Audit:[timestamp=05-23-2022 20:23:58.052, user=admin, action=search, info=granted , search_id='ta_1653337438.311663', search='typeahead prefix="index=_audit source=audittrail sourcetype=audittrail search IN (\"*runshellscript*\", \"*collect*\",\"*delete*\", \"*fit*\", \"*outputcsv*\", \"*outputlookup*\", \"*run*\", \"*script*\", \"*sendalert*\", \"*sendemail*\", \"*tscollect*\") \\" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="N/A", mode="historical"] Audit:[timestamp=05-23-2022 20:23:56.823, user=admin, action=search, info=granted , search_id='ta_1653337436.311662', search='typeahead prefix="index=_audit source=audittrail sourcetype=audittrail search IN (\"*runshellscript*\", \"*collect*\",\"*delete*\", \"*fit*\", \"*outputcsv*\", \"*outputlookup*\", \"*run*\", \"*script*\", \"*sendalert*\", \"*sendemail*\", \"*tscollect*\") \\ head 5" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="N/A", mode="historical"] Audit:[timestamp=05-23-2022 20:23:43.456, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5825a5f31cd00ec41_at_1653336000_73135', has_error_warn=false, fully_completed_search=true, total_run_time=4.38, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337403, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, 
savedsearch_name="ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", search_startup_time="1537", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_aa25291cb0d7997f", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=556, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`'] Audit:[timestamp=05-23-2022 20:23:29.133, user=admin, action=search, info=granted , search_id='1653337409.311652', search='search index=_audit source=audittrail sourcetype=audittrail search IN ("*runshellscript*", "*collect*","*delete*", "*fit*", "*outputcsv*", "*outputlookup*", "*run*", "*script*", "*sendalert*", "*sendemail*", "*tscollect*")', autojoin='1', buckets=300, 
ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Mon May 23 00:00:00 2022', apiEndTime='Mon May 23 20:23:29 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"] Audit:[timestamp=05-23-2022 20:23:25.004, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5fe51f0ad1d9fe444_at_1653337380_73136', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Authentication [ search (index=* OR index=_*) ((`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)) | eval nodename = "Authentication"| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user)| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication | eval nodename = if(nodename == "Authentication" AND searchmatch("(action=\"failure\")"), mvappend(nodename, "Authentication.Failed_Authentication"), nodename) | eval nodename = if(nodename == 
"Authentication" AND searchmatch("(action=\"success\")"), mvappend(nodename, "Authentication.Successful_Authentication"), nodename) | eval nodename = if(nodename == "Authentication" AND searchmatch("(tag=\"default\")"), mvappend(nodename, "Authentication.Default_Authentication"), nodename)| eval is_Failed_Default_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Default_Authentication=1-is_Failed_Default_Authentication, is_Successful_Default_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Default_Authentication=1-is_Successful_Default_Authentication | eval nodename = if(nodename == "Authentication.Default_Authentication" AND searchmatch("(action=\"failure\")"), mvappend(nodename, "Authentication.Default_Authentication.Failed_Default_Authentication"), nodename) | eval nodename = if(nodename == "Authentication.Default_Authentication" AND searchmatch("(action=\"success\")"), mvappend(nodename, "Authentication.Default_Authentication.Successful_Default_Authentication"), nodename) | rename is_Failed_Default_Authentication AS Authentication.Default_Authentication.is_Failed_Default_Authentication is_not_Failed_Default_Authentication AS Authentication.Default_Authentication.is_not_Failed_Default_Authentication is_Successful_Default_Authentication AS Authentication.Default_Authentication.is_Successful_Default_Authentication is_not_Successful_Default_Authentication AS Authentication.Default_Authentication.is_not_Successful_Default_Authentication | eval nodename = if(nodename == "Authentication" AND searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"), mvappend(nodename, "Authentication.Insecure_Authentication"), nodename) | eval nodename = if(nodename == "Authentication" AND searchmatch("(tag=\"privileged\")"), mvappend(nodename, "Authentication.Privileged_Authentication"), nodename)| eval is_Failed_Privileged_Authentication=if(searchmatch("(action=\"failure\")"),1,0), 
is_not_Failed_Privileged_Authentication=1-is_Failed_Privileged_Authentication, is_Successful_Privileged_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Privileged_Authentication=1-is_Successful_Privileged_Authentication | eval nodename = if(nodename == "Authentication.Privileged_Authentication" AND searchmatch("(action=\"failure\")"), mvappend(nodename, "Authentication.Privileged_Authentication.Failed_Privileged_Authentication"), nodename) | eval nodename = if(nodename == "Authentication.Privileged_Authentication" AND searchmatch("(action=\"success\")"), mvappend(nodename, "Authentication.Privileged_Authentication.Successful_Privileged_Authentication"), nodename) | rename is_Failed_Privileged_Authentication AS Authentication.Privileged_Authentication.is_Failed_Privileged_Authentication is_not_Failed_Privileged_Authentication AS Authentication.Privileged_Authentication.is_not_Failed_Privileged_Authentication is_Successful_Privileged_Authentication AS Authentication.Privileged_Authentication.is_Successful_Privileged_Authentication is_not_Successful_Privileged_Authentication AS Authentication.Privileged_Authentication.is_not_Successful_Privileged_Authentication | rename authentication_method AS Authentication.authentication_method authentication_service AS Authentication.authentication_service dest_bunit AS Authentication.dest_bunit dest_category AS Authentication.dest_category dest_nt_domain AS Authentication.dest_nt_domain dest_priority AS Authentication.dest_priority duration AS Authentication.duration reason AS Authentication.reason response_time AS Authentication.response_time signature AS Authentication.signature signature_id AS Authentication.signature_id src_bunit AS Authentication.src_bunit src_category AS Authentication.src_category src_nt_domain AS Authentication.src_nt_domain src_priority AS Authentication.src_priority src_user_bunit AS Authentication.src_user_bunit src_user_category AS Authentication.src_user_category 
src_user_id AS Authentication.src_user_id src_user_priority AS Authentication.src_user_priority src_user_role AS Authentication.src_user_role src_user_type AS Authentication.src_user_type tag AS Authentication.tag user_agent AS Authentication.user_agent user_bunit AS Authentication.user_bunit user_category AS Authentication.user_category user_id AS Authentication.user_id user_priority AS Authentication.user_priority user_role AS Authentication.user_role user_type AS Authentication.user_type vendor_account AS Authentication.vendor_account action AS Authentication.action app AS Authentication.app src AS Authentication.src src_user AS Authentication.src_user dest AS Authentication.dest user AS Authentication.user is_Failed_Authentication AS Authentication.is_Failed_Authentication is_not_Failed_Authentication AS Authentication.is_not_Failed_Authentication is_Successful_Authentication AS Authentication.is_Successful_Authentication is_not_Successful_Authentication AS Authentication.is_not_Successful_Authentication is_Default_Authentication AS Authentication.is_Default_Authentication is_not_Default_Authentication AS Authentication.is_not_Default_Authentication is_Insecure_Authentication AS Authentication.is_Insecure_Authentication is_not_Insecure_Authentication AS Authentication.is_not_Insecure_Authentication is_Privileged_Authentication AS Authentication.is_Privileged_Authentication is_not_Privileged_Authentication AS Authentication.is_not_Privileged_Authentication | fields nodename, _time, host, source, sourcetype, Authentication.authentication_method, Authentication.authentication_service, Authentication.dest_bunit, Authentication.dest_category, Authentication.dest_nt_domain, Authentication.dest_priority, Authentication.duration, Authentication.reason, Authentication.response_time, Authentication.signature, Authentication.signature_id, Authentication.src_bunit, Authentication.src_category, Authentication.src_nt_domain, Authentication.src_priority, 
Authentication.src_user_bunit, Authentication.src_user_category, Authentication.src_user_id, Authentication.src_user_priority, Authentication.src_user_role, Authentication.src_user_type, Authentication.tag, Authentication.user_agent, Authentication.user_bunit, Authentication.user_category, Authentication.user_id, Authentication.user_priority, Authentication.user_role, Authentication.user_type, Authentication.vendor_account, Authentication.action, Authentication.app, Authentication.src, Authentication.src_user, Authentication.dest, Authentication.user, Authentication.is_Failed_Authentication, Aut (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sun May 23 20:23:00 2021', apiEndTime='Mon May 23 20:23:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Authentication_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:23:23.369, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5825a5f31cd00ec41_at_1653336000_73135', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_icedid_rundll32_cmdline_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon 
May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Suspicious IcedID Rundll32 Cmdline - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:23:05.997, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337380_73125', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval 
security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup 
correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:23:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:43.616, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5b9ef3048736ee319_at_1653336000_73115', has_error_warn=true, fully_completed_search=true, total_run_time=3.77, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337330, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Attempt To Stop Security Service - Rule", search_startup_time="1223", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_471151f48c436231", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=410, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, 
invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`'] Audit:[timestamp=05-23-2022 20:22:43.505, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD554c6ae6c8d4f6768_at_1653336000_73117', has_error_warn=false, fully_completed_search=true, total_run_time=3.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337336, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Schtasks Run Task On Demand - Rule", search_startup_time="1150", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_f47e4209cf6e7af7", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=506, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`'] Audit:[timestamp=05-23-2022 20:22:16.657, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD554c6ae6c8d4f6768_at_1653336000_73117', search='| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/run*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `schtasks_run_task_on_demand_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', 
apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Schtasks Run Task On Demand - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:13.704, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5d8b338a7065f976e_at_1653336000_73111', has_error_warn=false, fully_completed_search=true, total_run_time=1.88, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1653337327, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", search_startup_time="461", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_dabe392fbb67f9ef", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=1, total_slices=45361, decompressed_slices=1, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=16, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__XmlWinEventLog=1, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `wineventlog_security` EventCode=4698 | xmlkv Message | search Command 
IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`'] Audit:[timestamp=05-23-2022 20:22:13.701, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD56928fd717fdfa5c0_at_1653336000_73110', has_error_warn=false, fully_completed_search=true, total_run_time=3.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337326, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", search_startup_time="1143", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_4015fc31c61bfb41", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=432, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, 
roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`'] Audit:[timestamp=05-23-2022 20:22:13.651, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5d2931b6850833efe_at_1653336000_73101', has_error_warn=false, fully_completed_search=true, total_run_time=0.88, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337310, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Suspicious Java Classes - Rule", search_startup_time="378", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_eed822e04ce52272", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, 
invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`'] Audit:[timestamp=05-23-2022 20:22:13.637, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD547269721c28f56d9_at_1653336000_73098', has_error_warn=false, fully_completed_search=true, total_run_time=2.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337301, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Spoolsv Spawning Rundll32 - Rule", search_startup_time="1107", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_269111873f935dad", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=302, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, 
invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`'] Audit:[timestamp=05-23-2022 20:22:13.514, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD53746a7b970b89eb7_at_1653336000_73104', has_error_warn=false, fully_completed_search=true, total_run_time=2.24, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337316, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Get DomainUser with PowerShell Script Block - Rule", search_startup_time="1412", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_4501d96dbb1d2cc2", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, 
invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `powershell` EventCode=4104 Message = "*Get-DomainUser*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`'] Audit:[timestamp=05-23-2022 20:22:13.450, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD521a29e227547418c_at_1653336000_73112', has_error_warn=false, fully_completed_search=true, total_run_time=2.05, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1653337329, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Windows Raw Access To Master Boot Record Drive - Rule", search_startup_time="1582", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_d7248ed2cf0075a6", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=1, total_slices=45366, decompressed_slices=1, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=117, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`'] Audit:[timestamp=05-23-2022 20:22:10.820, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5b9ef3048736ee319_at_1653336000_73115', search='| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 
2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Attempt To Stop Security Service - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:10.373, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5ea35b39b15ead40d_at_1653337320_73114', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Change [ search (index=* OR index=_*) ((`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)) | eval nodename = "All_Changes"| eval change_type=if(isnull(change_type) OR change_type="","unknown",change_type), command=if(isnull(command) OR command="","unknown",if(sourcetype=="audittrail",Operation." ".ObjectName,command)), dest=if(isnull(dest) OR dest="","unknown",dest), dvc=if(isnull(dvc) OR dvc="","unknown",dvc), object=if(isnull(object) OR object="","unknown",object), object_attrs=if(isnull(object_attrs) OR object_attrs="","unknown",object_attrs), object_category=if(isnull(object_category) OR object_category="","unknown",object_category), object_id=if(isnull(object_id) OR object_id="","unknown",object_id), object_path=if(isnull(object_path) OR object_path="","unknown",object_path), status=if(isnull(status) OR status="","unknown",status), result=if(isnotnull(result) AND result!="",result,if(isnotnull(signature) AND signature!="",signature,"unknown")), result_id=if(isnotnull(result_id) AND result_id!="",result_id,if(isnotnull(signature_id) AND signature_id!="",signature_id,-1)), src=if(isnull(src) OR src="","unknown",src), user=if(isnull(user) OR user="","unknown",user), user_name=if(isnull(user_name) OR user_name="","unknown",user_name), 
vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown"), action=if(isnull(action) OR action="","unknown",action)| eval is_Auditing_Changes=if(searchmatch("(tag=audit)"),1,0), is_not_Auditing_Changes=1-is_Auditing_Changes, is_Endpoint_Changes=if(searchmatch("(tag=endpoint)"),1,0), is_not_Endpoint_Changes=1-is_Endpoint_Changes, is_Network_Changes=if(searchmatch("(tag=network)"),1,0), is_not_Network_Changes=1-is_Network_Changes, is_Account_Management=if(searchmatch("(tag=account)"),1,0), is_not_Account_Management=1-is_Account_Management, is_Instance_Changes=if(searchmatch("(tag=instance)"),1,0), is_not_Instance_Changes=1-is_Instance_Changes | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=audit)"), mvappend(nodename, "All_Changes.Auditing_Changes"), nodename) | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=endpoint)"), mvappend(nodename, "All_Changes.Endpoint_Changes"), nodename)| eval is_Endpoint_Restarts=if(searchmatch("(action=modified change_type=restart)"),1,0), is_not_Endpoint_Restarts=1-is_Endpoint_Restarts, is_Other_Endpoint_Changes=if(searchmatch("(NOT change_type=restart)"),1,0), is_not_Other_Endpoint_Changes=1-is_Other_Endpoint_Changes | eval nodename = if(nodename == "All_Changes.Endpoint_Changes" AND searchmatch("(action=modified change_type=restart)"), mvappend(nodename, "All_Changes.Endpoint_Changes.Endpoint_Restarts"), nodename) | eval nodename = if(nodename == "All_Changes.Endpoint_Changes" AND searchmatch("(NOT change_type=restart)"), mvappend(nodename, "All_Changes.Endpoint_Changes.Other_Endpoint_Changes"), nodename) | rename is_Endpoint_Restarts AS 
All_Changes.Endpoint_Changes.is_Endpoint_Restarts is_not_Endpoint_Restarts AS All_Changes.Endpoint_Changes.is_not_Endpoint_Restarts is_Other_Endpoint_Changes AS All_Changes.Endpoint_Changes.is_Other_Endpoint_Changes is_not_Other_Endpoint_Changes AS All_Changes.Endpoint_Changes.is_not_Other_Endpoint_Changes | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=network)"), mvappend(nodename, "All_Changes.Network_Changes"), nodename)| eval is_Device_Restarts=if(searchmatch("(action=modified change_type=restart)"),1,0), is_not_Device_Restarts=1-is_Device_Restarts | eval nodename = if(nodename == "All_Changes.Network_Changes" AND searchmatch("(action=modified change_type=restart)"), mvappend(nodename, "All_Changes.Network_Changes.Device_Restarts"), nodename) | rename dest_ip_range AS All_Changes.Network_Changes.dest_ip_range dest_port_range AS All_Changes.Network_Changes.dest_port_range direction AS All_Changes.Network_Changes.direction protocol AS All_Changes.Network_Changes.protocol rule_action AS All_Changes.Network_Changes.rule_action src_ip_range AS All_Changes.Network_Changes.src_ip_range src_port_range AS All_Changes.Network_Changes.src_port_range is_Device_Restarts AS All_Changes.Network_Changes.is_Device_Restarts is_not_Device_Restarts AS All_Changes.Network_Changes.is_not_Device_Restarts | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=account)"), mvappend(nodename, "All_Changes.Account_Management"), nodename)| eval dest_nt_domain=if(isnull(dest_nt_domain) OR dest_nt_domain="","unknown",dest_nt_domain), src_nt_domain=if(isnull(src_nt_domain) OR src_nt_domain="","unknown",src_nt_domain), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), src_user_name=if(isnull(src_user_name) OR src_user_name="","unknown",src_user_name)| eval is_Accounts_Created=if(searchmatch("(action=\"created\")"),1,0), is_not_Accounts_Created=1-is_Accounts_Created, is_Accounts_Deleted=if(searchmatch("(action=\"deleted\")"),1,0), 
is_not_Accounts_Deleted=1-is_Accounts_Deleted, is_Account_Lockouts=if(searchmatch("(result=\"lockout\")"),1,0), is_not_Account_Lockouts=1-is_Account_Lockouts, is_Accounts_Updated=if(searchmatch("(action=\"updated\" OR action=\"modified\")"),1,0), is_not_Accounts_Updated=1-is_Accounts_Updated | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(action=\"created\")"), mvappend(nodename, "All_Changes.Account_Management.Accounts_Created"), nodename) | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(action=\"deleted\")"), mvappend(nodename, "All_Changes.Account_Management.Accounts_Deleted"), nodename) | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(result=\"lockout\")"), mvappend(nodename, "All_Changes.Account_Management.Account_Lockouts"), nodename) | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(action=\"updated\" OR action=\"modified\")"), mvappend(nodename, "All_Changes.Account_Management.Accounts_Updated"), nodename) | rename src_user_bunit AS All_Changes.Account_Management.src_user_bunit src_user_category AS All_Changes.Account_Management.src_user_category src_user_priority AS All_Changes.Account_Management.src_user_priority src_user_type AS All_Changes.Account_Management.src_user_type dest_nt_domain AS All_Changes.Account_Management.dest_nt_domain src_nt_domain AS All_Changes.Account_Management.src_nt_domain src_user AS All_Changes.Account_Management.src_user src_user_name AS All_Changes.Account_Management.src_user_name is_Accounts_Created AS All_Changes.Account_Management.is_Accounts_Created is_not_Accounts_Created AS All_Changes.Account_Management.is_not_Accounts_Created is_Accounts_Deleted AS All_Changes.Account_Management.is_Accounts_Deleted is_not_Accounts_Deleted AS All_Changes.Account_Management.is_not_Accounts_Deleted is_Account_Lockouts AS All_Changes.Account_Management.is_Account_Lockouts is_not_Account_Lockouts AS 
All_Changes.Account_Management.is_not_Account_Lockouts is_Accounts_Updated AS All_Changes.Account_Management.is_Accounts_Updated is_not_Accounts_Updated AS All_Changes.Account_Management.is_not_Accounts_Updated | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=instance)"), mvappend(nodename, "All_Changes.Instance_Changes"), nodename)| eval image_id=if(isnull(image_id) OR image_id="","unknown",image_id), instance_type=if(isnull(instance_type) OR instance_type="","unknown",instance_type) | rename image_id AS All_Changes.Instance_Changes.image_id instance_typ (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sun May 23 20:22:00 2021', apiEndTime='Mon May 23 20:22:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Change_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:09.052, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD521a29e227547418c_at_1653336000_73112', search='search `sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Windows Raw Access To Master Boot 
Record Drive - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:07.400, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5d8b338a7065f976e_at_1653336000_73111', search='search `wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - WinEvent Scheduled Task Created to Spawn Shell - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:05.971, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD56928fd717fdfa5c0_at_1653336000_73110', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`detect_rundll32_application_control_bypass___syssetup_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Detect Rundll32 Application Control Bypass - syssetup - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:22:04.573, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337320_73109', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND 
annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as 
drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:22:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:21:55.946, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD53746a7b970b89eb7_at_1653336000_73104', search='search `powershell` EventCode=4104 Message = "*Get-DomainUser*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domainuser_with_powershell_script_block_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Get DomainUser with PowerShell Script Block - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:21:49.978, user=admin, action=search, info=granted , 
search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5d2931b6850833efe_at_1653336000_73101', search='search `stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Suspicious Java Classes - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:21:43.577, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD561ef7423405d3912_at_1653337200_73094', has_error_warn=false, fully_completed_search=true, total_run_time=3.89, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337281, api_et=N/A, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="_ACCELERATE_DM_DA-ESS-ThreatIntelligence_Threat_Intelligence_ACCELERATE_", search_startup_time="3185", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DM_DA-ESS-ThreatIntelligence_Threat_Intelligence", app="DA-ESS-ThreatIntelligence", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, 
duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=datamodel_acceleration, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_DA-ESS-ThreatIntelligence_Threat_Intelligence [ search (index=* OR index=_*) (index=threat_activity) | eval nodename = "Threat_Activity"| eval dest=case(isnull(dest) OR dest="","unknown",mvcount(dest)=1,split(dest,"|"),1=1,dest), orig_sourcetype=if(mvcount(orig_sourcetype)=1,split(orig_sourcetype,"|"),orig_sourcetype), src=case(isnull(src) OR src="","unknown",mvcount(src)=1,split(src,"|"),1=1,src), src_user=case(isnull(src_user) OR src_user="","unknown",mvcount(src_user)=1,split(src_user,"|"),1=1,src_user), user=case(isnull(user) OR user="","unknown",mvcount(user)=1,split(user,"|"),1=1,user) | rename dest_bunit AS Threat_Activity.dest_bunit dest_category AS Threat_Activity.dest_category dest_priority AS Threat_Activity.dest_priority src_bunit AS Threat_Activity.src_bunit src_category AS Threat_Activity.src_category src_priority AS Threat_Activity.src_priority src_user_bunit AS Threat_Activity.src_user_bunit src_user_category AS Threat_Activity.src_user_category src_user_priority AS Threat_Activity.src_user_priority threat_match_field AS Threat_Activity.threat_match_field threat_match_value AS Threat_Activity.threat_match_value threat_collection AS 
Threat_Activity.threat_collection threat_collection_key AS Threat_Activity.threat_collection_key threat_key AS Threat_Activity.threat_key user_bunit AS Threat_Activity.user_bunit user_category AS Threat_Activity.user_category user_priority AS Threat_Activity.user_priority dest AS Threat_Activity.dest orig_sourcetype AS Threat_Activity.orig_sourcetype src AS Threat_Activity.src src_user AS Threat_Activity.src_user user AS Threat_Activity.user | fields nodename, _time, host, source, sourcetype, Threat_Activity.dest_bunit, Threat_Activity.dest_category, Threat_Activity.dest_priority, Threat_Activity.src_bunit, Threat_Activity.src_category, Threat_Activity.src_priority, Threat_Activity.src_user_bunit, Threat_Activity.src_user_category, Threat_Activity.src_user_priority, Threat_Activity.threat_match_field, Threat_Activity.threat_match_value, Threat_Activity.threat_collection, Threat_Activity.threat_collection_key, Threat_Activity.threat_key, Threat_Activity.user_bunit, Threat_Activity.user_category, Threat_Activity.user_priority, Threat_Activity.dest, Threat_Activity.orig_sourcetype, Threat_Activity.src, Threat_Activity.src_user, Threat_Activity.user ]'] Audit:[timestamp=05-23-2022 20:21:43.510, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD520345cd50aa07c7f_at_1653336000_73082', has_error_warn=false, fully_completed_search=true, total_run_time=22.34, event_count=12, result_count=6, available_count=0, scan_count=12, drop_count=0, exec_time=1653337252, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Executables Or Script Creation In Suspicious Path - Rule", search_startup_time="1179", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_5e427ee15467b1ad", app="DA-ESS-ContentUpdate", provenance="scheduler", 
mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=664, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\windows\\fonts\\* OR Filesystem.file_path = *\\windows\\temp\\* OR Filesystem.file_path = *\\users\\public\\* OR Filesystem.file_path = *\\windows\\debug\\* OR Filesystem.file_path = *\\Users\\Administrator\\Music\\* OR Filesystem.file_path = *\\Windows\\servicing\\* OR Filesystem.file_path = *\\Users\\Default\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\Windows\\Media\\* OR Filesystem.file_path = *\\Windows\\repair\\* OR Filesystem.file_path = *\\AppData\\Local\\Temp* OR Filesystem.file_path = *\\PerfLogs\\*) by Filesystem.file_create_time Filesystem.process_id 
Filesystem.file_name Filesystem.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`'] Audit:[timestamp=05-23-2022 20:21:43.499, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5215fa93ae530806f_at_1653336000_73091', has_error_warn=false, fully_completed_search=true, total_run_time=6.11, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337274, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - XSL Script Execution With WMIC - Rule", search_startup_time="2217", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_39cba774cba2c6d6", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=681, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` 
Processes.process = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`'] Audit:[timestamp=05-23-2022 20:21:41.203, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD547269721c28f56d9_at_1653336000_73098', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe `process_rundll32` by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_spawning_rundll32_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Spoolsv Spawning Rundll32 - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:21:20.647, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD561ef7423405d3912_at_1653337200_73094', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_DA-ESS-ThreatIntelligence_Threat_Intelligence [ search (index=* OR index=_*) 
(index=threat_activity) | eval nodename = "Threat_Activity"| eval dest=case(isnull(dest) OR dest="","unknown",mvcount(dest)=1,split(dest,"|"),1=1,dest), orig_sourcetype=if(mvcount(orig_sourcetype)=1,split(orig_sourcetype,"|"),orig_sourcetype), src=case(isnull(src) OR src="","unknown",mvcount(src)=1,split(src,"|"),1=1,src), src_user=case(isnull(src_user) OR src_user="","unknown",mvcount(src_user)=1,split(src_user,"|"),1=1,src_user), user=case(isnull(user) OR user="","unknown",mvcount(user)=1,split(user,"|"),1=1,user) | rename dest_bunit AS Threat_Activity.dest_bunit dest_category AS Threat_Activity.dest_category dest_priority AS Threat_Activity.dest_priority src_bunit AS Threat_Activity.src_bunit src_category AS Threat_Activity.src_category src_priority AS Threat_Activity.src_priority src_user_bunit AS Threat_Activity.src_user_bunit src_user_category AS Threat_Activity.src_user_category src_user_priority AS Threat_Activity.src_user_priority threat_match_field AS Threat_Activity.threat_match_field threat_match_value AS Threat_Activity.threat_match_value threat_collection AS Threat_Activity.threat_collection threat_collection_key AS Threat_Activity.threat_collection_key threat_key AS Threat_Activity.threat_key user_bunit AS Threat_Activity.user_bunit user_category AS Threat_Activity.user_category user_priority AS Threat_Activity.user_priority dest AS Threat_Activity.dest orig_sourcetype AS Threat_Activity.orig_sourcetype src AS Threat_Activity.src src_user AS Threat_Activity.src_user user AS Threat_Activity.user | fields nodename, _time, host, source, sourcetype, Threat_Activity.dest_bunit, Threat_Activity.dest_category, Threat_Activity.dest_priority, Threat_Activity.src_bunit, Threat_Activity.src_category, Threat_Activity.src_priority, Threat_Activity.src_user_bunit, Threat_Activity.src_user_category, Threat_Activity.src_user_priority, Threat_Activity.threat_match_field, Threat_Activity.threat_match_value, Threat_Activity.threat_collection, 
Threat_Activity.threat_collection_key, Threat_Activity.threat_key, Threat_Activity.user_bunit, Threat_Activity.user_category, Threat_Activity.user_priority, Threat_Activity.dest, Threat_Activity.orig_sourcetype, Threat_Activity.src, Threat_Activity.src_user, Threat_Activity.user ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_DA-ESS-ThreatIntelligence_Threat_Intelligence_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="DA-ESS-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:21:13.620, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5fed6f9304b53adba_at_1653337200_73079', has_error_warn=false, fully_completed_search=true, total_run_time=0.53, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337250, api_et=1621801200.000000000, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1621801200.000000000, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Ticket_Management_ACCELERATE_", search_startup_time="691", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DM_Splunk_SA_CIM_Ticket_Management", app="Splunk_SA_CIM", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, 
invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=datamodel_acceleration, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Ticket_Management [ search (index=* OR index=_*) ((`cim_Ticket_Management_indexes`) tag=ticketing) | eval nodename = "All_Ticket_Management"| eval dest=if(isnull(dest) OR dest="","unknown",dest), ticket_id=if(isnull(ticket_id) OR ticket_id="","unknown",ticket_id)| eval is_Change=if(searchmatch("(tag=change)"),1,0), is_not_Change=1-is_Change, is_Incident=if(searchmatch("(tag=incident)"),1,0), is_not_Incident=1-is_Incident, is_Problem=if(searchmatch("(tag=problem)"),1,0), is_not_Problem=1-is_Problem | eval nodename = if(nodename == "All_Ticket_Management" AND searchmatch("(tag=change)"), mvappend(nodename, "All_Ticket_Management.Change"), nodename)| eval change=if(isnull(change) OR change="","unknown",change) | rename change AS All_Ticket_Management.Change.change | eval nodename = if(nodename == "All_Ticket_Management" AND searchmatch("(tag=incident)"), mvappend(nodename, "All_Ticket_Management.Incident"), nodename)| eval incident=if(isnull(incident) OR incident="","unknown",incident) | rename incident AS All_Ticket_Management.Incident.incident | eval nodename = if(nodename == "All_Ticket_Management" AND searchmatch("(tag=problem)"), mvappend(nodename, "All_Ticket_Management.Problem"), nodename)| eval problem=if(isnull(problem) OR problem="","unknown",problem) | rename problem AS All_Ticket_Management.Problem.problem | rename affect_dest AS All_Ticket_Management.affect_dest comments AS All_Ticket_Management.comments description AS 
All_Ticket_Management.description dest_bunit AS All_Ticket_Management.dest_bunit dest_category AS All_Ticket_Management.dest_category dest_priority AS All_Ticket_Management.dest_priority priority AS All_Ticket_Management.priority severity AS All_Ticket_Management.severity severity_id AS All_Ticket_Management.severity_id splunk_id AS All_Ticket_Management.splunk_id splunk_realm AS All_Ticket_Management.splunk_realm src_user AS All_Ticket_Management.src_user src_user_bunit AS All_Ticket_Management.src_user_bunit src_user_category AS All_Ticket_Management.src_user_category src_user_priority AS All_Ticket_Management.src_user_priority status AS All_Ticket_Management.status tag AS All_Ticket_Management.tag time_submitted AS All_Ticket_Management.time_submitted user AS All_Ticket_Management.user user_bunit AS All_Ticket_Management.user_bunit user_category AS All_Ticket_Management.user_category user_priority AS All_Ticket_Management.user_priority dest AS All_Ticket_Management.dest ticket_id AS All_Ticket_Management.ticket_id is_Change AS All_Ticket_Management.is_Change is_not_Change AS All_Ticket_Management.is_not_Change is_Incident AS All_Ticket_Management.is_Incident is_not_Incident AS All_Ticket_Management.is_not_Incident is_Problem AS All_Ticket_Management.is_Problem is_not_Problem AS All_Ticket_Management.is_not_Problem | fields nodename, _time, host, source, sourcetype, All_Ticket_Management.affect_dest, All_Ticket_Management.comments, All_Ticket_Management.description, All_Ticket_Management.dest_bunit, All_Ticket_Management.dest_category, All_Ticket_Management.dest_priority, All_Ticket_Management.priority, All_Ticket_Management.severity, All_Ticket_Management.severity_id, All_Ticket_Management.splunk_id, All_Ticket_Management.splunk_realm, All_Ticket_Management.src_user, All_Ticket_Management.src_user_bunit, All_Ticket_Management.src_user_category, All_Ticket_Management.src_user_priority, All_Ticket_Management.status, All_Ticket_Management.tag, 
All_Ticket_Management.time_submitted, All_Ticket_Management.user, All_Ticket_Management.user_bunit, All_Ticket_Management.user_category, All_Ticket_Management.user_priority, All_Ticket_Management.dest, All_Ticket_Management.ticket_id, All_Ticket_Management.is_Change, All_Ticket_Management.is_not_Change, All_Ticket_Management.is_Incident, All_Ticket_Management.is_not_Incident, All_Ticket_Management.is_Problem, All_Ticket_Management.is_not_Problem, All_Ticket_Management.Change.change, All_Ticket_Management.Incident.incident, All_Ticket_Management.Problem.problem ]'] Audit:[timestamp=05-23-2022 20:21:13.602, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5215fa93ae530806f_at_1653336000_73091', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `xsl_script_execution_with_wmic_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - XSL Script Execution With WMIC - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:21:05.254, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337260_73087', search='| 
rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval 
security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup 
correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:21:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:58.714, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD59cba5de3e5a67614_at_1653337200_73084', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Splunk_Audit [ search (index=* OR index=_*) (index=_audit action=search search_id=*) | eval nodename = "Search_Activity"| rex field=_raw "user=(?[^,]+), action" max_match=1 | eval datamodel=case(match(savedsearch_name, "_ACCELERATE_DM_.*"), replace(savedsearch_name, "_ACCELERATE_DM_(.*)_ACCELERATE_", "\1"), match(search, "'?(\|\s+)?summarize.*?id=DM_"), replace(search, "'?(?:\|\s)?summarize.*?id=DM_([^\s]+).*", "\1"), 1=1, null()), search_id=trim(search_id, "'"), savedsearch_name=if(savedsearch_name="",null(),savedsearch_name), search=if(isnull(search) OR search="",null(),search), search_type=case(isnotnull(search_type) AND NOT search_type LIKE "case(%",search_type,savedsearch_name LIKE "_ACCELERATE_DM%", "dm_acceleration", search_id LIKE "scheduler%", "scheduled", search_id LIKE "rt%", "realtime", search_id LIKE "subsearch%", "subsearch", (search_id LIKE "SummaryDirector%" OR search_id LIKE "summarize_SummaryDirector%"), "summary_director", 1=1, "adhoc"), search_alias=case(isnotnull(datamodel) AND search_id LIKE "SummaryDirector%",datamodel." Data Model Summary Director",isnotnull(datamodel),datamodel." 
Data Model Acceleration",isnotnull(savedsearch_name),savedsearch_name,1=1,null())| eval is_Acceleration_Jobs=if(searchmatch("(search_type=\"dm_acceleration\" OR search_type=\"summary_director\")"),1,0), is_not_Acceleration_Jobs=1-is_Acceleration_Jobs, is_Adhoc_Jobs=if(searchmatch("(search_type=\"adhoc\")"),1,0), is_not_Adhoc_Jobs=1-is_Adhoc_Jobs, is_Failed_Jobs=if(searchmatch("(info=\"failed\")"),1,0), is_not_Failed_Jobs=1-is_Failed_Jobs, is_Realtime_Jobs=if(searchmatch("(search_type=\"realtime\")"),1,0), is_not_Realtime_Jobs=1-is_Realtime_Jobs, is_Scheduled_Jobs=if(searchmatch("(search_type=\"scheduled\")"),1,0), is_not_Scheduled_Jobs=1-is_Scheduled_Jobs, is_Subsearch_Jobs=if(searchmatch("(search_type=\"subsearch\")"),1,0), is_not_Subsearch_Jobs=1-is_Subsearch_Jobs | eval nodename = if(nodename == "Search_Activity" AND searchmatch("(search_type=\"dm_acceleration\" OR search_type=\"summary_director\")"), mvappend(nodename, "Search_Activity.Acceleration_Jobs"), nodename) | eval nodename = if(nodename == "Search_Activity" AND searchmatch("(search_type=\"adhoc\")"), mvappend(nodename, "Search_Activity.Adhoc_Jobs"), nodename) | eval nodename = if(nodename == "Search_Activity" AND searchmatch("(info=\"failed\")"), mvappend(nodename, "Search_Activity.Failed_Jobs"), nodename) | eval nodename = if(nodename == "Search_Activity" AND searchmatch("(search_type=\"realtime\")"), mvappend(nodename, "Search_Activity.Realtime_Jobs"), nodename) | eval nodename = if(nodename == "Search_Activity" AND searchmatch("(search_type=\"scheduled\")"), mvappend(nodename, "Search_Activity.Scheduled_Jobs"), nodename) | eval nodename = if(nodename == "Search_Activity" AND searchmatch("(search_type=\"subsearch\")"), mvappend(nodename, "Search_Activity.Subsearch_Jobs"), nodename) | rename info AS Search_Activity.info search_et AS Search_Activity.search_et search_lt AS Search_Activity.search_lt total_run_time AS Search_Activity.total_run_time user_bunit AS Search_Activity.user_bunit user_category AS 
Search_Activity.user_category user_priority AS Search_Activity.user_priority user AS Search_Activity.user datamodel AS Search_Activity.datamodel search_id AS Search_Activity.search_id savedsearch_name AS Search_Activity.savedsearch_name search AS Search_Activity.search search_type AS Search_Activity.search_type search_alias AS Search_Activity.search_alias is_Acceleration_Jobs AS Search_Activity.is_Acceleration_Jobs is_not_Acceleration_Jobs AS Search_Activity.is_not_Acceleration_Jobs is_Adhoc_Jobs AS Search_Activity.is_Adhoc_Jobs is_not_Adhoc_Jobs AS Search_Activity.is_not_Adhoc_Jobs is_Failed_Jobs AS Search_Activity.is_Failed_Jobs is_not_Failed_Jobs AS Search_Activity.is_not_Failed_Jobs is_Realtime_Jobs AS Search_Activity.is_Realtime_Jobs is_not_Realtime_Jobs AS Search_Activity.is_not_Realtime_Jobs is_Scheduled_Jobs AS Search_Activity.is_Scheduled_Jobs is_not_Scheduled_Jobs AS Search_Activity.is_not_Scheduled_Jobs is_Subsearch_Jobs AS Search_Activity.is_Subsearch_Jobs is_not_Subsearch_Jobs AS Search_Activity.is_not_Subsearch_Jobs | fields nodename, _time, host, source, sourcetype, Search_Activity.info, Search_Activity.search_et, Search_Activity.search_lt, Search_Activity.total_run_time, Search_Activity.user_bunit, Search_Activity.user_category, Search_Activity.user_priority, Search_Activity.user, Search_Activity.datamodel, Search_Activity.search_id, Search_Activity.savedsearch_name, Search_Activity.search, Search_Activity.search_type, Search_Activity.search_alias, Search_Activity.is_Acceleration_Jobs, Search_Activity.is_not_Acceleration_Jobs, Search_Activity.is_Adhoc_Jobs, Search_Activity.is_not_Adhoc_Jobs, Search_Activity.is_Failed_Jobs, Search_Activity.is_not_Failed_Jobs, Search_Activity.is_Realtime_Jobs, Search_Activity.is_not_Realtime_Jobs, Search_Activity.is_Scheduled_Jobs, Search_Activity.is_not_Scheduled_Jobs, Search_Activity.is_Subsearch_Jobs, Search_Activity.is_not_Subsearch_Jobs ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, 
enable_lookups='1', extra_fields='', apiStartTime='Sun May 23 20:20:00 2021', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Splunk_Audit_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:52.574, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD520345cd50aa07c7f_at_1653336000_73082', search='|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\windows\\fonts\\* OR Filesystem.file_path = *\\windows\\temp\\* OR Filesystem.file_path = *\\users\\public\\* OR Filesystem.file_path = *\\windows\\debug\\* OR Filesystem.file_path = *\\Users\\Administrator\\Music\\* OR Filesystem.file_path = *\\Windows\\servicing\\* OR Filesystem.file_path = *\\Users\\Default\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\Windows\\Media\\* OR Filesystem.file_path = *\\Windows\\repair\\* OR Filesystem.file_path = *\\AppData\\Local\\Temp* OR Filesystem.file_path = *\\PerfLogs\\*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, 
enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Executables Or Script Creation In Suspicious Path - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:50.709, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5fed6f9304b53adba_at_1653337200_73079', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Ticket_Management [ search (index=* OR index=_*) ((`cim_Ticket_Management_indexes`) tag=ticketing) | eval nodename = "All_Ticket_Management"| eval dest=if(isnull(dest) OR dest="","unknown",dest), ticket_id=if(isnull(ticket_id) OR ticket_id="","unknown",ticket_id)| eval is_Change=if(searchmatch("(tag=change)"),1,0), is_not_Change=1-is_Change, is_Incident=if(searchmatch("(tag=incident)"),1,0), is_not_Incident=1-is_Incident, is_Problem=if(searchmatch("(tag=problem)"),1,0), is_not_Problem=1-is_Problem | eval nodename = if(nodename == "All_Ticket_Management" AND searchmatch("(tag=change)"), mvappend(nodename, "All_Ticket_Management.Change"), nodename)| eval change=if(isnull(change) OR change="","unknown",change) | rename change AS All_Ticket_Management.Change.change | eval nodename = if(nodename == "All_Ticket_Management" AND searchmatch("(tag=incident)"), mvappend(nodename, "All_Ticket_Management.Incident"), nodename)| eval incident=if(isnull(incident) OR incident="","unknown",incident) | rename incident AS All_Ticket_Management.Incident.incident | eval nodename = if(nodename == "All_Ticket_Management" AND searchmatch("(tag=problem)"), mvappend(nodename, "All_Ticket_Management.Problem"), nodename)| eval 
problem=if(isnull(problem) OR problem="","unknown",problem) | rename problem AS All_Ticket_Management.Problem.problem | rename affect_dest AS All_Ticket_Management.affect_dest comments AS All_Ticket_Management.comments description AS All_Ticket_Management.description dest_bunit AS All_Ticket_Management.dest_bunit dest_category AS All_Ticket_Management.dest_category dest_priority AS All_Ticket_Management.dest_priority priority AS All_Ticket_Management.priority severity AS All_Ticket_Management.severity severity_id AS All_Ticket_Management.severity_id splunk_id AS All_Ticket_Management.splunk_id splunk_realm AS All_Ticket_Management.splunk_realm src_user AS All_Ticket_Management.src_user src_user_bunit AS All_Ticket_Management.src_user_bunit src_user_category AS All_Ticket_Management.src_user_category src_user_priority AS All_Ticket_Management.src_user_priority status AS All_Ticket_Management.status tag AS All_Ticket_Management.tag time_submitted AS All_Ticket_Management.time_submitted user AS All_Ticket_Management.user user_bunit AS All_Ticket_Management.user_bunit user_category AS All_Ticket_Management.user_category user_priority AS All_Ticket_Management.user_priority dest AS All_Ticket_Management.dest ticket_id AS All_Ticket_Management.ticket_id is_Change AS All_Ticket_Management.is_Change is_not_Change AS All_Ticket_Management.is_not_Change is_Incident AS All_Ticket_Management.is_Incident is_not_Incident AS All_Ticket_Management.is_not_Incident is_Problem AS All_Ticket_Management.is_Problem is_not_Problem AS All_Ticket_Management.is_not_Problem | fields nodename, _time, host, source, sourcetype, All_Ticket_Management.affect_dest, All_Ticket_Management.comments, All_Ticket_Management.description, All_Ticket_Management.dest_bunit, All_Ticket_Management.dest_category, All_Ticket_Management.dest_priority, All_Ticket_Management.priority, All_Ticket_Management.severity, All_Ticket_Management.severity_id, All_Ticket_Management.splunk_id, 
All_Ticket_Management.splunk_realm, All_Ticket_Management.src_user, All_Ticket_Management.src_user_bunit, All_Ticket_Management.src_user_category, All_Ticket_Management.src_user_priority, All_Ticket_Management.status, All_Ticket_Management.tag, All_Ticket_Management.time_submitted, All_Ticket_Management.user, All_Ticket_Management.user_bunit, All_Ticket_Management.user_category, All_Ticket_Management.user_priority, All_Ticket_Management.dest, All_Ticket_Management.ticket_id, All_Ticket_Management.is_Change, All_Ticket_Management.is_not_Change, All_Ticket_Management.is_Incident, All_Ticket_Management.is_not_Incident, All_Ticket_Management.is_Problem, All_Ticket_Management.is_not_Problem, All_Ticket_Management.Change.change, All_Ticket_Management.Incident.incident, All_Ticket_Management.Problem.problem ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sun May 23 20:20:00 2021', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Ticket_Management_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:45.734, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD53e331fc1b7a17595_at_1653337200_73077', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_SA-ThreatIntelligence_Risk [ search (index=* OR index=_*) index=risk | eval tag=mvdedup(mvappend(tag,NULL,orig_tag)), governance_lookup_type="default" | lookup governance_lookup savedsearch as source, lookup_type as governance_lookup_type OUTPUT governance, control | eval governance_lookup_type="tag" | lookup governance_lookup savedsearch as source, tag, lookup_type as governance_lookup_type OUTPUT governance as 
governance_tag, control as control_tag | eval "governance"=mvappend('governance',NULL,'governance_tag'),"control"=mvappend('control',NULL,'control_tag') | fields - governance_lookup_type,governance_tag,control_tag | eval nodename = "All_Risk"| eval description=case(isnotnull(description),description,isnotnull(savedsearch_description),savedsearch_description,1=1,"unknown"), risk_object=if(isnull(risk_object),"unknown",risk_object), risk_object_type=if(isnull(risk_object_type),"unknown",risk_object_type), risk_score=if(isnull(risk_score),0,risk_score), threat_object_type=if(isnotnull(threat_object) AND isnull(threat_object_type),"unknown",threat_object_type), risk_factor_add=0.0, risk_factor_add_matched="", risk_factor_mult=if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="critical",2.5,1.0)*if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="high",2.0,1.0)*if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="informational",0.1,1.0)*if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="low",0.2,1.0)*if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="medium",1.0,1.0), risk_factor_mult_matched=mvappend(if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="critical","Critical Severity Alert",null),if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="high","High Severity Alert",null),if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="informational","Informational Severity Alert",null),if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="low","Low Severity Alert",null),if(match('source',"Threat - Amazon GuardDuty and AWS 
Security Hub.*- Risk Gen - Rule") AND 'severity'="medium","Medium Severity Alert",null),null), calculated_risk_score=(risk_score + risk_factor_add) * risk_factor_mult, risk_message=case(isnotnull(risk_message),risk_message,isnotnull(description),description,isnotnull(savedsearch_description),savedsearch_description,1=1,"unknown") | rename analyticstories AS All_Risk.analyticstories annotations AS All_Risk.annotations annotations._all AS All_Risk.annotations._all annotations._frameworks AS All_Risk.annotations._frameworks annotations.cis20 AS All_Risk.annotations.cis20 annotations.kill_chain_phases AS All_Risk.annotations.kill_chain_phases annotations.mitre_attack AS All_Risk.annotations.mitre_attack annotations.mitre_attack.mitre_description AS All_Risk.annotations.mitre_attack.mitre_description annotations.mitre_attack.mitre_detection AS All_Risk.annotations.mitre_attack.mitre_detection annotations.mitre_attack.mitre_tactic AS All_Risk.annotations.mitre_attack.mitre_tactic annotations.mitre_attack.mitre_tactic_id AS All_Risk.annotations.mitre_attack.mitre_tactic_id annotations.mitre_attack.mitre_technique AS All_Risk.annotations.mitre_attack.mitre_technique annotations.mitre_attack.mitre_technique_id AS All_Risk.annotations.mitre_attack.mitre_technique_id annotations.mitre_attack.mitre_threat_group_name AS All_Risk.annotations.mitre_attack.mitre_threat_group_name annotations.nist AS All_Risk.annotations.nist control AS All_Risk.control creator AS All_Risk.creator dest AS All_Risk.dest dest_bunit AS All_Risk.dest_bunit dest_category AS All_Risk.dest_category dest_priority AS All_Risk.dest_priority governance AS All_Risk.governance risk_object_bunit AS All_Risk.risk_object_bunit risk_object_category AS All_Risk.risk_object_category risk_object_priority AS All_Risk.risk_object_priority savedsearch_description AS All_Risk.savedsearch_description src AS All_Risk.src src_bunit AS All_Risk.src_bunit src_category AS All_Risk.src_category src_priority AS 
All_Risk.src_priority tag AS All_Risk.tag threat_object AS All_Risk.threat_object user AS All_Risk.user user_bunit AS All_Risk.user_bunit user_category AS All_Risk.user_category user_priority AS All_Risk.user_priority description AS All_Risk.description risk_object AS All_Risk.risk_object risk_object_type AS All_Risk.risk_object_type risk_score AS All_Risk.risk_score threat_object_type AS All_Risk.threat_object_type risk_factor_add AS All_Risk.risk_factor_add risk_factor_add_matched AS All_Risk.risk_factor_add_matched risk_factor_mult AS All_Risk.risk_factor_mult risk_factor_mult_matched AS All_Risk.risk_factor_mult_matched calculated_risk_score AS All_Risk.calculated_risk_score risk_message AS All_Risk.risk_message | fields nodename, _time, host, source, sourcetype, All_Risk.analyticstories, All_Risk.annotations, All_Risk.annotations._all, All_Risk.annotations._frameworks, All_Risk.annotations.cis20, All_Risk.annotations.kill_chain_phases, All_Risk.annotations.mitre_attack, All_Risk.annotations.mitre_attack.mitre_description, All_Risk.annotations.mitre_attack.mitre_detection, All_Risk.annotations.mitre_attack.mitre_tactic, All_Risk.annotations.mitre_attack.mitre_tactic_id, All_Risk.annotations.mitre_attack.mitre_technique, All_Risk.annotations.mitre_attack.mitre_technique_id, All_Risk.annotations.mitre_attack.mitre_threat_group_name, All_Risk.annotations.nist, All_Risk.control, All_Risk.creator, All_Risk.dest, All_Risk.dest_bunit, All_Risk.dest_category, All_Risk.dest_priority, All_Risk.governance, All_Risk.risk_object_bunit, All_Risk.risk_object_category, All_Risk.risk_object_priority, All_Risk.savedsearch_description, All_Risk.src, All_Risk.src_bunit, All_Risk.src_category, All_Risk.src_priority, All_Risk.tag, All_Risk.threat_object, All_Risk.user, All_Risk.user_bunit, All_Risk.user_category, All_Risk.user_priority, All_Risk.description, All_Risk.risk_object, All_Risk.risk_object_type, All_Risk.risk_score, All_Risk.threat_object_type, All_Risk.risk_factor_add, 
All_Risk.risk_factor_add_matched, All_Risk.risk_factor_mult, All_Risk.risk_factor_mult_matched, All_Risk.calculated_risk_score, All_Risk.risk_message ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_SA-ThreatIntelligence_Risk_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:43.712, user=admin, action=search, info=completed, search_id='subsearch_scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD56fdbd6870256b788_at_1653336000_73067_1653337234.3', has_error_warn=false, fully_completed_search=true, total_run_time=1.52, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337234, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="", search_startup_time="513", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_6b3322fc65faf32b", app="DA-ESS-ContentUpdate", provenance="N/A", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=7, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, 
duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search sourcetype=aws:cloudtrail (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region'] Audit:[timestamp=05-23-2022 20:20:43.704, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD56fdbd6870256b788_at_1653336000_73067', has_error_warn=false, fully_completed_search=true, total_run_time=2.90, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337233, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule", search_startup_time="2896", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_dcdc0ff9ab8db942", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=7, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, 
duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`'] Audit:[timestamp=05-23-2022 20:20:43.680, user=admin, action=search, info=completed, search_id='scheduler__admin_U0EtTmV0d29ya1Byb3RlY3Rpb24__RMD5ee8d785f4bcf4e4c_at_1653337200_73057', has_error_warn=false, fully_completed_search=true, total_run_time=2.77, event_count=0, result_count=1, available_count=0, scan_count=0, drop_count=0, exec_time=1653337217, api_et=1653333000.000000000, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653333000.000000000, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="Network - 
Vulnerability Signature Reference - Lookup Gen", search_startup_time="3933", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SA-NetworkProtection_admin_9f4e0cc389bf07d9", app="SA-NetworkProtection", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,values(Vulnerabilities.bugtraq) as bugtraq,values(Vulnerabilities.cert) as cert,values(Vulnerabilities.cve) as cve,values(Vulnerabilities.msft) as msft,values(Vulnerabilities.mskb) as mskb,values(Vulnerabilities.xref) as xref from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.signature,Vulnerabilities.vendor_product | `drop_dm_object_name("Vulnerabilities")` | inputlookup append=T vuln_signature_reference | `makemv(bugtraq)` | `makemv(cert)` | `makemv(cve)` | `makemv(msft)` | `makemv(mskb)` | `makemv(xref)` | stats min(firstTime) as firstTime,max(lastTime) as lastTime,values(cve) as cve,values(bugtraq) as bugtraq,values(cert) as cert,values(msft) as msft,values(mskb) as mskb,values(xref) as xref by signature,vendor_product | `makesv(bugtraq)` | `makesv(cert)` | `makesv(cve)` | `makesv(msft)` | `makesv(mskb)` | 
`makesv(xref)` | outputlookup override_if_empty=false vuln_signature_reference | stats count'] Audit:[timestamp=05-23-2022 20:20:43.626, user=admin, action=search, info=completed, search_id='scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5cc8fbb6063874056_at_1653337200_73062', has_error_warn=false, fully_completed_search=true, total_run_time=2.89, event_count=0, result_count=1, available_count=0, scan_count=0, drop_count=0, exec_time=1653337227, api_et=1653335700.000000000, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653335700.000000000, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="ES-AWS - Account ID List - Lookup Gen", search_startup_time="2913", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SplunkEnterpriseSecuritySuite_admin_cfa5d58970c4285c", app="SplunkEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `aws-index` | eval account_id = mvdedup(mvappend(aws_account_id, recipientAccountId, AwsAccountId, vendor_account)) | where account_id != "unknown" | inputlookup append=T aws_all_account_ids | stats count by account_id | fields - count | outputlookup 
override_if_empty=false aws_all_account_ids | stats count'] Audit:[timestamp=05-23-2022 20:20:43.607, user=admin, action=search, info=completed, search_id='scheduler__admin__SplunkEnterpriseSecuritySuite__RMD551cdb06b5c6a21a9_at_1653337200_73061', has_error_warn=false, fully_completed_search=true, total_run_time=2.40, event_count=0, result_count=1, available_count=0, scan_count=0, drop_count=0, exec_time=1653337225, api_et=1653335700.000000000, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653335700.000000000, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="ES-AWS - Actions List - Lookup Gen", search_startup_time="2002", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SplunkEnterpriseSecuritySuite_admin_57d89d2e67fb8485", app="SplunkEnterpriseSecuritySuite", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `aws-index` NOT command IN ("Get*", "Describe*" "List*") | eval cloud_service_provider="aws" | inputlookup append=T actions | stats count by command, cloud_service_provider, change_type | fields - count | outputlookup override_if_empty=false actions | stats count'] 
Audit:[timestamp=05-23-2022 20:20:43.595, user=admin, action=search, info=completed, search_id='scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5a764635f76e33232_at_1653337200_73059', has_error_warn=false, fully_completed_search=true, total_run_time=9.73, event_count=0, result_count=1, available_count=0, scan_count=151, drop_count=0, exec_time=1653337221, api_et=1653333000.000000000, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653333000.000000000, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="Endpoint - System Version Tracker - Lookup Gen", search_startup_time="3588", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SA-EndpointProtection_admin_b469c8a83a5f8933", app="SA-EndpointProtection", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=151, total_slices=561015, decompressed_slices=1077, duration.command.search.index=554, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=436, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats summariesonly=false max("_time") as "_time" from datamodel="Compute_Inventory"."All_Inventory" where nodename="All_Inventory.OS" by "All_Inventory.dest","All_Inventory.OS.os" | rename "All_Inventory.dest" as "dest","All_Inventory.OS.os" as "os" | inputlookup append=T "system_version_tracker" | stats max("_time") as "_time" by "dest","os" 
| outputlookup override_if_empty=false "system_version_tracker" | stats count'] Audit:[timestamp=05-23-2022 20:20:43.556, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5061c9a5ab3371ac1_at_1653336000_73069', has_error_warn=false, fully_completed_search=true, total_run_time=1.37, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337236, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653332400.000000000, search_lt=1653337236.899738000, is_realtime=0, savedsearch_name="ESCU - EC2 Instance Started In Previously Unseen Region - Rule", search_startup_time="587", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_e0b83d6db8bd1548", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=7, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup 
previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | `ec2_instance_started_in_previously_unseen_region_filter`'] Audit:[timestamp=05-23-2022 20:20:43.472, user=admin, action=search, info=completed, search_id='scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5a6d54b4f1c421eaa_at_1653337200_73052', has_error_warn=false, fully_completed_search=true, total_run_time=12.88, event_count=627, result_count=1, available_count=0, scan_count=627, drop_count=0, exec_time=1653337212, api_et=1653163200.000000000, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653163200.000000000, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="ESS - Notable Events", search_startup_time="10884", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SplunkEnterpriseSecuritySuite_admin_f95ac5e7fbc97d96", app="SplunkEnterpriseSecuritySuite", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=627, total_slices=20, decompressed_slices=6, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=177, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__stash=627, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', 
search='search `notable` | search NOT `suppression` | eval timeDiff_type=case(_time>=relative_time(now(), "-24h@h"),"current", 1=1, "historical") | expandtoken rule_title | table _time,event_id,security_domain,urgency,rule_name,rule_title,src,dest,src_user,user,dvc,status,status_group,owner,timeDiff_type,governance,control | outputlookup es_notable_events | stats count'] Audit:[timestamp=05-23-2022 20:20:43.452, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5b63315d8c5a60cfd_at_1653337200_73054', has_error_warn=false, fully_completed_search=true, total_run_time=9.40, event_count=0, result_count=74, available_count=0, scan_count=0, drop_count=0, exec_time=1653337213, api_et=N/A, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Alerts_ACCELERATE_", search_startup_time="5023", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DM_Splunk_SA_CIM_Alerts", app="Splunk_SA_CIM", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=datamodel_acceleration, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| summarize tstats=t 
override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Alerts [ search (index=* OR index=_*) ((`cim_Alerts_indexes`) tag=alert) | eval nodename = "Alerts"| eval app=if(isnull(app) OR app="",sourcetype,app), dest=if(isnull(dest) OR dest="","unknown",dest), severity=if(isnull(severity) OR severity="","unknown",severity), signature_id=if(isnull(signature_id) OR signature_id="","unknown",signature_id), src=if(isnull(src) OR src="","unknown",src), type=if(isnull(type) OR type="","unknown",type), user=if(isnull(user) OR user="","unknown",user), user_name=if(isnull(user_name) OR user_name="","unknown",user_name) | rename body AS Alerts.body description AS Alerts.description dest_bunit AS Alerts.dest_bunit dest_category AS Alerts.dest_category dest_priority AS Alerts.dest_priority dest_type AS Alerts.dest_type id AS Alerts.id mitre_technique_id AS Alerts.mitre_technique_id severity_id AS Alerts.severity_id signature AS Alerts.signature src_bunit AS Alerts.src_bunit src_category AS Alerts.src_category src_priority AS Alerts.src_priority src_type AS Alerts.src_type subject AS Alerts.subject tag AS Alerts.tag user_bunit AS Alerts.user_bunit user_category AS Alerts.user_category user_priority AS Alerts.user_priority vendor_account AS Alerts.vendor_account vendor_region AS Alerts.vendor_region app AS Alerts.app dest AS Alerts.dest severity AS Alerts.severity signature_id AS Alerts.signature_id src AS Alerts.src type AS Alerts.type user AS Alerts.user user_name AS Alerts.user_name | fields nodename, _time, host, source, sourcetype, Alerts.body, Alerts.description, Alerts.dest_bunit, Alerts.dest_category, Alerts.dest_priority, Alerts.dest_type, Alerts.id, Alerts.mitre_technique_id, Alerts.severity_id, Alerts.signature, Alerts.src_bunit, Alerts.src_category, Alerts.src_priority, Alerts.src_type, Alerts.subject, Alerts.tag, Alerts.user_bunit, Alerts.user_category, Alerts.user_priority, Alerts.vendor_account, Alerts.vendor_region, 
Alerts.app, Alerts.dest, Alerts.severity, Alerts.signature_id, Alerts.src, Alerts.type, Alerts.user, Alerts.user_name ]'] Audit:[timestamp=05-23-2022 20:20:36.340, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5061c9a5ab3371ac1_at_1653336000_73069', search='search `cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | `ec2_instance_started_in_previously_unseen_region_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - EC2 Instance Started In Previously Unseen Region - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:32.820, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD56fdbd6870256b788_at_1653336000_73067', search='search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t 
previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - AWS Cloud Provisioning From Previously Unseen Region - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:30.229, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5d8f29e948a1c1d53_at_1653337200_73064', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Databases [ search (index=* OR index=_*) ((`cim_Databases_indexes`) tag=database) | eval nodename = "All_Databases"| eval vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." 
unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown")| eval is_Database_Instance=if(searchmatch("(tag=instance)"),1,0), is_not_Database_Instance=1-is_Database_Instance, is_Database_Query=if(searchmatch("(tag=query)"),1,0), is_not_Database_Query=1-is_Database_Query | eval nodename = if(nodename == "All_Databases" AND searchmatch("(tag=instance)"), mvappend(nodename, "All_Databases.Database_Instance"), nodename)| eval is_Instance_Stats=if(searchmatch("(tag=stats)"),1,0), is_not_Instance_Stats=1-is_Instance_Stats, is_Session_Info=if(searchmatch("(tag=session)"),1,0), is_not_Session_Info=1-is_Session_Info, is_Lock_Info=if(searchmatch("(tag=lock)"),1,0), is_not_Lock_Info=1-is_Lock_Info | eval nodename = if(nodename == "All_Databases.Database_Instance" AND searchmatch("(tag=stats)"), mvappend(nodename, "All_Databases.Database_Instance.Instance_Stats"), nodename) | rename start_time AS All_Databases.Database_Instance.Instance_Stats.start_time availability AS All_Databases.Database_Instance.Instance_Stats.availability sessions AS All_Databases.Database_Instance.Instance_Stats.sessions processes AS All_Databases.Database_Instance.Instance_Stats.processes dump_area_used AS All_Databases.Database_Instance.Instance_Stats.dump_area_used tablespace_used AS All_Databases.Database_Instance.Instance_Stats.tablespace_used number_of_users AS All_Databases.Database_Instance.Instance_Stats.number_of_users avg_executions AS All_Databases.Database_Instance.Instance_Stats.avg_executions instance_reads AS All_Databases.Database_Instance.Instance_Stats.instance_reads instance_writes AS All_Databases.Database_Instance.Instance_Stats.instance_writes sga_buffer_cache_size AS All_Databases.Database_Instance.Instance_Stats.sga_buffer_cache_size sga_shared_pool_size AS All_Databases.Database_Instance.Instance_Stats.sga_shared_pool_size sga_redo_log_buffer_size AS 
All_Databases.Database_Instance.Instance_Stats.sga_redo_log_buffer_size sga_library_cache_size AS All_Databases.Database_Instance.Instance_Stats.sga_library_cache_size sga_fixed_area_size AS All_Databases.Database_Instance.Instance_Stats.sga_fixed_area_size sga_sql_area_size AS All_Databases.Database_Instance.Instance_Stats.sga_sql_area_size sga_buffer_hit_limit AS All_Databases.Database_Instance.Instance_Stats.sga_buffer_hit_limit sga_data_dict_hit_ratio AS All_Databases.Database_Instance.Instance_Stats.sga_data_dict_hit_ratio sga_free_memory AS All_Databases.Database_Instance.Instance_Stats.sga_free_memory | eval nodename = if(nodename == "All_Databases.Database_Instance" AND searchmatch("(tag=session)"), mvappend(nodename, "All_Databases.Database_Instance.Session_Info"), nodename) | rename session_id AS All_Databases.Database_Instance.Session_Info.session_id session_status AS All_Databases.Database_Instance.Session_Info.session_status machine AS All_Databases.Database_Instance.Session_Info.machine elapsed_time AS All_Databases.Database_Instance.Session_Info.elapsed_time cpu_used AS All_Databases.Database_Instance.Session_Info.cpu_used memory_sorts AS All_Databases.Database_Instance.Session_Info.memory_sorts table_scans AS All_Databases.Database_Instance.Session_Info.table_scans physical_reads AS All_Databases.Database_Instance.Session_Info.physical_reads logical_reads AS All_Databases.Database_Instance.Session_Info.logical_reads commits AS All_Databases.Database_Instance.Session_Info.commits cursor AS All_Databases.Database_Instance.Session_Info.cursor buffer_cache_hit_ratio AS All_Databases.Database_Instance.Session_Info.buffer_cache_hit_ratio wait_state AS All_Databases.Database_Instance.Session_Info.wait_state wait_time AS All_Databases.Database_Instance.Session_Info.wait_time seconds_in_wait AS All_Databases.Database_Instance.Session_Info.seconds_in_wait | eval nodename = if(nodename == "All_Databases.Database_Instance" AND searchmatch("(tag=lock)"), 
mvappend(nodename, "All_Databases.Database_Instance.Lock_Info"), nodename) | rename obj_name AS All_Databases.Database_Instance.Lock_Info.obj_name lock_session_id AS All_Databases.Database_Instance.Lock_Info.lock_session_id serial_num AS All_Databases.Database_Instance.Lock_Info.serial_num lock_mode AS All_Databases.Database_Instance.Lock_Info.lock_mode os_pid AS All_Databases.Database_Instance.Lock_Info.os_pid last_call_minute AS All_Databases.Database_Instance.Lock_Info.last_call_minute logon_time AS All_Databases.Database_Instance.Lock_Info.logon_time | rename instance_name AS All_Databases.Database_Instance.instance_name instance_version AS All_Databases.Database_Instance.instance_version session_limit AS All_Databases.Database_Instance.session_limit process_limit AS All_Databases.Database_Instance.process_limit is_Instance_Stats AS All_Databases.Database_Instance.is_Instance_Stats is_not_Instance_Stats AS All_Databases.Database_Instance.is_not_Instance_Stats is_Session_Info AS All_Databases.Database_Instance.is_Session_Info is_not_Session_Info AS All_Databases.Database_Instance.is_not_Session_Info is_Lock_Info AS All_Databases.Database_Instance.is_Lock_Info is_not_Lock_Info AS All_Databases.Database_Instance.is_not_Lock_Info | eval nodename = if(nodename == "All_Databases" AND searchmatch("(tag=query)"), mvappend(nodename, "All_Databases.Database_Query"), nodename)| eval is_Tablespace=if(searchmatch("(tag=tablespace)"),1,0), is_not_Tablespace=1-is_Tablespace, is_Query_Stats=if(searchmatch("(tag=stats)"),1,0), is_not_Query_Stats=1-is_Query_Stats | eval nodename = if(nodename == "All_Databases.Database_Query" AND searchmatch("(tag=tablespace)"), mvappend(nodename, "All_Databases.Database_Query.Tablespace"), nodename) | rename tablespace_name AS All_Databases.Database_Query.Tablespace.tablespace_name tablespace_status AS All_Databases.Database_Query.Tablespace.tablespace_status free_bytes AS All_Databases.Database_Query.Tablespace.free_bytes tablespace_reads AS 
All_Databases.Database_Query.Tablespace.tablespace_reads tablespace_writes AS All_Databases.Database_Query.Tablespace.tablespace_writes | eval nodename = if(nodename == "All_Databases.Database_Query" AND searchmatch("(tag=stats)"), mvappend(nodename, "All_Databases.Database_Query.Query_Stats"), nodename) | rename stored_procedures_called AS All_Databases.Database_Query.Query_Stats.stored_procedures_called tables_hit AS All_Databases.Database_Query.Query_Stats.tables_hit indexes_hit AS All_Databases.Database_Query.Query_Stats.indexes_hit query_plan_hit AS All_Databases.Database_Query.Query_Stats.query_plan_hit | rename query AS All_Databases.Database_Query.query query_id AS All_Databases.Database_Query.query_id query_time AS All_Databases.Database_Query.query_time records_affected AS All_Databases.Database_Query.records_affected is_Tablespace AS All_Databases.Database_Query.is_Tablespace is_not_Tablespace AS All_Databases.Database_Query.is_not_Tablespace is_Query_Stats AS All_Databases.Database_Query.is_Query_Stats is_not_Query_Stats AS All_Databases.Database_Query.is_not_Query_Stats | rename dest AS All_Databases.dest dest_bunit AS All_Databases.dest_bunit dest_category AS All_Databases.dest_category dest_priority AS All_Databases.dest_priority duration AS All_Databases.duration object AS All_Databases.object response_time AS All_Databases.response_time src AS All_Databases.src src_bunit AS All_Databases.src_bunit src_category AS All_Databases.src_category src_priority AS All_Databases.src_priority tag AS All_Databa (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Databases_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] 
Audit:[timestamp=05-23-2022 20:20:25.876, user=admin, action=search, info=granted , search_id='scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5cc8fbb6063874056_at_1653337200_73062', search='search `aws-index` | eval account_id = mvdedup(mvappend(aws_account_id, recipientAccountId, AwsAccountId, vendor_account)) | where account_id != "unknown" | inputlookup append=T aws_all_account_ids | stats count by account_id | fields - count | outputlookup override_if_empty=false aws_all_account_ids | stats count', autojoin='1', buckets=0, ttl=2400, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:55:00 2022', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ES-AWS - Account ID List - Lookup Gen", search_type="scheduled", is_proxied=false, app="SplunkEnterpriseSecuritySuite", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:24.809, user=admin, action=search, info=granted , search_id='scheduler__admin__SplunkEnterpriseSecuritySuite__RMD551cdb06b5c6a21a9_at_1653337200_73061', search='search `aws-index` NOT command IN ("Get*", "Describe*" "List*") | eval cloud_service_provider="aws" | inputlookup append=T actions | stats count by command, cloud_service_provider, change_type | fields - count | outputlookup override_if_empty=false actions | stats count', autojoin='1', buckets=0, ttl=2400, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:55:00 2022', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ES-AWS - Actions List - Lookup Gen", search_type="scheduled", is_proxied=false, app="SplunkEnterpriseSecuritySuite", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:23.600, user=splunk-system-user, action=search, info=granted , 
search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD58565409e08e07808_at_1653337200_73060', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Compute_Inventory [ search (index=* OR index=_*) ((`cim_Compute_Inventory_indexes`) tag=inventory (tag=cpu OR tag=memory OR tag=network OR tag=storage OR (tag=system tag=version) OR tag=user OR tag=virtual)) | eval nodename = "All_Inventory"| eval dest=if(isnull(dest) OR dest="","unknown",dest), vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown")| eval is_CPU=if(searchmatch("(tag=cpu)"),1,0), is_not_CPU=1-is_CPU, is_Memory=if(searchmatch("(tag=memory)"),1,0), is_not_Memory=1-is_Memory, is_Network=if(searchmatch("(tag=network)"),1,0), is_not_Network=1-is_Network, is_Storage=if(searchmatch("(tag=storage)"),1,0), is_not_Storage=1-is_Storage, is_OS=if(searchmatch("(tag=system tag=version)"),1,0), is_not_OS=1-is_OS, is_User=if(searchmatch("(tag=user)"),1,0), is_not_User=1-is_User, is_Virtual_OS=if(searchmatch("(tag=virtual)"),1,0), is_not_Virtual_OS=1-is_Virtual_OS | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=cpu)"), mvappend(nodename, "All_Inventory.CPU"), nodename) | rename cpu_cores AS All_Inventory.CPU.cpu_cores cpu_count AS All_Inventory.CPU.cpu_count cpu_mhz AS All_Inventory.CPU.cpu_mhz | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=memory)"), mvappend(nodename, "All_Inventory.Memory"), nodename) | rename mem AS All_Inventory.Memory.mem | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=network)"), mvappend(nodename, 
"All_Inventory.Network"), nodename) | rename dns AS All_Inventory.Network.dns interface AS All_Inventory.Network.interface ip AS All_Inventory.Network.ip dest_ip AS All_Inventory.Network.dest_ip src_ip AS All_Inventory.Network.src_ip mac AS All_Inventory.Network.mac lb_method AS All_Inventory.Network.lb_method node AS All_Inventory.Network.node inline_nat AS All_Inventory.Network.inline_nat vip_port AS All_Inventory.Network.vip_port node_port AS All_Inventory.Network.node_port name AS All_Inventory.Network.name | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=storage)"), mvappend(nodename, "All_Inventory.Storage"), nodename) | rename array AS All_Inventory.Storage.array blocksize AS All_Inventory.Storage.blocksize cluster AS All_Inventory.Storage.cluster fd_max AS All_Inventory.Storage.fd_max latency AS All_Inventory.Storage.latency mount AS All_Inventory.Storage.mount parent AS All_Inventory.Storage.parent read_blocks AS All_Inventory.Storage.read_blocks read_latency AS All_Inventory.Storage.read_latency read_ops AS All_Inventory.Storage.read_ops storage AS All_Inventory.Storage.storage write_blocks AS All_Inventory.Storage.write_blocks write_latency AS All_Inventory.Storage.write_latency write_ops AS All_Inventory.Storage.write_ops | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=system tag=version)"), mvappend(nodename, "All_Inventory.OS"), nodename)| eval os=if(isnotnull(os) AND os!="",replace(replace(os,"(?:\(R\)|\\\\xA8)",""),"^(?:MS)?\s*Windows","Microsoft Windows"),"unknown") | rename os AS All_Inventory.OS.os | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=user)"), mvappend(nodename, "All_Inventory.User"), nodename)| eval interactive=case(isnotnull(interactive) AND interactive!="",interactive,tag="interactive","true",1=1,"false"), password=if((password=="*" OR password=="x" OR password==""),null(),password), user=if(isnull(user) OR user="","unknown",user)| eval 
is_Cleartext_Passwords=if(searchmatch("(password=*)"),1,0), is_not_Cleartext_Passwords=1-is_Cleartext_Passwords, is_Default_Accounts=if(searchmatch("(tag=default)"),1,0), is_not_Default_Accounts=1-is_Default_Accounts | eval nodename = if(nodename == "All_Inventory.User" AND searchmatch("(password=*)"), mvappend(nodename, "All_Inventory.User.Cleartext_Passwords"), nodename) | eval nodename = if(nodename == "All_Inventory.User" AND searchmatch("(tag=default)"), mvappend(nodename, "All_Inventory.User.Default_Accounts"), nodename) | rename shell AS All_Inventory.User.shell user_bunit AS All_Inventory.User.user_bunit user_category AS All_Inventory.User.user_category user_id AS All_Inventory.User.user_id user_priority AS All_Inventory.User.user_priority interactive AS All_Inventory.User.interactive password AS All_Inventory.User.password user AS All_Inventory.User.user is_Cleartext_Passwords AS All_Inventory.User.is_Cleartext_Passwords is_not_Cleartext_Passwords AS All_Inventory.User.is_not_Cleartext_Passwords is_Default_Accounts AS All_Inventory.User.is_Default_Accounts is_not_Default_Accounts AS All_Inventory.User.is_not_Default_Accounts | eval nodename = if(nodename == "All_Inventory" AND searchmatch("(tag=virtual)"), mvappend(nodename, "All_Inventory.Virtual_OS"), nodename)| eval is_Snapshot=if(searchmatch("(tag=snapshot)"),1,0), is_not_Snapshot=1-is_Snapshot, is_Tools=if(searchmatch("(tag=tools)"),1,0), is_not_Tools=1-is_Tools | eval nodename = if(nodename == "All_Inventory.Virtual_OS" AND searchmatch("(tag=snapshot)"), mvappend(nodename, "All_Inventory.Virtual_OS.Snapshot"), nodename) | rename size AS All_Inventory.Virtual_OS.Snapshot.size snapshot AS All_Inventory.Virtual_OS.Snapshot.snapshot time AS All_Inventory.Virtual_OS.Snapshot.time | eval nodename = if(nodename == "All_Inventory.Virtual_OS" AND searchmatch("(tag=tools)"), mvappend(nodename, "All_Inventory.Virtual_OS.Tools"), nodename) | rename hypervisor AS All_Inventory.Virtual_OS.hypervisor is_Snapshot AS 
All_Inventory.Virtual_OS.is_Snapshot is_not_Snapshot AS All_Inventory.Virtual_OS.is_not_Snapshot is_Tools AS All_Inventory.Virtual_OS.is_Tools is_not_Tools AS All_Inventory.Virtual_OS.is_not_Tools | rename description AS All_Inventory.description dest_bunit AS All_Inventory.dest_bunit dest_category AS All_Inventory.dest_category dest_priority AS All_Inventory.dest_priority enabled AS All_Inventory.enabled family AS All_Inventory.family hypervisor_id AS All_Inventory.hypervisor_id serial AS All_Inventory.serial status AS All_Inventory.status version AS All_Inventory.version tag AS All_Inventory.tag dest AS All_Inventory.dest vendor_product AS All_Inventory.vendor_product is_CPU AS All_Inventory.is_CPU is_not_CPU AS All_Inventory.is_not_CPU is_Memory AS All_Inventory.is_Memory is_not_Memory AS All_Inventory.is_not_Memory is_Network AS All_Inventory.is_Network is_not_Network AS All_Inventory.is_not_Network is_Storage AS All_Inventory.is_Storage is_not_Storage AS All_Inventory.is_not_Storage is_OS AS All_Inventory.is_OS is_not_OS AS All_Inventory.is_not_OS is_User AS All_Inventory.is_User is_not_User AS All_Inventory.is_not_User is_Virtual_OS AS All_Inventory.is_Virtual_OS is_not_Virtual_OS AS All_Inventory.is_not_Virtual_OS | fields nodename, _time, host, source, sourcetype, All_Inventory.description, All_Inventory.dest_bunit, All_Inventory.dest_category, All_Inventory.dest_priority, All_Inventory.enabled, All_Inventory.family, All_Inventory.hypervisor_id, All_Inventory.serial, All_Inventory.status, All_Inventory.version, All_Inventory.tag, All_Inventory.dest, All_Inventory.vendor_product, All_Inventory.is_CPU, All_Inventory.is_not_CPU, All_Inventory.is_Memory, All_Inventory.is_not_Memory, All_Inventory.is_Network, All_Inventory.is_not_Network, All_Inventory.is_Storage, All_Inventory.is_not_Storage, All_Inventory.is_OS, All_Inventory.is_not_OS, All_Inventory.is_User, All_Inventory.is_not_User, All_Inventory.is_Virtual_OS, All_Inventory.is_not_Virtual_OS, 
All_Inventory.CPU.cpu_cores, All_Inventory.CPU.cpu_count, All_Inventory.CPU.cpu_mhz, All_Inventory.Memory.mem, All_Inventory.Network.dns, All_Invento (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Compute_Inventory_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:20.508, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtRW5kcG9pbnRQcm90ZWN0aW9u__RMD5a764635f76e33232_at_1653337200_73059', search='| tstats summariesonly=false max("_time") as "_time" from datamodel="Compute_Inventory"."All_Inventory" where nodename="All_Inventory.OS" by "All_Inventory.dest","All_Inventory.OS.os" | rename "All_Inventory.dest" as "dest","All_Inventory.OS.os" as "os" | inputlookup append=T "system_version_tracker" | stats max("_time") as "_time" by "dest","os" | outputlookup override_if_empty=false "system_version_tracker" | stats count', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:10:00 2022', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Endpoint - System Version Tracker - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-EndpointProtection", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:16.187, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtTmV0d29ya1Byb3RlY3Rpb24__RMD5ee8d785f4bcf4e4c_at_1653337200_73057', search='| tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime,values(Vulnerabilities.bugtraq) as bugtraq,values(Vulnerabilities.cert) as 
cert,values(Vulnerabilities.cve) as cve,values(Vulnerabilities.msft) as msft,values(Vulnerabilities.mskb) as mskb,values(Vulnerabilities.xref) as xref from datamodel=Vulnerabilities.Vulnerabilities by Vulnerabilities.signature,Vulnerabilities.vendor_product | `drop_dm_object_name("Vulnerabilities")` | inputlookup append=T vuln_signature_reference | `makemv(bugtraq)` | `makemv(cert)` | `makemv(cve)` | `makemv(msft)` | `makemv(mskb)` | `makemv(xref)` | stats min(firstTime) as firstTime,max(lastTime) as lastTime,values(cve) as cve,values(bugtraq) as bugtraq,values(cert) as cert,values(msft) as msft,values(mskb) as mskb,values(xref) as xref by signature,vendor_product | `makesv(bugtraq)` | `makesv(cert)` | `makesv(cve)` | `makesv(msft)` | `makesv(mskb)` | `makesv(xref)` | outputlookup override_if_empty=false vuln_signature_reference | stats count', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:10:00 2022', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Network - Vulnerability Signature Reference - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-NetworkProtection", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:14.052, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD59b635ed5a9fea570_at_1653336000_73039', has_error_warn=false, fully_completed_search=true, total_run_time=2.58, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337187, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", search_startup_time="3391", is_prjob=false, 
acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_0cced991925b030d", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`'] Audit:[timestamp=05-23-2022 20:20:14.049, user=splunk-system-user, action=search, info=completed, 
search_id='_c3BsdW5rLXN5c3RlbS11c2Vy__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD56c54cc9c1045b223_1653337202.311466', has_error_warn=false, fully_completed_search=true, total_run_time=4.08, event_count=381, result_count=0, available_count=0, scan_count=381, drop_count=0, exec_time=1653337202, api_et=1653334800.000000000, api_lt=1653336600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653334800.000000000, search_lt=1653336600.000000000, is_realtime=0, savedsearch_name="threatmatch://http_user_agent", search_startup_time="4311", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ThreatIntelligence_nobody_7795f28fe6b1cd8e", app="DA-ESS-ThreatIntelligence", provenance="N/A", mode="historical_batch", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| tstats prestats=true summariesonly=true values("sourcetype"),values("Web.src"),values("Web.dest"),values("Web.user") from datamodel="Web"."Web" by "Web.http_user_agent" | lookup "threatintel_by_http_user_agent" value as "Web.http_user_agent" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_http_user_agent_wildcard" value as "Web.http_user_agent" OUTPUT threat_collection as tc1,threat_collection_key 
as tck1 | where isnotnull('tck0') OR isnotnull('tck1') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(Web.src,src)` | `sistats_values_rename(Web.dest,dest)` | `sistats_values_rename(Web.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"http_user_agent",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'Web.http_user_agent','threat_match_value') | mvexpand threat_collection_key | stats values("dest") as "dest",values("sourcetype") as "sourcetype",values("src") as "src",values("user") as "user" by threat_match_field,threat_match_value,threat_collection_key | rex field=threat_collection_key "^(?.*)@@(?.*)$" | eval "dest"=mvindex('dest',0,10-1) | eval "sourcetype"=mvindex('sourcetype',0,10-1) | eval "src"=mvindex('src',0,10-1) | eval "user"=mvindex('user',0,10-1) | eval certificate_intel_key=if(threat_collection="certificate_intel",'threat_collection_key',null()) | eval email_intel_key=if(threat_collection="email_intel",'threat_collection_key',null()) | eval file_intel_key=if(threat_collection="file_intel",'threat_collection_key',null()) | eval http_intel_key=if(threat_collection="http_intel",'threat_collection_key',null()) | eval ip_intel_key=if(threat_collection="ip_intel",'threat_collection_key',null()) | eval process_intel_key=if(threat_collection="process_intel",'threat_collection_key',null()) | eval registry_intel_key=if(threat_collection="registry_intel",'threat_collection_key',null()) | eval service_intel_key=if(threat_collection="service_intel",'threat_collection_key',null()) | eval user_intel_key=if(threat_collection="user_intel",'threat_collection_key',null()) | lookup "certificate_intel" _key as "certificate_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "email_intel" _key as "email_intel_key" OUTPUTNEW 
"description","threat_key","weight","disabled" | lookup "file_intel" _key as "file_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "http_intel" _key as "http_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "ip_intel" _key as "ip_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "process_intel" _key as "process_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "registry_intel" _key as "registry_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "service_intel" _key as "service_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "user_intel" _key as "user_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup threat_group_intel _key as threat_key OUTPUTNEW description,weight | eval weight=if(isnum(weight),weight,60) | fields - intelzip*,"certificate_intel_key","email_intel_key","file_intel_key","http_intel_key","ip_intel_key","process_intel_key","registry_intel_key","service_intel_key","user_intel_key" | `threatintel_outputlookup_exclusions` | dedup threat_match_field,threat_match_value,threat_key | collectthreat source="threatmatch://http_user_agent"'] Audit:[timestamp=05-23-2022 20:20:14.047, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5021246a350b56653_at_1653337080_73020', has_error_warn=false, fully_completed_search=true, total_run_time=51.22, event_count=0, result_count=74, available_count=0, scan_count=86168, drop_count=0, exec_time=1653337134, api_et=1650745080.000000000, api_lt=1653337080.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1650745080.000000000, search_lt=1653337080.000000000, is_realtime=0, savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Endpoint.Services_ACCELERATE_", search_startup_time="2599", is_prjob=false, 
acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DM_Splunk_SA_CIM_Endpoint.Services", app="Splunk_SA_CIM", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=datamodel_acceleration, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Endpoint.Services [ search (index=* OR index=_*) (`cim_Endpoint_indexes`) tag=service tag=report | eval nodename = "Services"| eval dest=if(isnull(dest) OR dest="","unknown",dest), service=if(isnull(service) OR service="","unknown",service), service_name=if(isnull(service_name) OR service_name="","unknown",service_name), service_id=if(isnull(service_id) OR service_id="","unknown",service_id), start_mode=if(isnull(start_mode) OR start_mode="","unknown",start_mode), status=if(isnull(status) OR status="","unknown",status), user=if(isnull(user) OR user="","unknown",user), vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." 
unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") | rename description AS Services.description dest_bunit AS Services.dest_bunit dest_category AS Services.dest_category dest_is_expected AS Services.dest_is_expected dest_priority AS Services.dest_priority dest_requires_av AS Services.dest_requires_av dest_should_timesync AS Services.dest_should_timesync dest_should_update AS Services.dest_should_update process_guid AS Services.process_guid process_id AS Services.process_id service_dll AS Services.service_dll service_dll_path AS Services.service_dll_path service_dll_hash AS Services.service_dll_hash service_dll_signature_exists AS Services.service_dll_signature_exists service_dll_signature_verified AS Services.service_dll_signature_verified service_exec AS Services.service_exec service_hash AS Services.service_hash service_path AS Services.service_path service_signature_exists AS Services.service_signature_exists service_signature_verified AS Services.service_signature_verified tag AS Services.tag user_bunit AS Services.user_bunit user_category AS Services.user_category user_priority AS Services.user_priority dest AS Services.dest service AS Services.service service_name AS Services.service_name service_id AS Services.service_id start_mode AS Services.start_mode status AS Services.status user AS Services.user vendor_product AS Services.vendor_product | fields nodename, _time, host, source, sourcetype, Services.description, Services.dest_bunit, Services.dest_category, Services.dest_is_expected, Services.dest_priority, Services.dest_requires_av, Services.dest_should_timesync, Services.dest_should_update, Services.process_guid, Services.process_id, Services.service_dll, Services.service_dll_path, Services.service_dll_hash, Services.service_dll_signature_exists, Services.service_dll_signature_verified, Services.service_exec, Services.service_hash, 
Services.service_path, Services.service_signature_exists, Services.service_signature_verified, Services.tag, Services.user_bunit, Services.user_category, Services.user_priority, Services.dest, Services.service, Services.service_name, Services.service_id, Services.start_mode, Services.status, Services.user, Services.vendor_product ]'] Audit:[timestamp=05-23-2022 20:20:13.944, user=admin, action=search, info=completed, search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD51dbc70e0e18846c9_at_1653337200_73048', has_error_warn=false, fully_completed_search=true, total_run_time=2.02, event_count=0, result_count=1, available_count=0, scan_count=0, drop_count=0, exec_time=1653337208, api_et=N/A, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="Threat - Notable Owners - Lookup Gen", search_startup_time="2740", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SA-ThreatIntelligence_admin_1683551a91b566f5", app="SA-ThreatIntelligence", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| rest splunk_server=local count=0 /services/authentication/users | search 
capabilities="can_own_notable_events" | rename title as owner | append [| makeresults | eval owner="unassigned" ] | eval _key=owner | eval realname=if(isnull(realname) or realname="", null(), realname) | table _key owner realname | outputlookup notable_owners_lookup | stats count'] Audit:[timestamp=05-23-2022 20:20:13.893, user=admin, action=search, info=completed, search_id='subsearch_scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD59b635ed5a9fea570_at_1653336000_73039_1653337188.1', has_error_warn=false, fully_completed_search=true, total_run_time=1.70, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337188, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="", search_startup_time="707", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_70b712a4f6c4799e", app="DA-ESS-ContentUpdate", provenance="N/A", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=7, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search sourcetype=aws:cloudtrail (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats 
earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress'] Audit:[timestamp=05-23-2022 20:20:13.868, user=admin, action=search, info=completed, search_id='scheduler__admin_U0EtVXRpbHM__RMD5495078187e88a4c3_at_1653337200_73046', has_error_warn=false, fully_completed_search=true, total_run_time=1.57, event_count=0, result_count=1, available_count=0, scan_count=0, drop_count=0, exec_time=1653337207, api_et=N/A, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="Utils - User Realnames - Lookup Gen", search_startup_time="2011", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_SA-Utils_admin_1683551a91b566f5", app="SA-Utils", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, 
roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| rest splunk_server=local count=0 /services/authentication/users | rename title as user | eval _key=user | dedup _key | eval realname=if(isnull(realname) or realname="", null(), realname) | table _key user realname | outputlookup key_field=_key user_realnames_lookup | stats count'] Audit:[timestamp=05-23-2022 20:20:13.866, user=splunk-system-user, action=search, info=completed, search_id='_c3BsdW5rLXN5c3RlbS11c2Vy__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD542095c95ae0ea321_1653337202.311467', has_error_warn=false, fully_completed_search=true, total_run_time=9.34, event_count=2230, result_count=0, available_count=0, scan_count=2230, drop_count=0, exec_time=1653337203, api_et=1653334800.000000000, api_lt=1653336600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653334800.000000000, search_lt=1653336600.000000000, is_realtime=0, savedsearch_name="threatmatch://dest", search_startup_time="9806", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ThreatIntelligence_nobody_63eab2828e16d804", app="DA-ESS-ThreatIntelligence", provenance="N/A", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', 
search='| multisearch [ | tstats prestats=true summariesonly=true values("sourcetype"),values("DNS.src") from datamodel="Network_Resolution"."DNS" by "DNS.answer" | `truncate_domain_dedup(DNS.answer, DNS.answer_truncated)` | lookup "threatintel_by_cidr" value as "DNS.answer" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "DNS.answer" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "DNS.answer_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "DNS.answer" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(DNS.src,src)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.answer','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("All_Traffic.src"),values("All_Traffic.user") from datamodel="Network_Traffic"."All_Traffic" where "All_Traffic.action"="allowed" by "All_Traffic.dest" | `truncate_domain_dedup(All_Traffic.dest, All_Traffic.dest_truncated)` | lookup "threatintel_by_cidr" value as "All_Traffic.dest" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "All_Traffic.dest" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "All_Traffic.dest_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup 
"threatintel_by_system" value as "All_Traffic.dest" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(All_Traffic.src,src)` | `sistats_values_rename(All_Traffic.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'All_Traffic.dest','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("IDS_Attacks.src"),values("IDS_Attacks.user") from datamodel="Intrusion_Detection"."IDS_Attacks" by "IDS_Attacks.dest" | `truncate_domain_dedup(IDS_Attacks.dest, IDS_Attacks.dest_truncated)` | lookup "threatintel_by_cidr" value as "IDS_Attacks.dest" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "IDS_Attacks.dest" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "IDS_Attacks.dest_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "IDS_Attacks.dest" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(IDS_Attacks.src,src)` | 
`sistats_values_rename(IDS_Attacks.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'IDS_Attacks.dest','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("Web.src"),values("Web.user") from datamodel="Web"."Web" by "Web.dest" | `truncate_domain_dedup(Web.dest, Web.dest_truncated)` | lookup "threatintel_by_cidr" value as "Web.dest" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "Web.dest" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "Web.dest_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "Web.dest" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(Web.src,src)` | `sistats_values_rename(Web.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'Web.dest','threat_match_value')] | mvexpand threat_collection_key | stats values("sourcetype") as "sourcetype",values("src") as "src",values("user") as "user" by threat_match_field,threat_match_value,threat_collection_key | rex field=threat_collection_key "^(?.*)@@(?.*)$" | eval "sourcetype"=mvindex('sourcetype',0,10-1) | eval "src"=mvindex('src',0,10-1) | eval "user"=mvindex('user',0,10-1) | eval 
certificate_intel_key=if(threat_collection="certificate_intel",'threat_collection_key',null()) | eval email_intel_key=if(threat_collection="email_intel",'threat_collection_key',null()) | eval file_intel_key=if(threat_collection="file_intel",'threat_collection_key',null()) | eval http_intel_key=if(threat_collection="http_intel",'threat_collection_key',null()) | eval ip_intel_key=if(threat_collection="ip_intel",'threat_collection_key',null()) | eval process_intel_key=if(threat_collection="process_intel",'threat_collection_key',null()) | eval registry_intel_key=if(threat_collection="registry_intel",'threat_collection_key',null()) | eval service_intel_key=if(threat_collection="service_intel",'threat_collection_key',null()) | eval user_intel_key=if(threat_collection="user_intel",'threat_collection_key',null()) | lookup "certificate_intel" _key as "certificate_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "email_intel" _key as "email_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "file_intel" _key as "file_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "http_intel" _key as "http_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "ip_intel" _key as "ip_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "process_intel" _key as "process_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "registry_intel" _key as "registry_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "service_intel" _key as "service_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "user_intel" _key as "user_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup threat_group_intel _key as threat_key OUTPUTNEW description,weight | eval weight=if(isnum(weight),weight,60) | fields - 
intelzip*,"certificate_intel_key","email_intel_key","file_intel_key","http_intel_key","ip_intel_key","process_intel_key","registry_intel_key","service_intel_key","user_intel_key" | `threatintel_outputlookup_exclusions` | dedup threat_match_field,threat_match_value,threat_key | collectthreat source="threatmatch://dest"'] Audit:[timestamp=05-23-2022 20:20:13.775, user=splunk-system-user, action=search, info=completed, search_id='_c3BsdW5rLXN5c3RlbS11c2Vy__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD5512a5e1102b73d8c_1653337202.311468', has_error_warn=false, fully_completed_search=true, total_run_time=9.12, event_count=2230, result_count=0, available_count=0, scan_count=2230, drop_count=0, exec_time=1653337203, api_et=1653334800.000000000, api_lt=1653336600.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653334800.000000000, search_lt=1653336600.000000000, is_realtime=0, savedsearch_name="threatmatch://src", search_startup_time="0", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ThreatIntelligence_nobody_9f7bb060607c95c7", app="DA-ESS-ThreatIntelligence", provenance="N/A", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| multisearch [ | tstats prestats=true 
summariesonly=true values("sourcetype"),values("DNS.dest") from datamodel="Network_Resolution"."DNS" by "DNS.query" | `truncate_domain_dedup(DNS.query, DNS.query_truncated)` | lookup "threatintel_by_cidr" value as "DNS.query" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "DNS.query" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "DNS.query_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "DNS.query" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(DNS.dest,dest)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.query','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("All_Traffic.dest"),values("All_Traffic.user") from datamodel="Network_Traffic"."All_Traffic" where "All_Traffic.action"="allowed" by "All_Traffic.src" | `truncate_domain_dedup(All_Traffic.src, All_Traffic.src_truncated)` | lookup "threatintel_by_cidr" value as "All_Traffic.src" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "All_Traffic.src" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "All_Traffic.src_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "All_Traffic.src" OUTPUT 
threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(All_Traffic.dest,dest)` | `sistats_values_rename(All_Traffic.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'All_Traffic.src','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("IDS_Attacks.dest"),values("IDS_Attacks.user") from datamodel="Intrusion_Detection"."IDS_Attacks" by "IDS_Attacks.src" | `truncate_domain_dedup(IDS_Attacks.src, IDS_Attacks.src_truncated)` | lookup "threatintel_by_cidr" value as "IDS_Attacks.src" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "IDS_Attacks.src" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "IDS_Attacks.src_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "IDS_Attacks.src" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(IDS_Attacks.dest,dest)` | `sistats_values_rename(IDS_Attacks.user,user)` | eval 
"threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'IDS_Attacks.src','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("Web.dest"),values("Web.user") from datamodel="Web"."Web" by "Web.src" | `truncate_domain_dedup(Web.src, Web.src_truncated)` | lookup "threatintel_by_cidr" value as "Web.src" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "Web.src" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "Web.src_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "Web.src" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(Web.dest,dest)` | `sistats_values_rename(Web.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'Web.src','threat_match_value')] | mvexpand threat_collection_key | stats values("dest") as "dest",values("sourcetype") as "sourcetype",values("user") as "user" by threat_match_field,threat_match_value,threat_collection_key | rex field=threat_collection_key "^(?.*)@@(?.*)$" | eval "dest"=mvindex('dest',0,10-1) | eval "sourcetype"=mvindex('sourcetype',0,10-1) | eval "user"=mvindex('user',0,10-1) | eval certificate_intel_key=if(threat_collection="certificate_intel",'threat_collection_key',null()) | eval 
email_intel_key=if(threat_collection="email_intel",'threat_collection_key',null()) | eval file_intel_key=if(threat_collection="file_intel",'threat_collection_key',null()) | eval http_intel_key=if(threat_collection="http_intel",'threat_collection_key',null()) | eval ip_intel_key=if(threat_collection="ip_intel",'threat_collection_key',null()) | eval process_intel_key=if(threat_collection="process_intel",'threat_collection_key',null()) | eval registry_intel_key=if(threat_collection="registry_intel",'threat_collection_key',null()) | eval service_intel_key=if(threat_collection="service_intel",'threat_collection_key',null()) | eval user_intel_key=if(threat_collection="user_intel",'threat_collection_key',null()) | lookup "certificate_intel" _key as "certificate_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "email_intel" _key as "email_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "file_intel" _key as "file_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "http_intel" _key as "http_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "ip_intel" _key as "ip_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "process_intel" _key as "process_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "registry_intel" _key as "registry_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "service_intel" _key as "service_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "user_intel" _key as "user_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup threat_group_intel _key as threat_key OUTPUTNEW description,weight | eval weight=if(isnum(weight),weight,60) | fields - intelzip*,"certificate_intel_key","email_intel_key","file_intel_key","http_intel_key","ip_intel_key","process_intel_key","registry_intel_key","service_intel_key","user_intel_key" | 
`threatintel_outputlookup_exclusions` | dedup threat_match_field,threat_match_value,threat_key | collectthreat source="threatmatch://src"'] Audit:[timestamp=05-23-2022 20:20:13.449, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD59a7ba9265413a852_at_1653337200_73045', has_error_warn=false, fully_completed_search=true, total_run_time=1.67, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337207, api_et=N/A, api_lt=1653337200.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=1653337200.000000000, is_realtime=0, savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_JVM_ACCELERATE_", search_startup_time="2417", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DM_Splunk_SA_CIM_JVM", app="Splunk_SA_CIM", provenance="scheduler", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=datamodel_acceleration, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_JVM [ search (index=* OR index=_*) ((`cim_JVM_indexes`) tag=jvm) | eval nodename = "JVM"| eval 
is_Threading=if(searchmatch("(tag=threading)"),1,0), is_not_Threading=1-is_Threading, is_Runtime=if(searchmatch("(tag=runtime)"),1,0), is_not_Runtime=1-is_Runtime, is_OS=if(searchmatch("(tag=os)"),1,0), is_not_OS=1-is_OS, is_Compilation=if(searchmatch("(tag=compilation)"),1,0), is_not_Compilation=1-is_Compilation, is_Classloading=if(searchmatch("(tag=classloading)"),1,0), is_not_Classloading=1-is_Classloading, is_Memory=if(searchmatch("(tag=memory)"),1,0), is_not_Memory=1-is_Memory | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=threading)"), mvappend(nodename, "JVM.Threading"), nodename) | rename threads_started AS JVM.Threading.threads_started cpu_time_enabled AS JVM.Threading.cpu_time_enabled thread_count AS JVM.Threading.thread_count cm_supported AS JVM.Threading.cm_supported cm_enabled AS JVM.Threading.cm_enabled synch_supported AS JVM.Threading.synch_supported peak_thread_count AS JVM.Threading.peak_thread_count omu_supported AS JVM.Threading.omu_supported daemon_thread_count AS JVM.Threading.daemon_thread_count current_user_time AS JVM.Threading.current_user_time cpu_time_supported AS JVM.Threading.cpu_time_supported current_cpu_time AS JVM.Threading.current_cpu_time | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=runtime)"), mvappend(nodename, "JVM.Runtime"), nodename)| eval vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." 
unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") | rename version AS JVM.Runtime.version uptime AS JVM.Runtime.uptime start_time AS JVM.Runtime.start_time process_name AS JVM.Runtime.process_name vendor_product AS JVM.Runtime.vendor_product | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=os)"), mvappend(nodename, "JVM.OS"), nodename) | rename os_version AS JVM.OS.os_version swap_space AS JVM.OS.swap_space physical_memory AS JVM.OS.physical_memory system_load AS JVM.OS.system_load cpu_time AS JVM.OS.cpu_time os AS JVM.OS.os open_file_descriptors AS JVM.OS.open_file_descriptors max_file_descriptors AS JVM.OS.max_file_descriptors free_swap AS JVM.OS.free_swap free_physical_memory AS JVM.OS.free_physical_memory committed_memory AS JVM.OS.committed_memory total_processors AS JVM.OS.total_processors os_architecture AS JVM.OS.os_architecture | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=compilation)"), mvappend(nodename, "JVM.Compilation"), nodename) | rename compilation_time AS JVM.Compilation.compilation_time | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=classloading)"), mvappend(nodename, "JVM.Classloading"), nodename) | rename total_loaded AS JVM.Classloading.total_loaded current_loaded AS JVM.Classloading.current_loaded total_unloaded AS JVM.Classloading.total_unloaded | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=memory)"), mvappend(nodename, "JVM.Memory"), nodename) | rename non_heap_used AS JVM.Memory.non_heap_used non_heap_max AS JVM.Memory.non_heap_max non_heap_initial AS JVM.Memory.non_heap_initial non_heap_committed AS JVM.Memory.non_heap_committed heap_used AS JVM.Memory.heap_used heap_max AS JVM.Memory.heap_max heap_initial AS JVM.Memory.heap_initial heap_committed AS JVM.Memory.heap_committed objects_pending AS JVM.Memory.objects_pending | rename jvm_description AS JVM.jvm_description tag AS 
JVM.tag is_Threading AS JVM.is_Threading is_not_Threading AS JVM.is_not_Threading is_Runtime AS JVM.is_Runtime is_not_Runtime AS JVM.is_not_Runtime is_OS AS JVM.is_OS is_not_OS AS JVM.is_not_OS is_Compilation AS JVM.is_Compilation is_not_Compilation AS JVM.is_not_Compilation is_Classloading AS JVM.is_Classloading is_not_Classloading AS JVM.is_not_Classloading is_Memory AS JVM.is_Memory is_not_Memory AS JVM.is_not_Memory | fields nodename, _time, host, source, sourcetype, JVM.jvm_description, JVM.tag, JVM.is_Threading, JVM.is_not_Threading, JVM.is_Runtime, JVM.is_not_Runtime, JVM.is_OS, JVM.is_not_OS, JVM.is_Compilation, JVM.is_not_Compilation, JVM.is_Classloading, JVM.is_not_Classloading, JVM.is_Memory, JVM.is_not_Memory, JVM.Threading.threads_started, JVM.Threading.cpu_time_enabled, JVM.Threading.thread_count, JVM.Threading.cm_supported, JVM.Threading.cm_enabled, JVM.Threading.synch_supported, JVM.Threading.peak_thread_count, JVM.Threading.omu_supported, JVM.Threading.daemon_thread_count, JVM.Threading.current_user_time, JVM.Threading.cpu_time_supported, JVM.Threading.current_cpu_time, JVM.Runtime.version, JVM.Runtime.uptime, JVM.Runtime.start_time, JVM.Runtime.process_name, JVM.Runtime.vendor_product, JVM.OS.os_version, JVM.OS.swap_space, JVM.OS.physical_memory, JVM.OS.system_load, JVM.OS.cpu_time, JVM.OS.os, JVM.OS.open_file_descriptors, JVM.OS.max_file_descriptors, JVM.OS.free_swap, JVM.OS.free_physical_memory, JVM.OS.committed_memory, JVM.OS.total_processors, JVM.OS.os_architecture, JVM.Compilation.compilation_time, JVM.Classloading.total_loaded, JVM.Classloading.current_loaded, JVM.Classloading.total_unloaded, JVM.Memory.non_heap_used, JVM.Memory.non_heap_max, JVM.Memory.non_heap_initial, JVM.Memory.non_heap_committed, JVM.Memory.heap_used, JVM.Memory.heap_max, JVM.Memory.heap_initial, JVM.Memory.heap_committed, JVM.Memory.objects_pending ]'] Audit:[timestamp=05-23-2022 20:20:13.446, user=admin, action=search, info=completed, 
search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD543dffd3a9d7e0d6b_at_1653336000_73043', has_error_warn=false, fully_completed_search=true, total_run_time=2.96, event_count=0, result_count=0, available_count=0, scan_count=2, drop_count=0, exec_time=1653337199, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - GetCurrent User with PowerShell Script Block - Rule", search_startup_time="1199", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_798b9528d9e56567", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=2, total_slices=45117, decompressed_slices=2, duration.command.search.index=21, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=150, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `powershell` EventCode=4104 (Message = "*[System.Security.Principal.WindowsIdentity]*" AND Message = "*GetCurrent()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `getcurrent_user_with_powershell_script_block_filter`'] Audit:[timestamp=05-23-2022 20:20:12.853, user=splunk-system-user, action=search, info=granted , 
search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5b63315d8c5a60cfd_at_1653337200_73054', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Alerts [ search (index=* OR index=_*) ((`cim_Alerts_indexes`) tag=alert) | eval nodename = "Alerts"| eval app=if(isnull(app) OR app="",sourcetype,app), dest=if(isnull(dest) OR dest="","unknown",dest), severity=if(isnull(severity) OR severity="","unknown",severity), signature_id=if(isnull(signature_id) OR signature_id="","unknown",signature_id), src=if(isnull(src) OR src="","unknown",src), type=if(isnull(type) OR type="","unknown",type), user=if(isnull(user) OR user="","unknown",user), user_name=if(isnull(user_name) OR user_name="","unknown",user_name) | rename body AS Alerts.body description AS Alerts.description dest_bunit AS Alerts.dest_bunit dest_category AS Alerts.dest_category dest_priority AS Alerts.dest_priority dest_type AS Alerts.dest_type id AS Alerts.id mitre_technique_id AS Alerts.mitre_technique_id severity_id AS Alerts.severity_id signature AS Alerts.signature src_bunit AS Alerts.src_bunit src_category AS Alerts.src_category src_priority AS Alerts.src_priority src_type AS Alerts.src_type subject AS Alerts.subject tag AS Alerts.tag user_bunit AS Alerts.user_bunit user_category AS Alerts.user_category user_priority AS Alerts.user_priority vendor_account AS Alerts.vendor_account vendor_region AS Alerts.vendor_region app AS Alerts.app dest AS Alerts.dest severity AS Alerts.severity signature_id AS Alerts.signature_id src AS Alerts.src type AS Alerts.type user AS Alerts.user user_name AS Alerts.user_name | fields nodename, _time, host, source, sourcetype, Alerts.body, Alerts.description, Alerts.dest_bunit, Alerts.dest_category, Alerts.dest_priority, Alerts.dest_type, Alerts.id, Alerts.mitre_technique_id, Alerts.severity_id, Alerts.signature, Alerts.src_bunit, Alerts.src_category, Alerts.src_priority, Alerts.src_type, Alerts.subject, 
Alerts.tag, Alerts.user_bunit, Alerts.user_category, Alerts.user_priority, Alerts.vendor_account, Alerts.vendor_region, Alerts.app, Alerts.dest, Alerts.severity, Alerts.signature_id, Alerts.src, Alerts.type, Alerts.user, Alerts.user_name ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Alerts_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:11.460, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337200_73053', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND 
annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as 
drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:11.300, user=admin, action=search, info=granted , search_id='scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5a6d54b4f1c421eaa_at_1653337200_73052', search='search `notable` | search NOT `suppression` | eval timeDiff_type=case(_time>=relative_time(now(), "-24h@h"),"current", 1=1, "historical") | expandtoken rule_title | table _time,event_id,security_domain,urgency,rule_name,rule_title,src,dest,src_user,user,dvc,status,status_group,owner,timeDiff_type,governance,control | outputlookup es_notable_events | stats count', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sat May 21 20:00:00 2022', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESS - Notable Events", search_type="scheduled", is_proxied=false, app="SplunkEnterpriseSecuritySuite", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:07.028, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD51dbc70e0e18846c9_at_1653337200_73048', search='| rest 
splunk_server=local count=0 /services/authentication/users | search capabilities="can_own_notable_events" | rename title as owner | append [| makeresults | eval owner="unassigned" ] | eval _key=owner | eval realname=if(isnull(realname) or realname="", null(), realname) | table _key owner realname | outputlookup notable_owners_lookup | stats count', autojoin='1', buckets=0, ttl=1200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Notable Owners - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:06.840, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVXRpbHM__RMD5495078187e88a4c3_at_1653337200_73046', search='| rest splunk_server=local count=0 /services/authentication/users | rename title as user | eval _key=user | dedup _key | eval realname=if(isnull(realname) or realname="", null(), realname) | table _key user realname | outputlookup key_field=_key user_realnames_lookup | stats count', autojoin='1', buckets=0, ttl=1200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Utils - User Realnames - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-Utils", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:06.759, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD59a7ba9265413a852_at_1653337200_73045', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_JVM [ search (index=* OR index=_*) ((`cim_JVM_indexes`) tag=jvm) | eval 
nodename = "JVM"| eval is_Threading=if(searchmatch("(tag=threading)"),1,0), is_not_Threading=1-is_Threading, is_Runtime=if(searchmatch("(tag=runtime)"),1,0), is_not_Runtime=1-is_Runtime, is_OS=if(searchmatch("(tag=os)"),1,0), is_not_OS=1-is_OS, is_Compilation=if(searchmatch("(tag=compilation)"),1,0), is_not_Compilation=1-is_Compilation, is_Classloading=if(searchmatch("(tag=classloading)"),1,0), is_not_Classloading=1-is_Classloading, is_Memory=if(searchmatch("(tag=memory)"),1,0), is_not_Memory=1-is_Memory | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=threading)"), mvappend(nodename, "JVM.Threading"), nodename) | rename threads_started AS JVM.Threading.threads_started cpu_time_enabled AS JVM.Threading.cpu_time_enabled thread_count AS JVM.Threading.thread_count cm_supported AS JVM.Threading.cm_supported cm_enabled AS JVM.Threading.cm_enabled synch_supported AS JVM.Threading.synch_supported peak_thread_count AS JVM.Threading.peak_thread_count omu_supported AS JVM.Threading.omu_supported daemon_thread_count AS JVM.Threading.daemon_thread_count current_user_time AS JVM.Threading.current_user_time cpu_time_supported AS JVM.Threading.cpu_time_supported current_cpu_time AS JVM.Threading.current_cpu_time | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=runtime)"), mvappend(nodename, "JVM.Runtime"), nodename)| eval vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." 
unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") | rename version AS JVM.Runtime.version uptime AS JVM.Runtime.uptime start_time AS JVM.Runtime.start_time process_name AS JVM.Runtime.process_name vendor_product AS JVM.Runtime.vendor_product | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=os)"), mvappend(nodename, "JVM.OS"), nodename) | rename os_version AS JVM.OS.os_version swap_space AS JVM.OS.swap_space physical_memory AS JVM.OS.physical_memory system_load AS JVM.OS.system_load cpu_time AS JVM.OS.cpu_time os AS JVM.OS.os open_file_descriptors AS JVM.OS.open_file_descriptors max_file_descriptors AS JVM.OS.max_file_descriptors free_swap AS JVM.OS.free_swap free_physical_memory AS JVM.OS.free_physical_memory committed_memory AS JVM.OS.committed_memory total_processors AS JVM.OS.total_processors os_architecture AS JVM.OS.os_architecture | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=compilation)"), mvappend(nodename, "JVM.Compilation"), nodename) | rename compilation_time AS JVM.Compilation.compilation_time | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=classloading)"), mvappend(nodename, "JVM.Classloading"), nodename) | rename total_loaded AS JVM.Classloading.total_loaded current_loaded AS JVM.Classloading.current_loaded total_unloaded AS JVM.Classloading.total_unloaded | eval nodename = if(nodename == "JVM" AND searchmatch("(tag=memory)"), mvappend(nodename, "JVM.Memory"), nodename) | rename non_heap_used AS JVM.Memory.non_heap_used non_heap_max AS JVM.Memory.non_heap_max non_heap_initial AS JVM.Memory.non_heap_initial non_heap_committed AS JVM.Memory.non_heap_committed heap_used AS JVM.Memory.heap_used heap_max AS JVM.Memory.heap_max heap_initial AS JVM.Memory.heap_initial heap_committed AS JVM.Memory.heap_committed objects_pending AS JVM.Memory.objects_pending | rename jvm_description AS JVM.jvm_description tag AS 
JVM.tag is_Threading AS JVM.is_Threading is_not_Threading AS JVM.is_not_Threading is_Runtime AS JVM.is_Runtime is_not_Runtime AS JVM.is_not_Runtime is_OS AS JVM.is_OS is_not_OS AS JVM.is_not_OS is_Compilation AS JVM.is_Compilation is_not_Compilation AS JVM.is_not_Compilation is_Classloading AS JVM.is_Classloading is_not_Classloading AS JVM.is_not_Classloading is_Memory AS JVM.is_Memory is_not_Memory AS JVM.is_not_Memory | fields nodename, _time, host, source, sourcetype, JVM.jvm_description, JVM.tag, JVM.is_Threading, JVM.is_not_Threading, JVM.is_Runtime, JVM.is_not_Runtime, JVM.is_OS, JVM.is_not_OS, JVM.is_Compilation, JVM.is_not_Compilation, JVM.is_Classloading, JVM.is_not_Classloading, JVM.is_Memory, JVM.is_not_Memory, JVM.Threading.threads_started, JVM.Threading.cpu_time_enabled, JVM.Threading.thread_count, JVM.Threading.cm_supported, JVM.Threading.cm_enabled, JVM.Threading.synch_supported, JVM.Threading.peak_thread_count, JVM.Threading.omu_supported, JVM.Threading.daemon_thread_count, JVM.Threading.current_user_time, JVM.Threading.cpu_time_supported, JVM.Threading.current_cpu_time, JVM.Runtime.version, JVM.Runtime.uptime, JVM.Runtime.start_time, JVM.Runtime.process_name, JVM.Runtime.vendor_product, JVM.OS.os_version, JVM.OS.swap_space, JVM.OS.physical_memory, JVM.OS.system_load, JVM.OS.cpu_time, JVM.OS.os, JVM.OS.open_file_descriptors, JVM.OS.max_file_descriptors, JVM.OS.free_swap, JVM.OS.free_physical_memory, JVM.OS.committed_memory, JVM.OS.total_processors, JVM.OS.os_architecture, JVM.Compilation.compilation_time, JVM.Classloading.total_loaded, JVM.Classloading.current_loaded, JVM.Classloading.total_unloaded, JVM.Memory.non_heap_used, JVM.Memory.non_heap_max, JVM.Memory.non_heap_initial, JVM.Memory.non_heap_committed, JVM.Memory.heap_used, JVM.Memory.heap_max, JVM.Memory.heap_initial, JVM.Memory.heap_committed, JVM.Memory.objects_pending ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', 
apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:20:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_JVM_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:20:02.741, user=splunk-system-user, action=search, info=granted , search_id='_c3BsdW5rLXN5c3RlbS11c2Vy__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD5512a5e1102b73d8c_1653337202.311468', search='| multisearch [ | tstats prestats=true summariesonly=true values("sourcetype"),values("DNS.dest") from datamodel="Network_Resolution"."DNS" by "DNS.query" | `truncate_domain_dedup(DNS.query, DNS.query_truncated)` | lookup "threatintel_by_cidr" value as "DNS.query" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "DNS.query" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "DNS.query_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "DNS.query" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(DNS.dest,dest)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.query','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("All_Traffic.dest"),values("All_Traffic.user") from datamodel="Network_Traffic"."All_Traffic" 
where "All_Traffic.action"="allowed" by "All_Traffic.src" | `truncate_domain_dedup(All_Traffic.src, All_Traffic.src_truncated)` | lookup "threatintel_by_cidr" value as "All_Traffic.src" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "All_Traffic.src" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "All_Traffic.src_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "All_Traffic.src" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(All_Traffic.dest,dest)` | `sistats_values_rename(All_Traffic.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'All_Traffic.src','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("IDS_Attacks.dest"),values("IDS_Attacks.user") from datamodel="Intrusion_Detection"."IDS_Attacks" by "IDS_Attacks.src" | `truncate_domain_dedup(IDS_Attacks.src, IDS_Attacks.src_truncated)` | lookup "threatintel_by_cidr" value as "IDS_Attacks.src" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "IDS_Attacks.src" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "IDS_Attacks.src_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "IDS_Attacks.src" OUTPUT 
threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(IDS_Attacks.dest,dest)` | `sistats_values_rename(IDS_Attacks.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'IDS_Attacks.src','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("Web.dest"),values("Web.user") from datamodel="Web"."Web" by "Web.src" | `truncate_domain_dedup(Web.src, Web.src_truncated)` | lookup "threatintel_by_cidr" value as "Web.src" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "Web.src" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "Web.src_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "Web.src" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(Web.dest,dest)` | `sistats_values_rename(Web.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"src",'threat_match_field') | eval 
"threat_match_value"=if(isnull('threat_match_value'),'Web.src','threat_match_value')] | mvexpand threat_collection_key | stats values("dest") as "dest",values("sourcetype") as "sourcetype",values("user") as "user" by threat_match_field,threat_match_value,threat_collection_key | rex field=threat_collection_key "^(?<threat_collection>.*)@@(?<threat_collection_key>.*)$" | eval "dest"=mvindex('dest',0,10-1) | eval "sourcetype"=mvindex('sourcetype',0,10-1) | eval "user"=mvindex('user',0,10-1) | eval certificate_intel_key=if(threat_collection="certificate_intel",'threat_collection_key',null()) | eval email_intel_key=if(threat_collection="email_intel",'threat_collection_key',null()) | eval file_intel_key=if(threat_collection="file_intel",'threat_collection_key',null()) | eval http_intel_key=if(threat_collection="http_intel",'threat_collection_key',null()) | eval ip_intel_key=if(threat_collection="ip_intel",'threat_collection_key',null()) | eval process_intel_key=if(threat_collection="process_intel",'threat_collection_key',null()) | eval registry_intel_key=if(threat_collection="registry_intel",'threat_collection_key',null()) | eval service_intel_key=if(threat_collection="service_intel",'threat_collection_key',null()) | eval user_intel_key=if(threat_collection="user_intel",'threat_collection_key',null()) | lookup "certificate_intel" _key as "certificate_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "email_intel" _key as "email_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "file_intel" _key as "file_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "http_intel" _key as "http_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "ip_intel" _key as "ip_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "process_intel" _key as "process_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "registry_intel" _key as "registry_intel_key" OUTPUTNEW 
"description","threat_key","weight","disabled" | lookup "service_intel" _key as "service_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "user_intel" _key as "user_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup threat_group_intel _key as thr (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:40:00 2022', apiEndTime='Mon May 23 20:10:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="threatmatch://src", is_proxied=false, app="DA-ESS-ThreatIntelligence", provenance="N/A", mode="historical"] Audit:[timestamp=05-23-2022 20:20:02.669, user=splunk-system-user, action=search, info=granted , search_id='_c3BsdW5rLXN5c3RlbS11c2Vy__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD542095c95ae0ea321_1653337202.311467', search='| multisearch [ | tstats prestats=true summariesonly=true values("sourcetype"),values("DNS.src") from datamodel="Network_Resolution"."DNS" by "DNS.answer" | `truncate_domain_dedup(DNS.answer, DNS.answer_truncated)` | lookup "threatintel_by_cidr" value as "DNS.answer" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "DNS.answer" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "DNS.answer_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "DNS.answer" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | 
`sistats_values_rename(DNS.src,src)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'DNS.answer','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("All_Traffic.src"),values("All_Traffic.user") from datamodel="Network_Traffic"."All_Traffic" where "All_Traffic.action"="allowed" by "All_Traffic.dest" | `truncate_domain_dedup(All_Traffic.dest, All_Traffic.dest_truncated)` | lookup "threatintel_by_cidr" value as "All_Traffic.dest" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "All_Traffic.dest" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "All_Traffic.dest_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "All_Traffic.dest" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(All_Traffic.src,src)` | `sistats_values_rename(All_Traffic.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'All_Traffic.dest','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("IDS_Attacks.src"),values("IDS_Attacks.user") from datamodel="Intrusion_Detection"."IDS_Attacks" by "IDS_Attacks.dest" | `truncate_domain_dedup(IDS_Attacks.dest, IDS_Attacks.dest_truncated)` | lookup "threatintel_by_cidr" value as 
"IDS_Attacks.dest" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "IDS_Attacks.dest" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "IDS_Attacks.dest_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "IDS_Attacks.dest" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(IDS_Attacks.src,src)` | `sistats_values_rename(IDS_Attacks.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'IDS_Attacks.dest','threat_match_value') ][ | tstats prestats=true summariesonly=true values("sourcetype"),values("Web.src"),values("Web.user") from datamodel="Web"."Web" by "Web.dest" | `truncate_domain_dedup(Web.dest, Web.dest_truncated)` | lookup "threatintel_by_cidr" value as "Web.dest" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_domain" value as "Web.dest" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | lookup "threatintel_by_domain" value as "Web.dest_truncated" OUTPUT threat_collection as tc2,threat_collection_key as tck2 | lookup "threatintel_by_system" value as "Web.dest" OUTPUT threat_collection as tc3,threat_collection_key as tck3 | where isnotnull('tck0') OR isnotnull('tck1') OR isnotnull('tck2') OR isnotnull('tck3') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval 
intelzip2=mvzip('tc2','tck2',"@@") | eval intelzip3=mvzip('tc3','tck3',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1,intelzip2,intelzip3) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(Web.src,src)` | `sistats_values_rename(Web.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"dest",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'Web.dest','threat_match_value')] | mvexpand threat_collection_key | stats values("sourcetype") as "sourcetype",values("src") as "src",values("user") as "user" by threat_match_field,threat_match_value,threat_collection_key | rex field=threat_collection_key "^(?<threat_collection>.*)@@(?<threat_collection_key>.*)$" | eval "sourcetype"=mvindex('sourcetype',0,10-1) | eval "src"=mvindex('src',0,10-1) | eval "user"=mvindex('user',0,10-1) | eval certificate_intel_key=if(threat_collection="certificate_intel",'threat_collection_key',null()) | eval email_intel_key=if(threat_collection="email_intel",'threat_collection_key',null()) | eval file_intel_key=if(threat_collection="file_intel",'threat_collection_key',null()) | eval http_intel_key=if(threat_collection="http_intel",'threat_collection_key',null()) | eval ip_intel_key=if(threat_collection="ip_intel",'threat_collection_key',null()) | eval process_intel_key=if(threat_collection="process_intel",'threat_collection_key',null()) | eval registry_intel_key=if(threat_collection="registry_intel",'threat_collection_key',null()) | eval service_intel_key=if(threat_collection="service_intel",'threat_collection_key',null()) | eval user_intel_key=if(threat_collection="user_intel",'threat_collection_key',null()) | lookup "certificate_intel" _key as "certificate_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "email_intel" _key as "email_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "file_intel" _key as "file_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup 
"http_intel" _key as "http_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "ip_intel" _key as "ip_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "process_intel" _key as "process_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "registry_intel" _key as "registry_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "service_intel" _key as "service_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "user_intel" _key as "user_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup threat_gro (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:40:00 2022', apiEndTime='Mon May 23 20:10:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="threatmatch://dest", is_proxied=false, app="DA-ESS-ThreatIntelligence", provenance="N/A", mode="historical"] Audit:[timestamp=05-23-2022 20:20:02.358, user=splunk-system-user, action=search, info=granted , search_id='_c3BsdW5rLXN5c3RlbS11c2Vy__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD56c54cc9c1045b223_1653337202.311466', search='| tstats prestats=true summariesonly=true values("sourcetype"),values("Web.src"),values("Web.dest"),values("Web.user") from datamodel="Web"."Web" by "Web.http_user_agent" | lookup "threatintel_by_http_user_agent" value as "Web.http_user_agent" OUTPUT threat_collection as tc0,threat_collection_key as tck0 | lookup "threatintel_by_http_user_agent_wildcard" value as "Web.http_user_agent" OUTPUT threat_collection as tc1,threat_collection_key as tck1 | where isnotnull('tck0') OR isnotnull('tck1') | eval intelzip0=mvzip('tc0','tck0',"@@") | eval intelzip1=mvzip('tc1','tck1',"@@") | eval threat_collection_key=mvappend(intelzip0,intelzip1) | `sistats_values_rename(sourcetype,sourcetype)` | `sistats_values_rename(Web.src,src)` | 
`sistats_values_rename(Web.dest,dest)` | `sistats_values_rename(Web.user,user)` | eval "threat_match_field"=if(isnull('threat_match_field'),"http_user_agent",'threat_match_field') | eval "threat_match_value"=if(isnull('threat_match_value'),'Web.http_user_agent','threat_match_value') | mvexpand threat_collection_key | stats values("dest") as "dest",values("sourcetype") as "sourcetype",values("src") as "src",values("user") as "user" by threat_match_field,threat_match_value,threat_collection_key | rex field=threat_collection_key "^(?<threat_collection>.*)@@(?<threat_collection_key>.*)$" | eval "dest"=mvindex('dest',0,10-1) | eval "sourcetype"=mvindex('sourcetype',0,10-1) | eval "src"=mvindex('src',0,10-1) | eval "user"=mvindex('user',0,10-1) | eval certificate_intel_key=if(threat_collection="certificate_intel",'threat_collection_key',null()) | eval email_intel_key=if(threat_collection="email_intel",'threat_collection_key',null()) | eval file_intel_key=if(threat_collection="file_intel",'threat_collection_key',null()) | eval http_intel_key=if(threat_collection="http_intel",'threat_collection_key',null()) | eval ip_intel_key=if(threat_collection="ip_intel",'threat_collection_key',null()) | eval process_intel_key=if(threat_collection="process_intel",'threat_collection_key',null()) | eval registry_intel_key=if(threat_collection="registry_intel",'threat_collection_key',null()) | eval service_intel_key=if(threat_collection="service_intel",'threat_collection_key',null()) | eval user_intel_key=if(threat_collection="user_intel",'threat_collection_key',null()) | lookup "certificate_intel" _key as "certificate_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "email_intel" _key as "email_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "file_intel" _key as "file_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "http_intel" _key as "http_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "ip_intel" _key as 
"ip_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "process_intel" _key as "process_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "registry_intel" _key as "registry_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "service_intel" _key as "service_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup "user_intel" _key as "user_intel_key" OUTPUTNEW "description","threat_key","weight","disabled" | lookup threat_group_intel _key as threat_key OUTPUTNEW description,weight | eval weight=if(isnum(weight),weight,60) | fields - intelzip*,"certificate_intel_key","email_intel_key","file_intel_key","http_intel_key","ip_intel_key","process_intel_key","registry_intel_key","service_intel_key","user_intel_key" | `threatintel_outputlookup_exclusions` | dedup threat_match_field,threat_match_value,threat_key | collectthreat source="threatmatch://http_user_agent"', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Mon May 23 19:40:00 2022', apiEndTime='Mon May 23 20:10:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="threatmatch://http_user_agent", is_proxied=false, app="DA-ESS-ThreatIntelligence", provenance="N/A", mode="historical"] Audit:[timestamp=05-23-2022 20:19:59.568, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD543dffd3a9d7e0d6b_at_1653336000_73043', search='search `powershell` EventCode=4104 (Message = "*[System.Security.Principal.WindowsIdentity]*" AND Message = "*GetCurrent()*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `getcurrent_user_with_powershell_script_block_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', 
extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - GetCurrent User with PowerShell Script Block - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:19:46.866, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD59b635ed5a9fea570_at_1653336000_73039', search='search `cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - AWS Cloud Provisioning From Previously Unseen IP Address - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", 
mode="historical"] Audit:[timestamp=05-23-2022 20:19:43.541, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5ec1d8fe57cbc67ea_at_1653336000_73032', has_error_warn=false, fully_completed_search=true, total_run_time=1.92, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337168, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Get ADUser with PowerShell Script Block - Rule", search_startup_time="798", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_ab1d5a5e2c497322", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `powershell` EventCode=4104 Message = "*get-aduser*" Message = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`'] Audit:[timestamp=05-23-2022 
20:19:43.472, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD51c326b48c47e6c51_at_1653336000_73034', has_error_warn=false, fully_completed_search=true, total_run_time=1.74, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337178, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Get-DomainTrust with PowerShell Script Block - Rule", search_startup_time="1653", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_939b8cb644f3650a", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `powershell` EventCode=4104 Message = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Message ComputerName User EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`'] Audit:[timestamp=05-23-2022 20:19:38.150, user=admin, action=search, info=granted , 
search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD51c326b48c47e6c51_at_1653336000_73034', search='search `powershell` EventCode=4104 Message = "*get-foresttrust*" | stats count min(_time) as firstTime max(_time) as lastTime by Message ComputerName User EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Get-DomainTrust with PowerShell Script Block - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:19:27.971, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5ec1d8fe57cbc67ea_at_1653336000_73032', search='search `powershell` EventCode=4104 Message = "*get-aduser*" Message = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Get ADUser with PowerShell Script Block - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:19:07.026, user=admin, action=search, 
info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337140_73025', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval 
security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup 
correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:19:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:18:54.691, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5021246a350b56653_at_1653337080_73020', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Endpoint.Services [ search (index=* OR index=_*) (`cim_Endpoint_indexes`) tag=service tag=report | eval nodename = "Services"| eval dest=if(isnull(dest) OR dest="","unknown",dest), service=if(isnull(service) OR service="","unknown",service), service_name=if(isnull(service_name) OR service_name="","unknown",service_name), service_id=if(isnull(service_id) OR service_id="","unknown",service_id), start_mode=if(isnull(start_mode) OR start_mode="","unknown",start_mode), status=if(isnull(status) OR status="","unknown",status), user=if(isnull(user) OR user="","unknown",user), vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." 
unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") | rename description AS Services.description dest_bunit AS Services.dest_bunit dest_category AS Services.dest_category dest_is_expected AS Services.dest_is_expected dest_priority AS Services.dest_priority dest_requires_av AS Services.dest_requires_av dest_should_timesync AS Services.dest_should_timesync dest_should_update AS Services.dest_should_update process_guid AS Services.process_guid process_id AS Services.process_id service_dll AS Services.service_dll service_dll_path AS Services.service_dll_path service_dll_hash AS Services.service_dll_hash service_dll_signature_exists AS Services.service_dll_signature_exists service_dll_signature_verified AS Services.service_dll_signature_verified service_exec AS Services.service_exec service_hash AS Services.service_hash service_path AS Services.service_path service_signature_exists AS Services.service_signature_exists service_signature_verified AS Services.service_signature_verified tag AS Services.tag user_bunit AS Services.user_bunit user_category AS Services.user_category user_priority AS Services.user_priority dest AS Services.dest service AS Services.service service_name AS Services.service_name service_id AS Services.service_id start_mode AS Services.start_mode status AS Services.status user AS Services.user vendor_product AS Services.vendor_product | fields nodename, _time, host, source, sourcetype, Services.description, Services.dest_bunit, Services.dest_category, Services.dest_is_expected, Services.dest_priority, Services.dest_requires_av, Services.dest_should_timesync, Services.dest_should_update, Services.process_guid, Services.process_id, Services.service_dll, Services.service_dll_path, Services.service_dll_hash, Services.service_dll_signature_exists, Services.service_dll_signature_verified, Services.service_exec, Services.service_hash, 
Services.service_path, Services.service_signature_exists, Services.service_signature_verified, Services.tag, Services.user_bunit, Services.user_category, Services.user_priority, Services.dest, Services.service, Services.service_name, Services.service_id, Services.start_mode, Services.status, Services.user, Services.vendor_product ]', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 23 20:18:00 2022', apiEndTime='Mon May 23 20:18:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Endpoint.Services_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:18:43.581, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD582768367c8a33718_at_1653336000_73007', has_error_warn=false, fully_completed_search=true, total_run_time=3.42, event_count=0, result_count=0, available_count=0, scan_count=6273, drop_count=0, exec_time=1653337095, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - WMI Permanent Event Subscription - Sysmon - Rule", search_startup_time="2690", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_b84288f5555dd5a7", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=6273, total_slices=44916, decompressed_slices=460, duration.command.search.index=7, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, 
invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=193, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`'] Audit:[timestamp=05-23-2022 20:18:43.488, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5e396e89410f66b2c_at_1653336000_73009', has_error_warn=false, fully_completed_search=true, total_run_time=0.91, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337099, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - GetAdComputer with PowerShell Script Block - Rule", search_startup_time="413", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_9d3deb9b72ed2dfd", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=7, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, 
duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `powershell` EventCode=4104 (Message = "*Get-AdComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`'] Audit:[timestamp=05-23-2022 20:18:19.406, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5e396e89410f66b2c_at_1653336000_73009', search='search `powershell` EventCode=4104 (Message = "*Get-AdComputer*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `getadcomputer_with_powershell_script_block_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - GetAdComputer with PowerShell Script Block - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:18:14.021, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD582768367c8a33718_at_1653336000_73007', search='search `sysmon` EventCode=21 | rename host as dest | table _time, dest, user, Operation, EventType, Query, Consumer, Filter | `wmi_permanent_event_subscription___sysmon_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', 
extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - WMI Permanent Event Subscription - Sysmon - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:18:04.879, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337080_73005', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | 
rename title as _key] | eval security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as 
analyticstories by _key | outputlookup correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:18:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:18:03.987, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5fe51f0ad1d9fe444_at_1653337080_73002', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Authentication [ search (index=* OR index=_*) ((`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)) | eval nodename = "Authentication"| eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user)| eval is_Failed_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Authentication=1-is_Failed_Authentication, is_Successful_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Authentication=1-is_Successful_Authentication, is_Default_Authentication=if(searchmatch("(tag=\"default\")"),1,0), is_not_Default_Authentication=1-is_Default_Authentication, is_Insecure_Authentication=if(searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"),1,0), is_not_Insecure_Authentication=1-is_Insecure_Authentication, is_Privileged_Authentication=if(searchmatch("(tag=\"privileged\")"),1,0), is_not_Privileged_Authentication=1-is_Privileged_Authentication | 
eval nodename = if(nodename == "Authentication" AND searchmatch("(action=\"failure\")"), mvappend(nodename, "Authentication.Failed_Authentication"), nodename) | eval nodename = if(nodename == "Authentication" AND searchmatch("(action=\"success\")"), mvappend(nodename, "Authentication.Successful_Authentication"), nodename) | eval nodename = if(nodename == "Authentication" AND searchmatch("(tag=\"default\")"), mvappend(nodename, "Authentication.Default_Authentication"), nodename)| eval is_Failed_Default_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Default_Authentication=1-is_Failed_Default_Authentication, is_Successful_Default_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Default_Authentication=1-is_Successful_Default_Authentication | eval nodename = if(nodename == "Authentication.Default_Authentication" AND searchmatch("(action=\"failure\")"), mvappend(nodename, "Authentication.Default_Authentication.Failed_Default_Authentication"), nodename) | eval nodename = if(nodename == "Authentication.Default_Authentication" AND searchmatch("(action=\"success\")"), mvappend(nodename, "Authentication.Default_Authentication.Successful_Default_Authentication"), nodename) | rename is_Failed_Default_Authentication AS Authentication.Default_Authentication.is_Failed_Default_Authentication is_not_Failed_Default_Authentication AS Authentication.Default_Authentication.is_not_Failed_Default_Authentication is_Successful_Default_Authentication AS Authentication.Default_Authentication.is_Successful_Default_Authentication is_not_Successful_Default_Authentication AS Authentication.Default_Authentication.is_not_Successful_Default_Authentication | eval nodename = if(nodename == "Authentication" AND searchmatch("(tag=\"insecure\" OR tag=\"cleartext\")"), mvappend(nodename, "Authentication.Insecure_Authentication"), nodename) | eval nodename = if(nodename == "Authentication" AND searchmatch("(tag=\"privileged\")"), mvappend(nodename, 
"Authentication.Privileged_Authentication"), nodename)| eval is_Failed_Privileged_Authentication=if(searchmatch("(action=\"failure\")"),1,0), is_not_Failed_Privileged_Authentication=1-is_Failed_Privileged_Authentication, is_Successful_Privileged_Authentication=if(searchmatch("(action=\"success\")"),1,0), is_not_Successful_Privileged_Authentication=1-is_Successful_Privileged_Authentication | eval nodename = if(nodename == "Authentication.Privileged_Authentication" AND searchmatch("(action=\"failure\")"), mvappend(nodename, "Authentication.Privileged_Authentication.Failed_Privileged_Authentication"), nodename) | eval nodename = if(nodename == "Authentication.Privileged_Authentication" AND searchmatch("(action=\"success\")"), mvappend(nodename, "Authentication.Privileged_Authentication.Successful_Privileged_Authentication"), nodename) | rename is_Failed_Privileged_Authentication AS Authentication.Privileged_Authentication.is_Failed_Privileged_Authentication is_not_Failed_Privileged_Authentication AS Authentication.Privileged_Authentication.is_not_Failed_Privileged_Authentication is_Successful_Privileged_Authentication AS Authentication.Privileged_Authentication.is_Successful_Privileged_Authentication is_not_Successful_Privileged_Authentication AS Authentication.Privileged_Authentication.is_not_Successful_Privileged_Authentication | rename authentication_method AS Authentication.authentication_method authentication_service AS Authentication.authentication_service dest_bunit AS Authentication.dest_bunit dest_category AS Authentication.dest_category dest_nt_domain AS Authentication.dest_nt_domain dest_priority AS Authentication.dest_priority duration AS Authentication.duration reason AS Authentication.reason response_time AS Authentication.response_time signature AS Authentication.signature signature_id AS Authentication.signature_id src_bunit AS Authentication.src_bunit src_category AS Authentication.src_category src_nt_domain AS Authentication.src_nt_domain 
src_priority AS Authentication.src_priority src_user_bunit AS Authentication.src_user_bunit src_user_category AS Authentication.src_user_category src_user_id AS Authentication.src_user_id src_user_priority AS Authentication.src_user_priority src_user_role AS Authentication.src_user_role src_user_type AS Authentication.src_user_type tag AS Authentication.tag user_agent AS Authentication.user_agent user_bunit AS Authentication.user_bunit user_category AS Authentication.user_category user_id AS Authentication.user_id user_priority AS Authentication.user_priority user_role AS Authentication.user_role user_type AS Authentication.user_type vendor_account AS Authentication.vendor_account action AS Authentication.action app AS Authentication.app src AS Authentication.src src_user AS Authentication.src_user dest AS Authentication.dest user AS Authentication.user is_Failed_Authentication AS Authentication.is_Failed_Authentication is_not_Failed_Authentication AS Authentication.is_not_Failed_Authentication is_Successful_Authentication AS Authentication.is_Successful_Authentication is_not_Successful_Authentication AS Authentication.is_not_Successful_Authentication is_Default_Authentication AS Authentication.is_Default_Authentication is_not_Default_Authentication AS Authentication.is_not_Default_Authentication is_Insecure_Authentication AS Authentication.is_Insecure_Authentication is_not_Insecure_Authentication AS Authentication.is_not_Insecure_Authentication is_Privileged_Authentication AS Authentication.is_Privileged_Authentication is_not_Privileged_Authentication AS Authentication.is_not_Privileged_Authentication | fields nodename, _time, host, source, sourcetype, Authentication.authentication_method, Authentication.authentication_service, Authentication.dest_bunit, Authentication.dest_category, Authentication.dest_nt_domain, Authentication.dest_priority, Authentication.duration, Authentication.reason, Authentication.response_time, Authentication.signature, 
Authentication.signature_id, Authentication.src_bunit, Authentication.src_category, Authentication.src_nt_domain, Authentication.src_priority, Authentication.src_user_bunit, Authentication.src_user_category, Authentication.src_user_id, Authentication.src_user_priority, Authentication.src_user_role, Authentication.src_user_type, Authentication.tag, Authentication.user_agent, Authentication.user_bunit, Authentication.user_category, Authentication.user_id, Authentication.user_priority, Authentication.user_role, Authentication.user_type, Authentication.vendor_account, Authentication.action, Authentication.app, Authentication.src, Authentication.src_user, Authentication.dest, Authentication.user, Authentication.is_Failed_Authentication, Aut (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sun May 23 20:18:00 2021', apiEndTime='Mon May 23 20:18:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Authentication_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:17:13.515, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD53945fd91cb6b90d8_at_1653336000_72983', has_error_warn=false, fully_completed_search=true, total_run_time=1.73, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337016, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - EC2 Instance Modified With Previously Unseen User - Rule", search_startup_time="2072", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_101113338d01109d", app="DA-ESS-ContentUpdate", 
provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`'] Audit:[timestamp=05-23-2022 20:17:13.481, user=admin, action=search, info=completed, search_id='subsearch_scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD53945fd91cb6b90d8_at_1653336000_72983_1653337016.24', has_error_warn=false, fully_completed_search=true, total_run_time=1.34, event_count=0, 
result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653337016, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="", search_startup_time="506", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_9e287d486c1acc6c", app="DA-ESS-ContentUpdate", provenance="N/A", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=7, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search sourcetype=aws:cloudtrail (eventName=AssociateAddress OR eventName=AssociateIamInstanceProfile OR eventName=AttachClassicLinkVpc OR eventName=AttachNetworkInterface OR eventName=AttachVolume OR eventName=BundleInstance OR eventName=DetachClassicLinkVpc OR eventName=DetachVolume OR eventName=ModifyInstanceAttribute OR eventName=ModifyInstancePlacement OR eventName=MonitorInstances OR eventName=RebootInstances OR eventName=ResetInstanceAttribute OR eventName=StartInstances OR eventName=StopInstances OR eventName=TerminateInstances OR eventName=UnmonitorInstances) errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | 
inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) | rename arn as userIdentity.arn | table userIdentity.arn'] Audit:[timestamp=05-23-2022 20:17:04.951, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653337020_72989', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 
/servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as 
recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:17:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:17:04.542, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5ea35b39b15ead40d_at_1653337020_72987', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_Splunk_SA_CIM_Change [ search (index=* OR index=_*) ((`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)) | eval nodename = "All_Changes"| eval change_type=if(isnull(change_type) OR change_type="","unknown",change_type), command=if(isnull(command) OR command="","unknown",if(sourcetype=="audittrail",Operation." 
".ObjectName,command)), dest=if(isnull(dest) OR dest="","unknown",dest), dvc=if(isnull(dvc) OR dvc="","unknown",dvc), object=if(isnull(object) OR object="","unknown",object), object_attrs=if(isnull(object_attrs) OR object_attrs="","unknown",object_attrs), object_category=if(isnull(object_category) OR object_category="","unknown",object_category), object_id=if(isnull(object_id) OR object_id="","unknown",object_id), object_path=if(isnull(object_path) OR object_path="","unknown",object_path), status=if(isnull(status) OR status="","unknown",status), result=if(isnotnull(result) AND result!="",result,if(isnotnull(signature) AND signature!="",signature,"unknown")), result_id=if(isnotnull(result_id) AND result_id!="",result_id,if(isnotnull(signature_id) AND signature_id!="",signature_id,-1)), src=if(isnull(src) OR src="","unknown",src), user=if(isnull(user) OR user="","unknown",user), user_name=if(isnull(user_name) OR user_name="","unknown",user_name), vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." 
unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown"), action=if(isnull(action) OR action="","unknown",action)| eval is_Auditing_Changes=if(searchmatch("(tag=audit)"),1,0), is_not_Auditing_Changes=1-is_Auditing_Changes, is_Endpoint_Changes=if(searchmatch("(tag=endpoint)"),1,0), is_not_Endpoint_Changes=1-is_Endpoint_Changes, is_Network_Changes=if(searchmatch("(tag=network)"),1,0), is_not_Network_Changes=1-is_Network_Changes, is_Account_Management=if(searchmatch("(tag=account)"),1,0), is_not_Account_Management=1-is_Account_Management, is_Instance_Changes=if(searchmatch("(tag=instance)"),1,0), is_not_Instance_Changes=1-is_Instance_Changes | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=audit)"), mvappend(nodename, "All_Changes.Auditing_Changes"), nodename) | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=endpoint)"), mvappend(nodename, "All_Changes.Endpoint_Changes"), nodename)| eval is_Endpoint_Restarts=if(searchmatch("(action=modified change_type=restart)"),1,0), is_not_Endpoint_Restarts=1-is_Endpoint_Restarts, is_Other_Endpoint_Changes=if(searchmatch("(NOT change_type=restart)"),1,0), is_not_Other_Endpoint_Changes=1-is_Other_Endpoint_Changes | eval nodename = if(nodename == "All_Changes.Endpoint_Changes" AND searchmatch("(action=modified change_type=restart)"), mvappend(nodename, "All_Changes.Endpoint_Changes.Endpoint_Restarts"), nodename) | eval nodename = if(nodename == "All_Changes.Endpoint_Changes" AND searchmatch("(NOT change_type=restart)"), mvappend(nodename, "All_Changes.Endpoint_Changes.Other_Endpoint_Changes"), nodename) | rename is_Endpoint_Restarts AS All_Changes.Endpoint_Changes.is_Endpoint_Restarts is_not_Endpoint_Restarts AS All_Changes.Endpoint_Changes.is_not_Endpoint_Restarts is_Other_Endpoint_Changes AS All_Changes.Endpoint_Changes.is_Other_Endpoint_Changes is_not_Other_Endpoint_Changes AS 
All_Changes.Endpoint_Changes.is_not_Other_Endpoint_Changes | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=network)"), mvappend(nodename, "All_Changes.Network_Changes"), nodename)| eval is_Device_Restarts=if(searchmatch("(action=modified change_type=restart)"),1,0), is_not_Device_Restarts=1-is_Device_Restarts | eval nodename = if(nodename == "All_Changes.Network_Changes" AND searchmatch("(action=modified change_type=restart)"), mvappend(nodename, "All_Changes.Network_Changes.Device_Restarts"), nodename) | rename dest_ip_range AS All_Changes.Network_Changes.dest_ip_range dest_port_range AS All_Changes.Network_Changes.dest_port_range direction AS All_Changes.Network_Changes.direction protocol AS All_Changes.Network_Changes.protocol rule_action AS All_Changes.Network_Changes.rule_action src_ip_range AS All_Changes.Network_Changes.src_ip_range src_port_range AS All_Changes.Network_Changes.src_port_range is_Device_Restarts AS All_Changes.Network_Changes.is_Device_Restarts is_not_Device_Restarts AS All_Changes.Network_Changes.is_not_Device_Restarts | eval nodename = if(nodename == "All_Changes" AND searchmatch("(tag=account)"), mvappend(nodename, "All_Changes.Account_Management"), nodename)| eval dest_nt_domain=if(isnull(dest_nt_domain) OR dest_nt_domain="","unknown",dest_nt_domain), src_nt_domain=if(isnull(src_nt_domain) OR src_nt_domain="","unknown",src_nt_domain), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), src_user_name=if(isnull(src_user_name) OR src_user_name="","unknown",src_user_name)| eval is_Accounts_Created=if(searchmatch("(action=\"created\")"),1,0), is_not_Accounts_Created=1-is_Accounts_Created, is_Accounts_Deleted=if(searchmatch("(action=\"deleted\")"),1,0), is_not_Accounts_Deleted=1-is_Accounts_Deleted, is_Account_Lockouts=if(searchmatch("(result=\"lockout\")"),1,0), is_not_Account_Lockouts=1-is_Account_Lockouts, is_Accounts_Updated=if(searchmatch("(action=\"updated\" OR action=\"modified\")"),1,0), 
is_not_Accounts_Updated=1-is_Accounts_Updated | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(action=\"created\")"), mvappend(nodename, "All_Changes.Account_Management.Accounts_Created"), nodename) | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(action=\"deleted\")"), mvappend(nodename, "All_Changes.Account_Management.Accounts_Deleted"), nodename) | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(result=\"lockout\")"), mvappend(nodename, "All_Changes.Account_Management.Account_Lockouts"), nodename) | eval nodename = if(nodename == "All_Changes.Account_Management" AND searchmatch("(action=\"updated\" OR action=\"modified\")"), mvappend(nodename, "All_Changes.Account_Management.Accounts_Updated"), nodename) | rename src_user_bunit AS All_Changes.Account_Management.src_user_bunit src_user_category AS All_Changes.Account_Management.src_user_category src_user_priority AS All_Changes.Account_Management.src_user_priority src_user_type AS All_Changes.Account_Management.src_user_type dest_nt_domain AS All_Changes.Account_Management.dest_nt_domain src_nt_domain AS All_Changes.Account_Management.src_nt_domain src_user AS All_Changes.Account_Management.src_user src_user_name AS All_Changes.Account_Management.src_user_name is_Accounts_Created AS All_Changes.Account_Management.is_Accounts_Created is_not_Accounts_Created AS All_Changes.Account_Management.is_not_Accounts_Created is_Accounts_Deleted AS All_Changes.Account_Management.is_Accounts_Deleted is_not_Accounts_Deleted AS All_Changes.Account_Management.is_not_Accounts_Deleted is_Account_Lockouts AS All_Changes.Account_Management.is_Account_Lockouts is_not_Account_Lockouts AS All_Changes.Account_Management.is_not_Account_Lockouts is_Accounts_Updated AS All_Changes.Account_Management.is_Accounts_Updated is_not_Accounts_Updated AS All_Changes.Account_Management.is_not_Accounts_Updated | eval nodename = if(nodename == 
"All_Changes" AND searchmatch("(tag=instance)"), mvappend(nodename, "All_Changes.Instance_Changes"), nodename)| eval image_id=if(isnull(image_id) OR image_id="","unknown",image_id), instance_type=if(isnull(instance_type) OR instance_type="","unknown",instance_type) | rename image_id AS All_Changes.Instance_Changes.image_id instance_typ (truncated)', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Sun May 23 20:17:00 2021', apiEndTime='Mon May 23 20:17:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="_ACCELERATE_DM_Splunk_SA_CIM_Change_ACCELERATE_", search_type="datamodel_acceleration", is_proxied=false, app="Splunk_SA_CIM", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:16:55.935, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD53945fd91cb6b90d8_at_1653336000_72983', search='search `cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', 
apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - EC2 Instance Modified With Previously Unseen User - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:16:43.488, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5faf9ca55649bc772_at_1653336000_72979', has_error_warn=false, fully_completed_search=true, total_run_time=7.98, event_count=0, result_count=0, available_count=0, scan_count=4, drop_count=0, exec_time=1653336974, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Disable Windows Behavior Monitoring - Rule", search_startup_time="5266", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_1c720f4709cdbe4a", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=4, total_slices=285262, decompressed_slices=46, duration.command.search.index=10, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats 
`security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" AND Registry.registry_value_data = "0x00000001" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data] | table _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data | `disable_windows_behavior_monitoring_filter`'] Audit:[timestamp=05-23-2022 20:16:13.631, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5abb6ea0b0df1c188_at_1653336000_72967', 
has_error_warn=false, fully_completed_search=true, total_run_time=11.90, event_count=127, result_count=1, available_count=0, scan_count=75955, drop_count=0, exec_time=1653336953, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Windows High File Deletion Frequency - Rule", search_startup_time="466", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_dafef3a46566d18c", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=75955, total_slices=44642, decompressed_slices=3831, duration.command.search.index=82, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=510, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `sysmon` EventCode=23 TargetFilename IN ("*.cmd", "*.ini","*.gif", "*.jpg", "*.jpeg", "*.db", "*.ps1", "*.doc*", "*.xls*", "*.ppt*", "*.bmp","*.zip", "*.rar", "*.7z", "*.chm", "*.png", "*.log", "*.vbs", "*.js", "*.vhd", "*.bak", "*.wbcat", "*.bkf" , "*.backup*", "*.dsk", , "*.win") | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by Computer user EventCode Image ProcessID |where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | 
`windows_high_file_deletion_frequency_filter`'] Audit:[timestamp=05-23-2022 20:16:13.627, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD55d7c21fcc83c8934_at_1653336000_72976', has_error_warn=false, fully_completed_search=true, total_run_time=4.42, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653336967, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", search_startup_time="1595", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_557e324e5e6eab75", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=16, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=403, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", 
"Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", "Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`'] Audit:[timestamp=05-23-2022 20:16:13.591, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_REEtRVNTLVRocmVhdEludGVsbGlnZW5jZQ__RMD561ef7423405d3912_at_1653336900_72969', has_error_warn=false, fully_completed_search=true, total_run_time=5.25, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1653336954, api_et=N/A, api_lt=1653336900.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=1653336900.000000000, is_realtime=0, savedsearch_name="_ACCELERATE_DM_DA-ESS-ThreatIntelligence_Threat_Intelligence_ACCELERATE_", search_startup_time="4409", is_prjob=false, acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DM_DA-ESS-ThreatIntelligence_Threat_Intelligence", app="DA-ESS-ThreatIntelligence", provenance="scheduler", mode="historical", is_proxied=false, 
searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=datamodel_acceleration, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+splunk-system-role+user', search='| summarize tstats=t override=partial manual_rebuilds=t max_time=3600 poll_buckets_until_maxtime=f id=DM_DA-ESS-ThreatIntelligence_Threat_Intelligence [ search (index=* OR index=_*) (index=threat_activity) | eval nodename = "Threat_Activity"| eval dest=case(isnull(dest) OR dest="","unknown",mvcount(dest)=1,split(dest,"|"),1=1,dest), orig_sourcetype=if(mvcount(orig_sourcetype)=1,split(orig_sourcetype,"|"),orig_sourcetype), src=case(isnull(src) OR src="","unknown",mvcount(src)=1,split(src,"|"),1=1,src), src_user=case(isnull(src_user) OR src_user="","unknown",mvcount(src_user)=1,split(src_user,"|"),1=1,src_user), user=case(isnull(user) OR user="","unknown",mvcount(user)=1,split(user,"|"),1=1,user) | rename dest_bunit AS Threat_Activity.dest_bunit dest_category AS Threat_Activity.dest_category dest_priority AS Threat_Activity.dest_priority src_bunit AS Threat_Activity.src_bunit src_category AS Threat_Activity.src_category src_priority AS Threat_Activity.src_priority src_user_bunit AS Threat_Activity.src_user_bunit src_user_category AS Threat_Activity.src_user_category src_user_priority AS Threat_Activity.src_user_priority threat_match_field AS 
Threat_Activity.threat_match_field threat_match_value AS Threat_Activity.threat_match_value threat_collection AS Threat_Activity.threat_collection threat_collection_key AS Threat_Activity.threat_collection_key threat_key AS Threat_Activity.threat_key user_bunit AS Threat_Activity.user_bunit user_category AS Threat_Activity.user_category user_priority AS Threat_Activity.user_priority dest AS Threat_Activity.dest orig_sourcetype AS Threat_Activity.orig_sourcetype src AS Threat_Activity.src src_user AS Threat_Activity.src_user user AS Threat_Activity.user | fields nodename, _time, host, source, sourcetype, Threat_Activity.dest_bunit, Threat_Activity.dest_category, Threat_Activity.dest_priority, Threat_Activity.src_bunit, Threat_Activity.src_category, Threat_Activity.src_priority, Threat_Activity.src_user_bunit, Threat_Activity.src_user_category, Threat_Activity.src_user_priority, Threat_Activity.threat_match_field, Threat_Activity.threat_match_value, Threat_Activity.threat_collection, Threat_Activity.threat_collection_key, Threat_Activity.threat_key, Threat_Activity.user_bunit, Threat_Activity.user_category, Threat_Activity.user_priority, Threat_Activity.dest, Threat_Activity.orig_sourcetype, Threat_Activity.src, Threat_Activity.src_user, Threat_Activity.user ]'] Audit:[timestamp=05-23-2022 20:16:13.573, user=admin, action=search, info=completed, search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5b15398fd76fa9d43_at_1653336000_72977', has_error_warn=false, fully_completed_search=true, total_run_time=2.16, event_count=0, result_count=0, available_count=0, scan_count=7, drop_count=0, exec_time=1653336969, api_et=1653331800.000000000, api_lt=1653335400.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1653331800.000000000, search_lt=1653335400.000000000, is_realtime=0, savedsearch_name="ESCU - Detect Empire with PowerShell Script Block Logging - Rule", search_startup_time="1417", is_prjob=false, 
acceleration_id="9E043255-7F1D-496E-8BB6-16EB563B2989_DA-ESS-ContentUpdate_admin_4865c64c5311068d", app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical_batch", is_proxied=false, searched_buckets=7, eliminated_buckets=6, considered_events=7, total_slices=44673, decompressed_slices=7, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=156, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=scheduled, roles='admin+can_delete+ess_admin+ess_analyst+ess_user+power+user', search='search `powershell` EventCode=4104 (Message=*system.net.webclient* AND Message=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`'] Audit:[timestamp=05-23-2022 20:16:13.545, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5faf9ca55649bc772_at_1653336000_72979', search='| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time 
Protection\\DisableScanOnRealtimeEnable" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" OR Registry.registry_path= "*\\Real-Time Protection\\DisableIOAVProtection" OR Registry.registry_path= "*\\Real-Time Protection\\DisableScriptScanning" AND Registry.registry_value_data = "0x00000001" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data] | table _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data | `disable_windows_behavior_monitoring_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Disable Windows Behavior Monitoring - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:16:09.441, user=admin, action=search, info=granted , 
search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD5b15398fd76fa9d43_at_1653336000_72977', search='search `powershell` EventCode=4104 (Message=*system.net.webclient* AND Message=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Detect Empire with PowerShell Script Block Logging - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:16:07.522, user=admin, action=search, info=granted , search_id='scheduler__admin_REEtRVNTLUNvbnRlbnRVcGRhdGU__RMD55d7c21fcc83c8934_at_1653336000_72976', search='| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe) (Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe", "Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Dllhost.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe", "Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe", "Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe", "Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe", "Mmc.exe", "Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe", "WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe", "Rundll32.exe", 
"Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe", "Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe", "Explorer.exe", "Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe", "Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wmiprsve_lolbas_execution_process_spawn_filter`', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*,_*,annotations,host,prestats_reserved_*,psrsvd_*,source,sourcetype', apiStartTime='Mon May 23 18:50:00 2022', apiEndTime='Mon May 23 19:50:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="ESCU - Wmiprsve LOLBAS Execution Process Spawn - Rule", search_type="scheduled", is_proxied=false, app="DA-ESS-ContentUpdate", provenance="scheduler", mode="historical"] Audit:[timestamp=05-23-2022 20:16:05.539, user=admin, action=search, info=granted , search_id='scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD501805f07ae0aff07_at_1653336960_72975', search='| rest splunk_server=local count=0 "/servicesNS/-/-/saved/searches?listDefaultActionArgs=1" | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.notable', "1|[Tt]|[Tt][Rr][Uu][Ee]") OR match('action.risk', "1|[Tt]|[Tt][Rr][Uu][Ee]") | join type=left title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=savedsearch* AND annotations=*" | eval title=replace(title, "savedsearch://", "") | table title,annotations] | join type=left max=0 title [| rest splunk_server=local count=0 /services/configs/conf-analyticstories search="name=analytic_story* AND searches=*" | eval analyticstories=replace(title, "analytic_story://", "") | 
spath input=searches path={} output=title | stats values(analyticstories) as analyticstories by title | eval analyticstories=mvjoin(analyticstories, "@@")] | eval analyticstories=split(analyticstories, "@@") | eval annotations=case(isnotnull('action.correlationsearch.annotations') AND 'action.correlationsearch.annotations'!="",'action.correlationsearch.annotations',isnotnull(annotations) AND annotations!="",annotations,1=1,null()),rule_name=if(isnotnull('action.correlationsearch.label'),'action.correlationsearch.label',title) | rename title as _key,action.notable.param.* as * | append [| rest splunk_server=local count=0 /servicesNS/-/-/configs/conf-correlationsearches | rename title as _key] | eval security_domain=if(security_domain="",null(),security_domain),severity=if(severity="",null(),severity),rule_name=if(rule_name="",null(),rule_name),description=if(description="",null(),description),rule_title=if(rule_title="",null(),rule_title),rule_description=if(rule_description="",null(),rule_description),drilldown_name=if(drilldown_name="",null(),drilldown_name),drilldown_search=if(drilldown_search="",null(),drilldown_search),drilldown_earliest_offset=if(drilldown_earliest_offset="",null(),drilldown_earliest_offset),drilldown_latest_offset=if(drilldown_latest_offset="",null(),drilldown_latest_offset),default_status=if(default_status="",null(),default_status),default_owner=if(default_owner="",null(),default_owner),default_disposition=if(default_disposition="",null(),default_disposition),next_steps=if(next_steps="",null(),next_steps),investigation_profiles=if(investigation_profiles="",null(),investigation_profiles),extract_artifacts=if(extract_artifacts="",null(),extract_artifacts),recommended_actions=if(recommended_actions="",null(),recommended_actions),analyticstories=if(analyticstories="",null(),analyticstories) | appendpipe [ where _key LIKE "%\"%" | eval _key=replace(_key, "\"", "_") ] | stats first(annotations) as annotations,first(security_domain) as 
security_domain,first(severity) as severity,first(rule_name) as rule_name,first(description) as description,first(rule_title) as rule_title,first(rule_description) as rule_description,first(drilldown_name) as drilldown_name,first(drilldown_search) as drilldown_search,first(drilldown_earliest_offset) as drilldown_earliest_offset,first(drilldown_latest_offset) as drilldown_latest_offset,first(default_status) as default_status,first(default_owner) as default_owner,first(next_steps) as next_steps,first(investigation_profiles) as investigation_profiles,first(extract_artifacts) as extract_artifacts,first(recommended_actions) as recommended_actions,values(analyticstories) as analyticstories by _key | outputlookup correlationsearches_lookup append=T key_field=_key | stats count', autojoin='1', buckets=0, ttl=120, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Mon May 23 20:16:00 2022', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="Threat - Correlation Searches - Lookup Gen", search_type="scheduled", is_proxied=false, app="SA-ThreatIntelligence", provenance="scheduler", mode="historical"]