From 107b6c28bc99e6dc593cb29510a4f3b51db1c7ef Mon Sep 17 00:00:00 2001
From: Zak Scholl
Date: Tue, 25 Jan 2022 09:08:48 -0600
Subject: [PATCH 1/2] (fix): typo in README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 362d1c034..d300c5083 100644
--- a/README.md
+++ b/README.md
@@ -269,7 +269,7 @@ user sessions containing suspicious activity.
 ### cmd_line
-A module to support he detection of known malicious command line activity or suspicious
+A module to support the detection of known malicious command line activity or suspicious
 patterns of command line activity.
 ### domain_utils
From 99729d285ec7f4c5173326ac00c4b8fb4ad7215f Mon Sep 17 00:00:00 2001
From: Joey Dreijer
Date: Tue, 25 Jan 2022 21:53:15 +0100
Subject: [PATCH 2/2] Added predefined Splunk queries for alerts
---
 .../data/queries/splunk_alert_queries.yaml | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 msticpy/data/queries/splunk_alert_queries.yaml
diff --git a/msticpy/data/queries/splunk_alert_queries.yaml b/msticpy/data/queries/splunk_alert_queries.yaml
new file mode 100644
index 000000000..67509a5e1
--- /dev/null
+++ b/msticpy/data/queries/splunk_alert_queries.yaml
@@ -0,0 +1,72 @@
+metadata:
+ version: 1
+ description: Splunk Alert Queries (non-accelerated)
+ data_environments: [Splunk]
+ data_families: [SplunkDatamodel]
+ tags: ['alerts']
+defaults:
+ metadata:
+ data_source: 'bots'
+ parameters:
+ start:
+ description: Query start time
+ type: datetime
+ end:
+ description: Query end time
+ type: datetime
+ project_fields:
+ description: Project Field names
+ type: str
+ default: '| table _time, host, source, sourcetype, src, dest, description, type, user, severity, signature, subject, body, mitre_technique_id, signature_id, app'
+ add_query_items:
+ description: Additional query clauses
+ type: str
+ default: '| head 100'
+ field_rename:
+ description: Renames fields which are prepended by datamodel name
+ type: str
+ default: '|rename "Alerts.*" as *'
+ timeformat:
+ description: 'Datetime format to use in Splunk query'
+ type: str
+ default: '"%Y-%m-%d %H:%M:%S.%6N"'
+sources:
+ list_alerts:
+ description: Retrieves list of alerts
+ metadata:
+ data_families: [Alerts]
+ args:
+ query: '|datamodel Alerts Alerts search {field_rename} {project_fields} {add_query_items}'
+
+ list_alerts_for_src_ip:
+ description: Retrieves list of alerts with a common source IP Address
+ metadata:
+ data_families: [Alerts]
+ args:
+ query: '|datamodel Alerts Alerts search {field_rename}| search src={ip_address} {field_rename} {project_fields} {add_query_items}'
+ parameters:
+ ip_address:
+ description: The source IP Address to search on
+ type: str
+
+ list_alerts_for_dest_ip:
+ description: Retrieves list of alerts with a common destination IP Address
+ metadata:
+ data_families: [Alerts]
+ args:
+ query: '|datamodel Alerts Alerts search| search dest={ip_address} {field_rename} {project_fields} {add_query_items}'
+ parameters:
+ ip_address:
+ description: The source IP Address to search on
+ type: str
+
+ list_alerts_for_user:
+ description: Retrieves list of alerts with a common username
+ metadata:
+ data_families: [Alerts]
+ args:
+ query: '|datamodel Alerts Alerts search| search user={user} {field_rename} {project_fields} {add_query_items}'
+ parameters:
+ user:
+ description: The username to search on
+ type: str
\ No newline at end of file
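Review bot: None of the four `query` strings references `{start}`, `{end}` or `{timeformat}` even though `defaults.parameters` declares them, so the time range a caller passes is silently ignored and every query runs an unbounded `|datamodel Alerts Alerts search` capped only by the `| head 100` default; each query needs a time-bounding clause built from `{start}` and `{end}` (the exact SPL form depends on how this provider renders datetimes, which is not visible here). `{field_rename}` is also placed inconsistently: `list_alerts_for_src_ip` applies it both before and after `| search src=`, while `list_alerts_for_dest_ip` and `list_alerts_for_user` apply it only after their filter, and since the rename's own description says datamodel fields arrive prefixed, the `dest=` and `user=` filters in those two likely match nothing until the rename has run — move the rename ahead of the filter in all three and drop the duplicate. The `ip_address` and `user` values are interpolated unquoted, so a value containing whitespace or a pipe changes the query structure; quoting the placeholders, `src="{ip_address}"`, `dest="{ip_address}"` and `user="{user}"`, keeps each value a single search term. The `ip_address` description under `list_alerts_for_dest_ip` is copied from the src_ip query and should read `The destination IP Address to search on`; the file also ends without a trailing newline.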