
Commit b59991e

Merge pull request #278 from splunk/CRL-1700_ES_macros
CRL_1700 ES Macros
2 parents 1acf708 + f38a6b7 commit b59991e

193 files changed (+607, -606 lines)


baselines/baseline_network_acl_modifications.yml

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: sourcetype=aws:cloudtrail `NetworkACLEvents` | spath output=arn path=userIdentity.arn
7+
search: sourcetype=aws:cloudtrail `network_acl_events` | spath output=arn path=userIdentity.arn
88
| bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls)
99
as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls,
1010
stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints,
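Review bot: the search now references the macro network_acl_events in place of NetworkACLEvents, but the macro definition itself is not part of this hunk. A search that references an undefined macro is rejected at parse time, so the renamed definition must land in the same PR, and any other content that still expands NetworkACLEvents needs the same update; please list where the definition lives in the PR description.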
@@ -31,7 +31,7 @@ eli5: Use this search to create a baseline for API calls related to network ACLs
3131
This table is stored in a lookup file.
3232
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
3333
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
34-
inputs. To add or remove API event names for network ACLs, edit the macro `NetworkACLEvents`.
34+
inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`.
3535
id: fc0edd96-ff2b-4810-9f1f-63da3783fd63
3636
known_false_positives: ''
3737
maintainers:

baselines/baseline_security_group_activity_by_arn.yml

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -90d@d
66
latest_time: -10m@m
7-
search: sourcetype=aws:cloudtrail `securityGroupAPIs` | spath output=arn path=userIdentity.arn
7+
search: sourcetype=aws:cloudtrail `security_group_api_calls` | spath output=arn path=userIdentity.arn
88
| bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls)
99
as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls,
1010
stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints,
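Review bot: the same missing-definition concern as for network_acl_events applies to security_group_api_calls. Also a naming point: both macros enumerate CloudTrail eventName values (the how_to_implement text for each says "API event names"), yet one is suffixed _events and the other _api_calls; a consistent suffix would make the macros easier to find when operators tune them.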
@@ -31,7 +31,7 @@ eli5: Use this search to create a baseline for API calls related to security gro
3131
of data points for each ARN. This table is stored in a lookup file.
3232
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
3333
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
34-
inputs. To add or remove API event names for security groups, edit the macro `securityGroupAPIs`.
34+
inputs. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
3535
id: fc0edd96-ff2b-48b0-9f1f-63da3783fd63
3636
known_false_positives: ''
3737
maintainers:
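Review bot: good that how_to_implement now names the same macro as the search, so the instructions no longer point at a macro that does not exist. Unrelated observation from the context lines: the id here, fc0edd96-ff2b-48b0-9f1f-63da3783fd63, differs by a single character from the id of baseline_network_acl_modifications.yml, fc0edd96-ff2b-4810-9f1f-63da3783fd63, which looks like a hand-edited copy rather than a generated UUID; worth confirming both ids are unique across the repo, since content that is keyed by id would otherwise collide.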

baselines/discover_dns_records.yml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ baseline:
66
latest_time: -10m@m
77
search: '| inputlookup cim_corporate_email_domains.csv | inputlookup append=T
88
cim_corporate_web_domains.csv | inputlookup append=T cim_cloud_domains.csv |
9-
eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats summariesonly=true
9+
eval domain = trim(replace(domain, "\*", "")) | join domain [|tstats `security_content_summariesonly`
1010
count values(DNS.record_type) as type, values(DNS.answer) as answer from datamodel=Network_Resolution
1111
where DNS.message_type=RESPONSE DNS.answer!="unknown" DNS.answer!="" by DNS.query
1212
| rename DNS.query as query | where query!="unknown" | rex field=query "(?<domain>\w+\.\w+?)(?:$|/)"]
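Review bot: replacing the literal summariesonly=true with the security_content_summariesonly macro changes behaviour depending on how that macro is defined, and its definition is not in this diff. If it expands to summariesonly=false, this tstats, which runs inside a join subsearch, will read raw Network_Resolution events rather than only accelerated summaries, which is slower and subject to subsearch result and time limits; the PR should state which expansion is intended so the baseline's cost is understood.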

baselines/identify_ports_on_network.yml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: '| tstats `summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts
7+
search: '| tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts
88
from datamodel=Network_Traffic by All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")`
99
| sort - count'
1010
creation_date: '2017-06-24'
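Review bot: the old summariesonly macro is replaced by security_content_summariesonly here and in the baselines below; if the old macro is being retired, a search for any remaining references should be part of this PR, because a scheduled baseline whose macro no longer resolves fails outright and simply stops refreshing its lookup, which is easy to miss.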

baselines/identify_systems_creating_rdp_traffic.yml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: '| tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389
7+
search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389
88
by All_Traffic.src | `drop_dm_object_name("All_Traffic")` | sort - count'
99
creation_date: '2017-04-24'
1010
data_metadata:

baselines/identify_systems_receiving_rdp_traffic.yml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: '| tstats `summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389
7+
search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=3389
88
by All_Traffic.dest | `drop_dm_object_name("All_Traffic")` | sort - count'
99
creation_date: '2017-04-24'
1010
data_metadata:

baselines/identify_systems_using_remote_desktop.yml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: '| tstats `summariesonly` count from datamodel=Endpoint.Processes where
7+
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where
88
Processes.process_name="*mstsc.exe*" by Processes.dest Processes.process_name
99
| `drop_dm_object_name(Processes)` | sort - count'
1010
creation_date: '2017-04-18'
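Review bot: context line 9 calls drop_dm_object_name(Processes) with a bare argument, while the Network_Traffic baselines above use the quoted form drop_dm_object_name("All_Traffic"); since this PR already touches macro usage in every baseline, aligning on one form would avoid surprises if that macro's argument handling ever changes. Not introduced by this change.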

baselines/monitor_successful_windows_updates.yml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: '| tstats `summariesonly` dc(Updates.dest) as count FROM datamodel=Updates
7+
search: '| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates
88
where Updates.vendor_product="Microsoft Windows" AND Updates.status=installed
99
by _time span=1d'
1010
creation_date: '2017-08-24'
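Review bot: with the literal replaced by the macro, this daily dc(Updates.dest) over a 30-day window is only cheap if security_content_summariesonly keeps summariesonly=true; if the macro is defined as false to tolerate unaccelerated data models, each run scans raw Updates events for the whole window. Please note the intended expansion in the PR so the cost of this baseline is understood.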

baselines/monitor_unsuccessful_windows_updates.yml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ baseline:
44
cron_schedule: ''
55
earliest_time: -30d@d
66
latest_time: -10m@m
7-
search: '| tstats `summariesonly` dc(Updates.dest) as count FROM datamodel=Updates
7+
search: '| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM datamodel=Updates
88
where Updates.vendor_product="Microsoft Windows" AND Updates.status=failure
99
by _time span=1d'
1010
creation_date: '2017-08-24'
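Review bot: same change and same performance caveat as monitor_successful_windows_updates.yml. One thing visible in context: this baseline filters on Updates.status=failure while its counterpart uses Updates.status=installed; confirm both are the normalized values the Updates data model expects, since an unnormalized status would leave this baseline silently empty rather than erroring.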

baselines/previously_seen_aws_users.yml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ baseline:
66
latest_time: -10m@m
77
search: sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn
88
as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region
9-
LIKE "",src,Region) | stats earliest(_time) as earliest latest(_time) as latest
9+
LIKE "",src,Region) | stats earliest(_time) as firstTime latest(_time) as lastTime
1010
by user src City Region Country | outputlookup previously_seen_users_console_logins.csv
1111
| stats count
1212
creation_date: '2018-02-23'
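Review bot: renaming the stats outputs from earliest/latest to firstTime/lastTime changes the column names written to previously_seen_users_console_logins.csv, so any detection that reads that lookup and expects earliest or latest will break; those consumers should be updated in the same PR, and existing lookup files will carry the new columns only after the baseline next runs. This hunk is also the one non-macro change in a PR titled "ES Macros", so it deserves a mention in the commit message.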
