network data analytics for cyber security purposes. ![]() The result shows the mean and variance of the values of the field named bytes in rows organized by the http status values of the events.Splunk Queries for Identifying Data Exfiltration We continue using the same fields as shown in the previous examples. In the below example, we use the functions mean() & var() to achieve this. Statistically focused values like the mean and variance of fields is also calculated in a similar manner as given above by using appropriate functions with the stats command. We continue the previous example but instead of average, we now use the max(), min() and range function together in the stats command so that we can see how the range has been calculated by taking the difference between the values of max and min columns. The stats command can be used to display the range of the values of a numeric field by using the range function. In the below example, we find the average byte size of the files grouped by the various http status code linked to the events associated with those files. But with a by clause, it will give multiple rows depending on how the field is grouped by the additional new field. ![]() Without a BY clause, it will give a single record which shows the average value of the field for all the events. This function takes the field name as input. We can find the average value of a numeric field by using the avg() function. If a BY clause is used, one row is returned for each distinct value specified in the BY clause.īelow we see the examples on some frequently used stats command. If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set. ![]() The stats command works on the search results as a whole and returns only the fields that you specify.Įach time you invoke the stats command, you can use one or more functions. The stats command is used to calculate summary statistics on the results of a search or the events retrieved from an index. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |