[360 by Account]
action.email.useNSSubject = 1
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 15 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = line
display.visualizations.custom.type = network_topology.network_topology
display.visualizations.show = 0
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = InfoSec
request.ui_dispatch_view = search
schedule_window = auto
search = `infosec-indexes` (tag=security OR tag=attack) \
| bucket span=1h@h _time \
| eval tag=mvfilter(match(tag, "failure") OR match(tag, "success") OR match(tag, "access") OR match(tag, "add") OR match(tag, "change") OR match(tag, "delete") OR match(tag, "error") OR match(tag, "misconfiguration") OR match(tag, "vulnerability") OR match(tag, "attack") OR match(tag, "lock") OR match(tag, "cleared") OR match(tag, "email")) \
| stats count, dc(user) AS dc by tag, _time \
| eval hours=tostring(-floor((now() - _time)/3600))."h"\
| eval hours=if(hours=="0h","now",hours) \
| sort _time \
| fields hours, tag, count, dc

[360 by Host]
action.email.useNSSubject = 1
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 30 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = line
display.visualizations.custom.type = network_topology.network_topology
display.visualizations.show = 0
display.visualizations.type = singlevalue
enableSched = 1
request.ui_dispatch_app = InfoSec
request.ui_dispatch_view = search
schedule_window = auto
search = `infosec-indexes` (tag=security OR tag=attack) \
| bucket span=1h@h _time \
| eval tag=mvfilter(match(tag, "failure") OR match(tag, "success") OR match(tag, "access") OR match(tag, "add") OR match(tag, "change") OR match(tag, "delete") OR match(tag, "error") OR match(tag, "misconfiguration") OR match(tag, "vulnerability") OR match(tag, "attack") OR match(tag, "lock") OR match(tag, "cleared") OR match(tag, "email")) \
| stats count, dc(host) AS dc by tag, _time \
| eval hours=tostring(-floor((now() - _time)/3600))."h"\
| eval hours=if(hours=="0h","now",hours) \
| sort _time \
| fields hours, tag, count, dc

[Geographically Improbable Access]
alert.digest_mode = 0
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 7 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = InfoSec_App_for_Splunk
request.ui_dispatch_view = search
search = | tstats summariesonly=true allow_old_summaries=true values(Authentication.app) as app from datamodel=Authentication.Authentication by Authentication.user, Authentication.src _time span=1s \
| rename "Authentication.*" as "*" \
| eventstats dc(src) as src_count by user \
| search src_count>1 \
| sort 0 + _time \
| iplocation src \
| where isnotnull(lat) AND isnotnull(lon) \
| streamstats window=2 global=false earliest(lat) as prev_lat, earliest(lon) as prev_lon, earliest(_time) as prev_time, earliest(src) as prev_src, earliest(City) as prev_city, earliest(Country) as prev_country, earliest(app) as prev_app by user \
| where (src != prev_src) \
| eval lat1_r=((lat * 3.14159265358) / 180), lat2_r=((prev_lat * 3.14159265358) / 180), delta=(((prev_lon - lon) * 3.14159265358) / 180), distance=(3959 * acos(((sin(lat1_r) * sin(lat2_r)) + ((cos(lat1_r) * cos(lat2_r)) * cos(delta))))), distance=round(distance,2) \
| fields - lat1_r, lat2_r, long1_r, long2_r, delta \
| eval time_diff=if((('_time' - prev_time) == 0),1,('_time' - prev_time)), speed=round(((distance * 3600) / time_diff),2) \
| where (speed > 500) \
| eval prev_time=strftime(prev_time,"%Y-%m-%d %H:%M:%S")\
| table user, src, _time, City, Country, app, prev_src, prev_time, prev_city, prev_country, prev_app, distance, speed

[Suspected Network Scanning]
alert.severity = 2
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */30 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = InfoSec_App_for_Splunk
request.ui_dispatch_view = search
search = | tstats summariesonly=t allow_old_summaries=t dc(All_Traffic.dest_port) as num_dest_port dc(All_Traffic.dest_ip) as num_dest_ip from datamodel=Network_Traffic by All_Traffic.src_ip \
| rename "All_Traffic.*" as "*"\
| where num_dest_port > 100 OR num_dest_ip > 100 \
| sort - num_dest_ip

[Critical Severity Intrusion]
alert.severity = 5
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = InfoSec_App_for_Splunk
request.ui_dispatch_view = search
search = | tstats local=false summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.severity="critical" by IDS_Attacks.signature, IDS_Attacks.severity | rename "IDS_Attacks.*" as "*"

[High Severity Intrusion]
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = InfoSec_App_for_Splunk
request.ui_dispatch_view = search
search = | tstats local=false summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.severity="high" by IDS_Attacks.signature, IDS_Attacks.severity | rename "IDS_Attacks.*" as "*"

[Brute Force Attack]
alert.severity = 5
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 45 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = InfoSec_App_for_Splunk
request.ui_dispatch_view = search
search = | tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src \
| rename Authentication.src as source, Authentication.action as action \
| chart last(count) over source by action \
| where success>0 and failure>20 \
| sort -failure \
| rename failure as failures \
| fields - success, unknown

[Locked Out Accounts]
alert.severity = 2
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = InfoSec_App_for_Splunk
request.ui_dispatch_view = search
search = `wineventlog-index` EventCode=4740 | table user, _time