###### Lookup Generating Searches ###### ## CIM - Vendor Product Tracker - Lookup Gen Breakdown ## 1 - get vendor_product values from Malware data model ## 2 - field renaming ## 3 - set model="Malware" ## 4 - get vendor_product values from Network_Traffic data model ## 5 - field renaming ## 6 - set model="Network_Traffic" ## 7 - get vendor_product values from Intrusion_Detection data model ## 8 - field renaming ## 9 - set model="Intrusion_Detection" ## 10 - get vendor_product values from Vulnerability namespace ## 11 - field renaming ## 12 - set model="Vulnerabilities" ## 13 - consolidate vendor_product values ## 14 - input existing values ## 15 - consolidate vendor_product values for the second time ## 16 - write lookup ## 17 - purge results [CIM - Vendor Product Tracker - Lookup Gen] action.email.sendresults = 0 cron_schedule = 5,20,35,50 * * * * description = Maintains a list of vendor_product values and the first and last time they have been seen dispatch.earliest_time = -30m@m dispatch.latest_time = +0s enableSched = 0 is_visible = false search = | tstats prestats=true summariesonly=true min(_time),max(_time) from datamodel=Malware.Malware_Attacks by Malware_Attacks.vendor_product | `drop_dm_object_name("Malware_Attacks")` | eval model="Malware" | tstats prestats=true summariesonly=true append=true min(_time),max(_time) from datamodel=Network_Traffic.All_Traffic by All_Traffic.vendor_product | `drop_dm_object_name("All_Traffic")` | eval model=if(isnull(model),"Network_Traffic",model) | tstats prestats=true summariesonly=true append=true min(_time),max(_time) from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.vendor_product | `drop_dm_object_name("IDS_Attacks")` | eval model=if(isnull(model),"Intrusion_Detection",model) | tstats prestats=true summariesonly=true append=true min(_time),max(_time) from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.vendor_product | `drop_dm_object_name("Vulnerabilities")` | eval model=if(isnull(model),"Vulnerabilities",model) | stats min(_time) as firstTime,max(_time) as lastTime by vendor_product,model | inputlookup append=true cim_vendor_product_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by vendor_product,model | outputlookup override_if_empty=false cim_vendor_product_tracker | stats count ###### Report Searches ###### [CIM - Top Data Model Accelerations] description = Maintains a data cube of DMA statistics for use in Datamodel Audit view dispatchAs = user dispatch.latest_time = now is_visible = false search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | join type=outer last_sid [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* | rename sid as last_sid | fields last_sid,runDuration] | eval "size(MB)"=round(size/1048576,1), "retention(days)"=if(retention==0,"unlimited",round(retention/86400,1)), "complete(%)"=round(complete*100,1), "runDuration(s)"=round(runDuration,1) [CIM - Top Data Model Accelerations By Size] action.email.reportServerEnabled = 0 alert.track = 0 dispatch.latest_time = now display.general.enablePreview = 1 display.general.timeRangePicker.show = false display.general.type = visualizations display.statistics.rowNumbers = 0 display.statistics.wrap = 0 display.visualizations.charting.chart = bar display.visualizations.charting.drilldown = all display.visualizations.chartHeight = 350 display.visualizations.show = 1 search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | eval size(MB)=size/1048576 | sort 100 - size | table datamodel,size(MB) [CIM - Top Data Model Accelerations By Run Duration] action.email.reportServerEnabled = 0 alert.track = 0 dispatch.latest_time = now display.general.enablePreview = 1 display.general.timeRangePicker.show = false display.general.type = visualizations display.statistics.rowNumbers = 0 display.statistics.wrap = 0 display.visualizations.charting.chart = bar display.visualizations.charting.drilldown = all display.visualizations.chartHeight = 350 display.visualizations.show = 1 search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | join type=outer last_sid [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* | rename sid as last_sid | fields last_sid,runDuration] | sort 100 - runDuration | table datamodel,runDuration [CIM - Data Model Acceleration Details] action.email.reportServerEnabled = 0 alert.track = 0 dispatch.latest_time = now display.general.enablePreview = 1 display.general.timeRangePicker.show = false display.general.type = statistics display.statistics.drilldown = row display.statistics.rowNumbers = 0 display.statistics.wrap = 0 display.visualizations.show = 0 search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | eval size(MB)=round(size/1048576,1) | eval retention(days)=retention/86400 | eval complete(%)=round(complete*100,1) | sort 100 + datamodel | fieldformat earliest=strftime(earliest, "%m/%d/%Y %H:%M:%S") | fieldformat latest=strftime(latest, "%m/%d/%Y %H:%M:%S") | fields datamodel,app,cron,retention(days),earliest,latest,is_inprogress,complete(%),size(MB),last_error