admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2444c9a8a5'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_Security_Essentials/default/macros.conf

71 lines
4.2 KiB
Raw Blame History

[Load_Sample_Log_Data(1)]
args = label
definition = inputlookup [| inputlookup SampleDataList | search label="$label$" | rename lookup as search | table search]
[Sort_MITRE]
definition = fields "Initial Access" "Execution" "Persistence" "Privilege Escalation" "Defense Evasion" "Credential Access" "Discovery" "Lateral Movement" "Collection" "Command and Control" "Exfiltration" "Impact"
[Sort_MITRE_Rows(1)]
definition = eval eventOrderTactic = case($fieldname$="Initial Access", 1, $fieldname$="Execution", 2, $fieldname$="Persistence", 3, $fieldname$="Privilege Escalation", 4, $fieldname$="Defense Evasion", 5, $fieldname$="Credential Access", 6, $fieldname$="Discovery", 7, $fieldname$="Lateral Movement", 8, $fieldname$="Collection", 9, $fieldname$="Command and Control", 10, $fieldname$="Exfiltration", 11, $fieldname$="Impact", 12, 1=1, 13) | sort eventOrderTactic | fields - eventOrderTactic
args = fieldname
[Init_All_MITRE_Rows(2)]
definition = append [| makeresults | eval $fieldname$="Initial Access", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Execution", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Persistence", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Privilege Escalation", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Defense Evasion", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Credential Access", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Discovery", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Lateral Movement", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Collection", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Command and Control", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Exfiltration", $countfield$=0 | fields - _time ] | append [| makeresults | eval $fieldname$="Impact", $countfield$=0 | fields - _time ]
args = fieldname,countfield
[User_to_Index_Provisioning_From_Data_Governance_App]
definition = rest splunk_server=local /services/authentication/users \
| eval roles=mvjoin(roles,", ") \
| fields title, roles \
| rename title as username \
| makemv delim=", " roles \
| mvexpand roles \
| rename roles as role \
| join max=1 overwrite=1 type=inner usetime=0 role \
[| rest splunk_server=local /services/authorization/roles \
| rename title as role \
| fillnull value="" \
| fields role, srchIndexesAllowed] \
| fields username, srchIndexesAllowed \
| rex field=srchIndexesAllowed mode=sed "s/\s/,/g" \
| makemv delim="," srchIndexesAllowed \
| mvcombine srchIndexesAllowed \
| mvcombine srchIndexesAllowed \
| rex field=srchIndexesAllowed mode=sed "s/\s/,/g" \
| makemv delim="," srchIndexesAllowed \
| eventstats values(srchIndexesAllowed) AS didx by username \
| fields username, didx \
| mvcombine didx \
| rex field=didx mode=sed "s/\s/, /g" \
| rename didx as accessible_indexes \
| join max=1 overwrite=1 type=inner usetime=0 username \
[| rest splunk_server=local /services/authentication/users \
| eval roles=mvjoin(roles,", ") \
| rename title as username \
| fields username, roles] \
| makemv delim=", " accessible_indexes \
| mvexpand accessible_indexes \
| join max=1 overwrite=1 type=outer usetime=0 accessible_indexes \
[| rest /services/data/indexes \
| fields title \
| dedup title \
| where match(title,"^_\\w+$") \
| mvcombine title \
| eval title=mvjoin(title,", ") \
| rename title as expanded_indexes \
| eval accessible_indexes="_*"] \
| join max=1 overwrite=1 type=outer usetime=0 accessible_indexes \
[| rest /services/data/indexes \
| fields title \
| dedup title \
| where match(title,"^[^_]+$") \
| mvcombine title \
| eval title=mvjoin(title,", ") \
| rename title as expanded_indexes \
| eval accessible_indexes="*"] \
| eval accessible_indexes=if(match(accessible_indexes,"^(?:_\\*|\\*)$"),expanded_indexes,accessible_indexes) \
| fields - expanded_indexes \
| makemv delim=", " accessible_indexes \
| mvexpand accessible_indexes
iseval = 0
Reference in new issue View Git Blame Copy Permalink