##################### ## Global ##################### [get_signature(1)] args = value definition = (signature="*$value$*" OR signature_id="*$value$*") [make_subject(1)] args = subjectField definition = eval "$subjectField$"=case(isnotnull('$subjectField$'), '$subjectField$', isnotnull('$subjectField$_dns'), '$subjectField$_dns', isnotnull('$subjectField$_nt_host'), '$subjectField$_nt_host', isnotnull('$subjectField$_mac'), '$subjectField$_mac', isnotnull('$subjectField$_ip'), '$subjectField$_ip') errormsg = subject field (arg1) must be one of: host, orig_host, src, dest, or dvc iseval = 0 validation = subjectField=="host" OR subjectField=="orig_host" OR subjectField=="src" OR subjectField=="dest" OR subjectField=="dvc" ## This macro allows seamless searching of all CIM fields for a given subject (host/orig_host/src/dest/dvc) ## Useful when performing drilldowns/drillacross ## For example, `get_subject(src, 1.2.3.4)` produces (src="1.2.3.4" OR src_ip="1.2.3.4" OR src_mac="1.2.3.4" OR src_nt_host="1.2.3.4" OR src_dns="1.2.3.4") [get_subject(2)] args = subjectField, bestmatch definition = ($subjectField$="$bestmatch$" OR $subjectField$_ip="$bestmatch$" OR $subjectField$_mac="$bestmatch$" OR $subjectField$_nt_host="$bestmatch$" OR $subjectField$_dns="$bestmatch$") errormsg = subject field (arg1) must be one of: host, orig_host, src, dest, or dvc iseval = 0 validation = subjectField=="host" OR subjectField=="orig_host" OR subjectField=="src" OR subjectField=="dest" OR subjectField=="dvc" ## This macro allows seamless searching of all CIM fields for a given user (src_user/user) ## This macro also performs inference by searching the $user$_identity fields [get_user(1)] args = user definition = (`get_src_user_only($user$)` OR `get_user_only($user$)`) [get_src_user_only(1)] args = src_user definition = (src_user="$src_user$" OR src_user_identity="$src_user$") [get_user_only(1)] args = user definition = (user="$user$" OR user_identity="$user$") ## Swap two fields conditionally based on a tag in the event. # # The tag must be of the form "swap__" AND # be in the field named "tagField". [swap_if_tagged(3)] args = first, second, tagField definition = eval swapTmp='$second$' | eval "$second$"=if('$tagField$'="swap_$first$_$second$", '$first$', '$second$') | eval "$first$"=if('$tagField$'="swap_$first$_$second$", swapTmp, '$first$') | fields - swapTmp ## Remap fields to account for deficiencies in source data that cannot be ## handled at the TA level. # # Rationale: # # In some cases IDS systems use the CIM field "src" as the field of interest. # This is often the case for wireless attacks where the target is a broadcast domain. # In this case, we want to map "src" into "dest" so it will show up # in the IDS tracker, but ONLY for certain events. This macro does that and # is used in many of the base-level macros such as "authentication" to apply such # transformations globally. [remap_subjects] definition = tags outputfield=evtTags | `swap_if_tagged(src, dest, evtTags)` | fields - evtTags ## vendor_product [get_vendor_product] definition = eval vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") ##################### ## Common Action Model ##################### [modular_action_invocations(2)] args = sid,rid definition = tstats summariesonly=false latest(Modular_Actions.action_status) as action_status from datamodel=Splunk_Audit.Modular_Actions where Modular_Actions.action_name!="unknown" (Modular_Actions.sid="$sid$" Modular_Actions.rid="$rid$") OR (Modular_Actions.orig_sid="$sid$" Modular_Actions.orig_rid="$rid$") by _time,nodename,Modular_Actions.action_name,Modular_Actions.sid,Modular_Actions.rid,Modular_Actions.action_mode,Modular_Actions.user span=1s | `drop_dm_object_name("Modular_Actions")` | eventstats latest(action_status) as action_status by action_name,sid,rid | search nodename="Modular_Actions.Modular_Action_Invocations" | sort 0 -_time | join type=outer action_name [| rest splunk_server=local count=0 /services/alerts/alert_actions | spath input=param._cam path=drilldown_uri output=action_drilldown_uri | rename title as action_name,label as action_label | fields action_name,action_label,action_drilldown_uri] | eval action_label=if(isnotnull(action_label),action_label,action_name),epoch_time=_time | fields _time,epoch_time,action_status,action_name,action_label,action_mode,action_drilldown_uri,sid,rid,user ## Lookups [cam_action_modes] definition = inputlookup append=T cam_action_mode_lookup | eval action_mode=lower(action_mode) | dedup action_mode | sort + action_mode [cam_action_statuses] definition = inputlookup append=T cam_action_status_lookup | eval action_status=lower(action_status) | dedup action_status | sort + action_status [cam_categories] definition = inputlookup append=T cam_category_lookup | dedup category | sort + category [cam_tasks] definition = inputlookup append=T cam_task_lookup | eval task=lower(task) | dedup task | sort + task [cam_subjects] definition = inputlookup append=T cam_subject_lookup | eval subject=lower(subject) | dedup subject | sort + subject [cam_workers] definition = inputlookup append=T cam_worker_lookup | append[| makeresults | eval worker_set="local",cam_workers="[\"local\"]"] | dedup worker_set | spath input=cam_workers | where isnotnull('{}') | table worker_set,cam_workers | sort + worker_set ##################### ## CIM Filters ##################### [cim_filter_known_scanners] definition = NOT (host_category="known_scanner" OR orig_host_category="known_scanner" OR dvc_category="known_scanner" OR src_category="known_scanner" OR dest_category="known_scanner") [cim_filter_known_scanners(1)] args = object definition = NOT ($object$.host_category="known_scanner" OR $object$.orig_host_category="known_scanner" OR $object$.dvc_category="known_scanner" OR $object$.src_category="known_scanner" OR $object$.dest_category="known_scanner") [cim_filter_vuln_severity] definition = (severity!="informational" AND severity!="low") [cim_filter_vuln_severity(1)] args = object definition = ($object$.severity!="informational" AND $object$.severity!="low") [cim_filter_unknown_values(1)] args = field definition = ($field$!="-" $field$!="n/a" $field$!="unknown") ##################### ## CIM Lookups ##################### ###### Access Protection ###### [cim_access_actions] definition = inputlookup append=T cim_access_action_lookup | eval action=lower(action) | dedup action ###### Change Analysis ##### [cim_endpoint_actions] definition = inputlookup append=T cim_endpoint_action_lookup | eval action=lower(action) | dedup action | sort + action [cim_endpoint_object_categories] definition = inputlookup append=T cim_endpoint_object_category_lookup | eval object_category=lower(object_category) | dedup object_category | sort + object_category ## no sort here (severity order dictated by order in file) [cim_endpoint_severities] definition = inputlookup append=T cim_endpoint_severity_lookup | eval severity=lower(severity) | dedup severity [cim_endpoint_statuses] definition = inputlookup append=T cim_endpoint_status_lookup | eval status=lower(status) | dedup status | sort + status [cim_endpoint_user_types] definition = inputlookup append=T cim_endpoint_user_type_lookup | eval user_type=lower(user_type) | dedup user_type | sort + user_type ###### Cloud ###### [cloud_domains] definition = inputlookup append=T cim_cloud_domain_lookup [cloud_domain_search(1)] args = field definition = [| `cloud_domains` | rename domain as $field$ | fields $field$ | format | fields search] [cloud_email_search(1)] args = field definition = [| `cloud_domains` | search is_email=true | rename domain as $field$ | fields $field$ | format | fields search] [cloud_storage_search(1)] args = field definition = [| `cloud_domains` | search is_storage=true | rename domain as $field$ | fields $field$ | format | fields search] ###### Data Loss Prevention ###### [cim_dlp_actions] definition = inputlookup append=T cim_dlp_action_lookup | eval action=lower(action) | dedup action | sort + action [cim_dlp_object_categories] definition = inputlookup append=T cim_dlp_object_category_lookup | eval object_category=lower(object_category) | dedup object_category | sort + object_category [cim_dlp_types] definition = inputlookup append=T cim_dlp_type_lookup | eval dlp_type=lower(dlp_type) | dedup dlp_type | sort + dlp_type ###### DNS ###### [cim_dns_reply_codes] definition = inputlookup append=T cim_dns_reply_code_lookup | dedup reply_code | sort + reply_code ###### Email ###### [cim_email_protocols] definition = inputlookup append=T cim_email_protocol_lookup | sort + protocol [cim_corporate_email_domains] definition = inputlookup append=T cim_corporate_email_domain_lookup [cim_corporate_email_domain_search(1)] args = field definition = [| `cim_corporate_email_domains` | rename domain as $field$ | format | fields search] ###### IDS ###### ## no sort here (severity order dictated by order in file) [cim_ids_severities] definition = inputlookup append=T cim_ids_severity_lookup | eval severity=lower(severity) | dedup severity [cim_ids_types] definition = inputlookup append=T cim_ids_type_lookup | eval ids_type=lower(ids_type) | dedup ids_type | sort + ids_type ###### Malware ###### [cim_malware_actions] definition = inputlookup append=T cim_malware_action_lookup | eval action=lower(action) | dedup action | sort + action ###### Traffic ###### [cim_traffic_actions] definition = inputlookup append=T cim_traffic_action_lookup | eval action=lower(action) | dedup action | sort + action [cim_transport_protocols] definition = inputlookup append=T cim_transport_protocol_lookup | eval transport=lower(transport) | dedup transport | sort + transport ###### Proxy ###### [cim_http_methods] definition = inputlookup append=T cim_http_method_lookup | eval http_method=lower(http_method) | dedup http_method [cim_http_statuses] definition = inputlookup append=T cim_http_status_lookup ###### System Updates ###### [cim_update_statii] definition = inputlookup append=T cim_update_status_lookup | eval status=lower(status) | dedup status | sort + status ###### Vendor Product Tracker ###### [cim_vendor_product_tracker] definition = inputlookup append=T cim_vendor_product_tracker [vendor_product_tracker(1)] args = model definition = inputlookup append=T cim_vendor_product_tracker | search model="$model$" ###### Vulnerabilities ###### ## no sort here (severity order dictated by order in file) [cim_vuln_severities] definition = inputlookup append=T cim_vuln_severity_lookup | eval severity=lower(severity) | dedup severity ##### Web ##### [cim_corporate_web_domains] definition = inputlookup append=T cim_corporate_web_domain_lookup [cim_corporate_web_domain_search(1)] args = field definition = [| `cim_corporate_web_domains` | rename domain as $field$ | format | fields search] ##################### ## Data Models ##################### [add_dm_object_name(1)] args = object definition = rename * as "$object$.*" ## DEPRECATED. [drop_dm_object_name(1)] args = object definition = rename "$object$.*" as * ## DEPRECATED in favor of | from command. [datamodel(2)] args = model,object definition = datamodel $model$ $object$ search [recommended_datamodel_attributes(2)] args = model,object definition = datamodel "$model$" "$object$" | spath output=calcs path=calculations{} | spath output=fields path=fields{} | eval outfields=mvappend(fields,NULL,calcs) | mvexpand outfields | spath output=fields input=outfields path=outputFields{} | eval fields=if(isnull(fields),outfields,fields) | mvexpand fields | spath output=field input=fields path=fieldName | spath output=recommended input=fields path=comment.recommended | search recommended="true" | table field | sort field ## Datamodel index filters [cim_Alerts_indexes] definition = () ## This macro has been deprecated [cim_Application_State_indexes] definition = () [cim_Authentication_indexes] definition = () [cim_Certificates_indexes] definition = () ## This macro has been deprecated [cim_Change_Analysis_indexes] definition = () [cim_Change_indexes] definition = () [cim_Compute_Inventory_indexes] definition = () [cim_DLP_indexes] definition = () [cim_Databases_indexes] definition = () [cim_Data_Access_indexes] definition = () [cim_Email_indexes] definition = () [cim_Endpoint_indexes] definition = () [cim_Event_Signatures_indexes] definition = () [cim_Interprocess_Messaging_indexes] definition = () [cim_Intrusion_Detection_indexes] definition = () [cim_JVM_indexes] definition = () [cim_Malware_indexes] definition = () [cim_Network_Resolution_indexes] definition = () [cim_Network_Sessions_indexes] definition = () [cim_Network_Traffic_indexes] definition = () [cim_Performance_indexes] definition = () [cim_Ticket_Management_indexes] definition = () [cim_Updates_indexes] definition = () [cim_Vulnerabilities_indexes] definition = () [cim_Web_indexes] definition = () [cim_datamodelinfo] definition = rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval key=replace('title',"tstats:DM_".'eai:acl.app'."_",""),datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","") | join type=left key [| rest /services/data/models splunk_server=local count=0 | table title acceleration.cron_schedule eai:digest | rename title as key | rename acceleration.cron_schedule AS cron] | table datamodel eai:acl.app summary.access_time summary.is_inprogress summary.size summary.latest_time summary.complete summary.buckets_size summary.buckets cron summary.last_error summary.time_range summary.id summary.mod_time eai:digest summary.earliest_time summary.last_sid summary.access_count | rename summary.id AS summary_id, summary.time_range AS retention, summary.earliest_time as earliest, summary.latest_time as latest, eai:digest as digest | rename summary.* AS *, eai:acl.* AS * | sort datamodel