admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2444c9a8a5'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_SA_CIM/default/savedsearches.conf

83 lines
5.8 KiB
Raw Blame History

###### Lookup Generating Searches ######
## CIM - Vendor Product Tracker - Lookup Gen Breakdown
## 1 - get vendor_product values from Malware data model
## 2 - field renaming
## 3 - set model="Malware"
## 4 - get vendor_product values from Network_Traffic data model
## 5 - field renaming
## 6 - set model="Network_Traffic"
## 7 - get vendor_product values from Intrusion_Detection data model
## 8 - field renaming
## 9 - set model="Intrusion_Detection"
## 10 - get vendor_product values from Vulnerability namespace
## 11 - field renaming
## 12 - set model="Vulnerabilities"
## 13 - consolidate vendor_product values
## 14 - input existing values
## 15 - consolidate vendor_product values for the second time
## 16 - write lookup
## 17 - purge results
[CIM - Vendor Product Tracker - Lookup Gen]
action.email.sendresults = 0
cron_schedule = 5,20,35,50 * * * *
description = Maintains a list of vendor_product values and the first and last time they have been seen
dispatch.earliest_time = -30m@m
dispatch.latest_time = +0s
enableSched = 0
is_visible = false
search = | tstats prestats=true summariesonly=true min(_time),max(_time) from datamodel=Malware.Malware_Attacks by Malware_Attacks.vendor_product | `drop_dm_object_name("Malware_Attacks")` | eval model="Malware" | tstats prestats=true summariesonly=true append=true min(_time),max(_time) from datamodel=Network_Traffic.All_Traffic by All_Traffic.vendor_product | `drop_dm_object_name("All_Traffic")` | eval model=if(isnull(model),"Network_Traffic",model) | tstats prestats=true summariesonly=true append=true min(_time),max(_time) from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.vendor_product | `drop_dm_object_name("IDS_Attacks")` | eval model=if(isnull(model),"Intrusion_Detection",model) | tstats prestats=true summariesonly=true append=true min(_time),max(_time) from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.vendor_product | `drop_dm_object_name("Vulnerabilities")` | eval model=if(isnull(model),"Vulnerabilities",model) | stats min(_time) as firstTime,max(_time) as lastTime by vendor_product,model | inputlookup append=true cim_vendor_product_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by vendor_product,model | outputlookup override_if_empty=false cim_vendor_product_tracker | stats count
###### Report Searches ######
[CIM - Top Data Model Accelerations]
description = Maintains a data cube of DMA statistics for use in Datamodel Audit view
dispatchAs = user
dispatch.latest_time = now
is_visible = false
search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | join type=outer last_sid [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* | rename sid as last_sid | fields last_sid,runDuration] | eval "size(MB)"=round(size/1048576,1), "retention(days)"=if(retention==0,"unlimited",round(retention/86400,1)), "complete(%)"=round(complete*100,1), "runDuration(s)"=round(runDuration,1)
[CIM - Top Data Model Accelerations By Size]
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.latest_time = now
display.general.enablePreview = 1
display.general.timeRangePicker.show = false
display.general.type = visualizations
display.statistics.rowNumbers = 0
display.statistics.wrap = 0
display.visualizations.charting.chart = bar
display.visualizations.charting.drilldown = all
display.visualizations.chartHeight = 350
display.visualizations.show = 1
search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | eval size(MB)=size/1048576 | sort 100 - size | table datamodel,size(MB)
[CIM - Top Data Model Accelerations By Run Duration]
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.latest_time = now
display.general.enablePreview = 1
display.general.timeRangePicker.show = false
display.general.type = visualizations
display.statistics.rowNumbers = 0
display.statistics.wrap = 0
display.visualizations.charting.chart = bar
display.visualizations.charting.drilldown = all
display.visualizations.chartHeight = 350
display.visualizations.show = 1
search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | join type=outer last_sid [| rest splunk_server=local count=0 /services/search/jobs reportSearch=summarize* | rename sid as last_sid | fields last_sid,runDuration] | sort 100 - runDuration | table datamodel,runDuration
[CIM - Data Model Acceleration Details]
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.latest_time = now
display.general.enablePreview = 1
display.general.timeRangePicker.show = false
display.general.type = statistics
display.statistics.drilldown = row
display.statistics.rowNumbers = 0
display.statistics.wrap = 0
display.visualizations.show = 0
search = | `datamodel("Splunk_Audit", "Datamodel_Acceleration")` | `drop_dm_object_name("Datamodel_Acceleration")` | eval size(MB)=round(size/1048576,1) | eval retention(days)=retention/86400 | eval complete(%)=round(complete*100,1) | sort 100 + datamodel | fieldformat earliest=strftime(earliest, "%m/%d/%Y %H:%M:%S") | fieldformat latest=strftime(latest, "%m/%d/%Y %H:%M:%S") | fields datamodel,app,cron,retention(days),earliest,latest,is_inprogress,complete(%),size(MB),last_error
Reference in new issue View Git Blame Copy Permalink