You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
340 lines
14 KiB
340 lines
14 KiB
|
|
#####################
|
|
## Global
|
|
#####################
|
|
[get_signature(1)]
|
|
args = value
|
|
definition = (signature="*$value$*" OR signature_id="*$value$*")
|
|
|
|
[make_subject(1)]
|
|
args = subjectField
|
|
definition = eval "$subjectField$"=case(isnotnull('$subjectField$'), '$subjectField$', isnotnull('$subjectField$_dns'), '$subjectField$_dns', isnotnull('$subjectField$_nt_host'), '$subjectField$_nt_host', isnotnull('$subjectField$_mac'), '$subjectField$_mac', isnotnull('$subjectField$_ip'), '$subjectField$_ip')
|
|
errormsg = subject field (arg1) must be one of: host, orig_host, src, dest, or dvc
|
|
iseval = 0
|
|
validation = subjectField=="host" OR subjectField=="orig_host" OR subjectField=="src" OR subjectField=="dest" OR subjectField=="dvc"
|
|
|
|
|
|
## This macro allows seamless searching of all CIM fields for a given subject (host/orig_host/src/dest/dvc)
|
|
## Useful when performing drilldowns/drillacross
|
|
## For example, `get_subject(src, 1.2.3.4)` produces (src="1.2.3.4" OR src_ip="1.2.3.4" OR src_mac="1.2.3.4" OR src_nt_host="1.2.3.4" OR src_dns="1.2.3.4")
|
|
[get_subject(2)]
|
|
args = subjectField, bestmatch
|
|
definition = ($subjectField$="$bestmatch$" OR $subjectField$_ip="$bestmatch$" OR $subjectField$_mac="$bestmatch$" OR $subjectField$_nt_host="$bestmatch$" OR $subjectField$_dns="$bestmatch$")
|
|
errormsg = subject field (arg1) must be one of: host, orig_host, src, dest, or dvc
|
|
iseval = 0
|
|
validation = subjectField=="host" OR subjectField=="orig_host" OR subjectField=="src" OR subjectField=="dest" OR subjectField=="dvc"
|
|
|
|
|
|
## This macro allows seamless searching of all CIM fields for a given user (src_user/user)
|
|
## This macro also performs inference by searching the $user$_identity fields
|
|
[get_user(1)]
|
|
args = user
|
|
definition = (`get_src_user_only($user$)` OR `get_user_only($user$)`)
|
|
|
|
[get_src_user_only(1)]
|
|
args = src_user
|
|
definition = (src_user="$src_user$" OR src_user_identity="$src_user$")
|
|
|
|
[get_user_only(1)]
|
|
args = user
|
|
definition = (user="$user$" OR user_identity="$user$")
|
|
|
|
|
|
## Swap two fields conditionally based on a tag in the event.
|
|
#
|
|
# The tag must be of the form "swap_<field1>_<field2>" AND
|
|
# be in the field named "tagField".
|
|
[swap_if_tagged(3)]
|
|
args = first, second, tagField
|
|
definition = eval swapTmp='$second$' | eval "$second$"=if('$tagField$'="swap_$first$_$second$", '$first$', '$second$') | eval "$first$"=if('$tagField$'="swap_$first$_$second$", swapTmp, '$first$') | fields - swapTmp
|
|
|
|
|
|
## Remap fields to account for deficiencies in source data that cannot be
|
|
## handled at the TA level.
|
|
#
|
|
# Rationale:
|
|
#
|
|
# In some cases IDS systems use the CIM field "src" as the field of interest.
|
|
# This is often the case for wireless attacks where the target is a broadcast domain.
|
|
# In this case, we want to map "src" into "dest" so it will show up
|
|
# in the IDS tracker, but ONLY for certain events. This macro does that and
|
|
# is used in many of the base-level macros such as "authentication" to apply such
|
|
# transformations globally.
|
|
[remap_subjects]
|
|
definition = tags outputfield=evtTags | `swap_if_tagged(src, dest, evtTags)` | fields - evtTags
|
|
|
|
## vendor_product
|
|
[get_vendor_product]
|
|
definition = eval vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown")
|
|
|
|
|
|
#####################
|
|
## Common Action Model
|
|
#####################
|
|
[modular_action_invocations(2)]
|
|
args = sid,rid
|
|
definition = tstats summariesonly=false latest(Modular_Actions.action_status) as action_status from datamodel=Splunk_Audit.Modular_Actions where Modular_Actions.action_name!="unknown" (Modular_Actions.sid="$sid$" Modular_Actions.rid="$rid$") OR (Modular_Actions.orig_sid="$sid$" Modular_Actions.orig_rid="$rid$") by _time,nodename,Modular_Actions.action_name,Modular_Actions.sid,Modular_Actions.rid,Modular_Actions.action_mode,Modular_Actions.user span=1s | `drop_dm_object_name("Modular_Actions")` | eventstats latest(action_status) as action_status by action_name,sid,rid | search nodename="Modular_Actions.Modular_Action_Invocations" | sort 0 -_time | join type=outer action_name [| rest splunk_server=local count=0 /services/alerts/alert_actions | spath input=param._cam path=drilldown_uri output=action_drilldown_uri | rename title as action_name,label as action_label | fields action_name,action_label,action_drilldown_uri] | eval action_label=if(isnotnull(action_label),action_label,action_name),epoch_time=_time | fields _time,epoch_time,action_status,action_name,action_label,action_mode,action_drilldown_uri,sid,rid,user
|
|
|
|
## Lookups
|
|
[cam_action_modes]
|
|
definition = inputlookup append=T cam_action_mode_lookup | eval action_mode=lower(action_mode) | dedup action_mode | sort + action_mode
|
|
|
|
[cam_action_statuses]
|
|
definition = inputlookup append=T cam_action_status_lookup | eval action_status=lower(action_status) | dedup action_status | sort + action_status
|
|
|
|
[cam_categories]
|
|
definition = inputlookup append=T cam_category_lookup | dedup category | sort + category
|
|
|
|
[cam_tasks]
|
|
definition = inputlookup append=T cam_task_lookup | eval task=lower(task) | dedup task | sort + task
|
|
|
|
[cam_subjects]
|
|
definition = inputlookup append=T cam_subject_lookup | eval subject=lower(subject) | dedup subject | sort + subject
|
|
|
|
[cam_workers]
|
|
definition = inputlookup append=T cam_worker_lookup | append[| makeresults | eval worker_set="local",cam_workers="[\"local\"]"] | dedup worker_set | spath input=cam_workers | where isnotnull('{}') | table worker_set,cam_workers | sort + worker_set
|
|
|
|
|
|
#####################
|
|
## CIM Filters
|
|
#####################
|
|
[cim_filter_known_scanners]
|
|
definition = NOT (host_category="known_scanner" OR orig_host_category="known_scanner" OR dvc_category="known_scanner" OR src_category="known_scanner" OR dest_category="known_scanner")
|
|
|
|
[cim_filter_known_scanners(1)]
|
|
args = object
|
|
definition = NOT ($object$.host_category="known_scanner" OR $object$.orig_host_category="known_scanner" OR $object$.dvc_category="known_scanner" OR $object$.src_category="known_scanner" OR $object$.dest_category="known_scanner")
|
|
|
|
[cim_filter_vuln_severity]
|
|
definition = (severity!="informational" AND severity!="low")
|
|
|
|
[cim_filter_vuln_severity(1)]
|
|
args = object
|
|
definition = ($object$.severity!="informational" AND $object$.severity!="low")
|
|
|
|
[cim_filter_unknown_values(1)]
|
|
args = field
|
|
definition = ($field$!="-" $field$!="n/a" $field$!="unknown")
|
|
|
|
|
|
#####################
|
|
## CIM Lookups
|
|
#####################
|
|
|
|
###### Access Protection ######
|
|
[cim_access_actions]
|
|
definition = inputlookup append=T cim_access_action_lookup | eval action=lower(action) | dedup action
|
|
|
|
###### Change Analysis #####
|
|
[cim_endpoint_actions]
|
|
definition = inputlookup append=T cim_endpoint_action_lookup | eval action=lower(action) | dedup action | sort + action
|
|
|
|
[cim_endpoint_object_categories]
|
|
definition = inputlookup append=T cim_endpoint_object_category_lookup | eval object_category=lower(object_category) | dedup object_category | sort + object_category
|
|
|
|
## no sort here (severity order dictated by order in file)
|
|
[cim_endpoint_severities]
|
|
definition = inputlookup append=T cim_endpoint_severity_lookup | eval severity=lower(severity) | dedup severity
|
|
|
|
[cim_endpoint_statuses]
|
|
definition = inputlookup append=T cim_endpoint_status_lookup | eval status=lower(status) | dedup status | sort + status
|
|
|
|
[cim_endpoint_user_types]
|
|
definition = inputlookup append=T cim_endpoint_user_type_lookup | eval user_type=lower(user_type) | dedup user_type | sort + user_type
|
|
|
|
###### Cloud ######
|
|
[cloud_domains]
|
|
definition = inputlookup append=T cim_cloud_domain_lookup
|
|
|
|
[cloud_domain_search(1)]
|
|
args = field
|
|
definition = [| `cloud_domains` | rename domain as $field$ | fields $field$ | format | fields search]
|
|
|
|
[cloud_email_search(1)]
|
|
args = field
|
|
definition = [| `cloud_domains` | search is_email=true | rename domain as $field$ | fields $field$ | format | fields search]
|
|
|
|
[cloud_storage_search(1)]
|
|
args = field
|
|
definition = [| `cloud_domains` | search is_storage=true | rename domain as $field$ | fields $field$ | format | fields search]
|
|
|
|
###### Data Loss Prevention ######
|
|
[cim_dlp_actions]
|
|
definition = inputlookup append=T cim_dlp_action_lookup | eval action=lower(action) | dedup action | sort + action
|
|
|
|
[cim_dlp_object_categories]
|
|
definition = inputlookup append=T cim_dlp_object_category_lookup | eval object_category=lower(object_category) | dedup object_category | sort + object_category
|
|
|
|
[cim_dlp_types]
|
|
definition = inputlookup append=T cim_dlp_type_lookup | eval dlp_type=lower(dlp_type) | dedup dlp_type | sort + dlp_type
|
|
|
|
###### DNS ######
|
|
[cim_dns_reply_codes]
|
|
definition = inputlookup append=T cim_dns_reply_code_lookup | dedup reply_code | sort + reply_code
|
|
|
|
###### Email ######
|
|
[cim_email_protocols]
|
|
definition = inputlookup append=T cim_email_protocol_lookup | sort + protocol
|
|
|
|
[cim_corporate_email_domains]
|
|
definition = inputlookup append=T cim_corporate_email_domain_lookup
|
|
|
|
[cim_corporate_email_domain_search(1)]
|
|
args = field
|
|
definition = [| `cim_corporate_email_domains` | rename domain as $field$ | format | fields search]
|
|
|
|
###### IDS ######
|
|
|
|
## no sort here (severity order dictated by order in file)
|
|
[cim_ids_severities]
|
|
definition = inputlookup append=T cim_ids_severity_lookup | eval severity=lower(severity) | dedup severity
|
|
|
|
[cim_ids_types]
|
|
definition = inputlookup append=T cim_ids_type_lookup | eval ids_type=lower(ids_type) | dedup ids_type | sort + ids_type
|
|
|
|
###### Malware ######
|
|
[cim_malware_actions]
|
|
definition = inputlookup append=T cim_malware_action_lookup | eval action=lower(action) | dedup action | sort + action
|
|
|
|
###### Traffic ######
|
|
[cim_traffic_actions]
|
|
definition = inputlookup append=T cim_traffic_action_lookup | eval action=lower(action) | dedup action | sort + action
|
|
|
|
[cim_transport_protocols]
|
|
definition = inputlookup append=T cim_transport_protocol_lookup | eval transport=lower(transport) | dedup transport | sort + transport
|
|
|
|
###### Proxy ######
|
|
[cim_http_methods]
|
|
definition = inputlookup append=T cim_http_method_lookup | eval http_method=lower(http_method) | dedup http_method
|
|
|
|
[cim_http_statuses]
|
|
definition = inputlookup append=T cim_http_status_lookup
|
|
|
|
###### System Updates ######
|
|
[cim_update_statii]
|
|
definition = inputlookup append=T cim_update_status_lookup | eval status=lower(status) | dedup status | sort + status
|
|
|
|
###### Vendor Product Tracker ######
|
|
[cim_vendor_product_tracker]
|
|
definition = inputlookup append=T cim_vendor_product_tracker
|
|
|
|
[vendor_product_tracker(1)]
|
|
args = model
|
|
definition = inputlookup append=T cim_vendor_product_tracker | search model="$model$"
|
|
|
|
###### Vulnerabilities ######
|
|
## no sort here (severity order dictated by order in file)
|
|
[cim_vuln_severities]
|
|
definition = inputlookup append=T cim_vuln_severity_lookup | eval severity=lower(severity) | dedup severity
|
|
|
|
##### Web #####
|
|
[cim_corporate_web_domains]
|
|
definition = inputlookup append=T cim_corporate_web_domain_lookup
|
|
|
|
[cim_corporate_web_domain_search(1)]
|
|
args = field
|
|
definition = [| `cim_corporate_web_domains` | rename domain as $field$ | format | fields search]
|
|
|
|
|
|
#####################
|
|
## Data Models
|
|
#####################
|
|
[add_dm_object_name(1)]
|
|
args = object
|
|
definition = rename * as "$object$.*"
|
|
|
|
## DEPRECATED.
|
|
[drop_dm_object_name(1)]
|
|
args = object
|
|
definition = rename "$object$.*" as *
|
|
|
|
## DEPRECATED in favor of | from command.
|
|
[datamodel(2)]
|
|
args = model,object
|
|
definition = datamodel $model$ $object$ search
|
|
|
|
[recommended_datamodel_attributes(2)]
|
|
args = model,object
|
|
definition = datamodel "$model$" "$object$" | spath output=calcs path=calculations{} | spath output=fields path=fields{} | eval outfields=mvappend(fields,NULL,calcs) | mvexpand outfields | spath output=fields input=outfields path=outputFields{} | eval fields=if(isnull(fields),outfields,fields) | mvexpand fields | spath output=field input=fields path=fieldName | spath output=recommended input=fields path=comment.recommended | search recommended="true" | table field | sort field
|
|
|
|
## Datamodel index filters
|
|
[cim_Alerts_indexes]
|
|
definition = ()
|
|
|
|
## This macro has been deprecated
|
|
[cim_Application_State_indexes]
|
|
definition = ()
|
|
|
|
[cim_Authentication_indexes]
|
|
definition = ()
|
|
|
|
[cim_Certificates_indexes]
|
|
definition = ()
|
|
|
|
## This macro has been deprecated
|
|
[cim_Change_Analysis_indexes]
|
|
definition = ()
|
|
|
|
[cim_Change_indexes]
|
|
definition = ()
|
|
|
|
[cim_Compute_Inventory_indexes]
|
|
definition = ()
|
|
|
|
[cim_DLP_indexes]
|
|
definition = ()
|
|
|
|
[cim_Databases_indexes]
|
|
definition = ()
|
|
|
|
[cim_Data_Access_indexes]
|
|
definition = ()
|
|
|
|
[cim_Email_indexes]
|
|
definition = ()
|
|
|
|
[cim_Endpoint_indexes]
|
|
definition = ()
|
|
|
|
[cim_Event_Signatures_indexes]
|
|
definition = ()
|
|
|
|
[cim_Interprocess_Messaging_indexes]
|
|
definition = ()
|
|
|
|
[cim_Intrusion_Detection_indexes]
|
|
definition = ()
|
|
|
|
[cim_JVM_indexes]
|
|
definition = ()
|
|
|
|
[cim_Malware_indexes]
|
|
definition = ()
|
|
|
|
[cim_Network_Resolution_indexes]
|
|
definition = ()
|
|
|
|
[cim_Network_Sessions_indexes]
|
|
definition = ()
|
|
|
|
[cim_Network_Traffic_indexes]
|
|
definition = ()
|
|
|
|
[cim_Performance_indexes]
|
|
definition = ()
|
|
|
|
[cim_Ticket_Management_indexes]
|
|
definition = ()
|
|
|
|
[cim_Updates_indexes]
|
|
definition = ()
|
|
|
|
[cim_Vulnerabilities_indexes]
|
|
definition = ()
|
|
|
|
[cim_Web_indexes]
|
|
definition = ()
|
|
|
|
[cim_datamodelinfo]
|
|
definition = rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval key=replace('title',"tstats:DM_".'eai:acl.app'."_",""),datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","") | join type=left key [| rest /services/data/models splunk_server=local count=0 | table title acceleration.cron_schedule eai:digest | rename title as key | rename acceleration.cron_schedule AS cron] | table datamodel eai:acl.app summary.access_time summary.is_inprogress summary.size summary.latest_time summary.complete summary.buckets_size summary.buckets cron summary.last_error summary.time_range summary.id summary.mod_time eai:digest summary.earliest_time summary.last_sid summary.access_count | rename summary.id AS summary_id, summary.time_range AS retention, summary.earliest_time as earliest, summary.latest_time as latest, eai:digest as digest | rename summary.* AS *, eai:acl.* AS * | sort datamodel
|