Below you will find pages that utilize the taxonomy term “Splunk”
Advanced Splunk Techniques for Beginners
Welcome to the fascinating world of Splunk, a robust tool that converts machine data into insights that can help guide operational intelligence and business decisions. This post is designed for beginners eager to expand their Splunk knowledge.
Getting Started with Splunk
Splunk is a software platform used for searching, monitoring, and analyzing machine-generated data via a web-style interface. Setting up Splunk is straightforward:
Download and install the free version from their official website.
read on
Searching for Threats in Firewall Logs Using Splunk
To search for threats in firewall logs using Splunk, you need to craft a search query that looks for common indicators of malicious activity. Here’s a basic example to get you started:
Open Splunk and navigate to the Search & Reporting app, then enter a search query. A typical search for firewall logs might look like this:
index=firewall_logs sourcetype="firewall" | search action=blocked OR action=denied OR action=dropped | table _time src_ip dest_ip action signature | dedup src_ip dest_ip signature | sort _time
This query does the following:
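The filter, dedup and sort pipeline above, as an added example that is not part of the original post: a small Python script that applies the same logic offline to a handful of constructed firewall log lines. The sample records, their field names and the blocked_connections/top_sources function names are assumptions for illustration; the script is a cheap way to check what a query should return before running it against a large index.

```python
from collections import Counter
from datetime import datetime

# Constructed sample firewall events (not real logs), one key=value record per
# line, mimicking a sourcetype="firewall" extraction of action/src_ip/dest_ip/signature.
SAMPLE_FIREWALL_LOGS = """\
2024-03-01T10:00:01Z action=allowed src_ip=10.0.0.5 dest_ip=93.184.216.34 signature=-
2024-03-01T10:00:05Z action=denied src_ip=203.0.113.7 dest_ip=10.0.0.12 signature=SSH-BRUTE
2024-03-01T10:00:09Z action=blocked src_ip=203.0.113.7 dest_ip=10.0.0.12 signature=SSH-BRUTE
2024-03-01T10:01:00Z action=dropped src_ip=198.51.100.9 dest_ip=10.0.0.12 signature=PORT-SCAN
2024-03-01T09:59:30Z action=denied src_ip=203.0.113.7 dest_ip=10.0.0.44 signature=SMB-PROBE
"""

# The same three values the SPL search matches with
# action=blocked OR action=denied OR action=dropped.
BLOCKED_ACTIONS = {"blocked", "denied", "dropped"}


def parse_event(line):
    """Split one log line into a dict of fields plus a parsed _time."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def blocked_connections(raw_logs):
    """Mirror the SPL pipeline: keep blocked/denied/dropped events, dedup on
    (src_ip, dest_ip, signature), then sort ascending by _time."""
    events = [parse_event(line) for line in raw_logs.splitlines() if line.strip()]
    hits = [e for e in events if e.get("action") in BLOCKED_ACTIONS]

    # dedup keeps the first event seen per key in the order the events arrive.
    # Splunk returns events newest-first, so dedup before sort keeps the most
    # recent event per key there; this constructed input is in file order.
    seen = set()
    unique = []
    for event in hits:
        key = (event["src_ip"], event["dest_ip"], event["signature"])
        if key not in seen:
            seen.add(key)
            unique.append(event)
    return sorted(unique, key=lambda e: e["_time"])


def top_sources(rows):
    """Summarise the deduplicated rows per source address, highest count first
    (the offline equivalent of appending '| stats count by src_ip | sort -count')."""
    counts = Counter(row["src_ip"] for row in rows)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    rows = blocked_connections(SAMPLE_FIREWALL_LOGS)
    for row in rows:
        print(row["_time"], row["src_ip"], "->", row["dest_ip"], row["action"], row["signature"])
    print(top_sources(rows))
```

Splunk returns events newest-first by default, so placing dedup before sort keeps the most recent event for each src_ip/dest_ip/signature triple; if the earliest sighting of each pair is what you want, sort by _time first and dedup afterwards.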
read on
Logon and Logoff Times for Windows Users (Splunk)
A common Splunk question I am asked is how to determine how long an account was logged on to a Windows host. There are many opportunities for erroneous data: the same user may be logged on to several services or machines at once, and a logon and its matching logoff may fall on different days, which the per-day grouping below splits into two rows. With those caveats, a report can be generated along the following lines:
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634) | eval day=strftime(_time,"%m/%d/%Y") | stats earliest(_time) AS logon latest(_time) AS logoff by user host day | eval logon=strftime(logon,"%m/%d/%Y %H.
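As an added example that is not part of the original post, the following Python script contrasts the report's per-day earliest/latest approach with pairing each 4624 logon to the 4634 logoff that carries the same host and Logon ID, which is where it goes beyond the text. The event dicts are constructed sample data, and the Logon_ID field name and the two function names are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample events (not real Windows Security logs). Field names follow
# the Splunk WinEventLog:Security extractions used in the report (EventCode,
# user, host) plus Logon_ID, assumed here as the field that ties a 4624 to its 4634.
SAMPLE_WIN_EVENTS = [
    {"_time": "2024-03-01 08:00:00", "EventCode": 4624, "user": "alice", "host": "WS01",  "Logon_ID": "0x3E7A1"},
    {"_time": "2024-03-01 12:30:00", "EventCode": 4634, "user": "alice", "host": "WS01",  "Logon_ID": "0x3E7A1"},
    {"_time": "2024-03-01 23:00:00", "EventCode": 4624, "user": "bob",   "host": "WS02",  "Logon_ID": "0x51C00"},
    {"_time": "2024-03-02 01:00:00", "EventCode": 4634, "user": "bob",   "host": "WS02",  "Logon_ID": "0x51C00"},
    {"_time": "2024-03-01 09:00:00", "EventCode": 4624, "user": "alice", "host": "SRV01", "Logon_ID": "0x9A0"},
    {"_time": "2024-03-01 07:00:00", "EventCode": 4634, "user": "carol", "host": "WS03",  "Logon_ID": "0x1"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _ts(event):
    return datetime.strptime(event["_time"], TIME_FMT)


def daily_earliest_latest(events):
    """The report's approach: earliest and latest event per user, host and day,
    whatever the EventCode. Returns {(user, host, 'mm/dd/YYYY'): minutes}."""
    spans = {}
    for event in events:
        when = _ts(event)
        key = (event["user"], event["host"], when.strftime("%m/%d/%Y"))
        lo, hi = spans.get(key, (when, when))
        spans[key] = (min(lo, when), max(hi, when))
    return {key: int((hi - lo).total_seconds() // 60) for key, (lo, hi) in spans.items()}


def _session(logon, logoff):
    """Build one session row; duration is None unless both ends are present."""
    source = logon or logoff
    duration = None
    if logon and logoff:
        duration = int((_ts(logoff) - _ts(logon)).total_seconds() // 60)
    return {
        "user": source["user"],
        "host": source["host"],
        "logon": _ts(logon) if logon else None,
        "logoff": _ts(logoff) if logoff else None,
        "duration_minutes": duration,
    }


def sessions_by_logon_id(events):
    """Pair each 4624 with the 4634 carrying the same host and Logon_ID.
    Sessions still open at the end of the data have logoff=None; a 4634 with
    no 4624 in the data (logon before the search window) has logon=None."""
    open_sessions = {}
    results = []
    for event in sorted(events, key=_ts):
        key = (event["host"], event["Logon_ID"])
        if event["EventCode"] == 4624:
            open_sessions[key] = event
        elif event["EventCode"] == 4634:
            results.append(_session(open_sessions.pop(key, None), event))
    for logon in open_sessions.values():
        results.append(_session(logon, None))
    return results


if __name__ == "__main__":
    for session in sessions_by_logon_id(SAMPLE_WIN_EVENTS):
        print(session)
    print(daily_earliest_latest(SAMPLE_WIN_EVENTS))
```

The per-day version reports zero minutes for bob on both days because his session crosses midnight, while pairing by Logon ID yields the 120-minute session. The paired version also surfaces a logoff with no logon in the data, which usually means the search time range starts after the logon, and a logon with no logoff, which is either a still-active session or a host that never logged the 4634.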
read on