Work with Splunk Enterprise Security#

Caution

This app is no longer supported and this documentation will be removed on 1 December 2024.

Splunk Enterprise Security (Splunk ES) is a paid-for Splunk app that provides additional tooling for cybersecurity practioners to perform advanced searches and threat identification in environments.

Requirements#

Example queries#

EclecticIQ tstats Threat Intelligence alert - Domain#

| `eiq_dm_alert_domain`
| eval alert_field=case(isnotnull(value_eiq_domain), "domain")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest

EclecticIQ tstats Threat Intelligence alert - Email#

| `eiq_dm_alert_email`
| eval alert_field=case(isnotnull(value_eiq_sender), "sender", isnotnull(value_eiq_receiver), "receiver")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest

EclecticIQ tstats Threat Intelligence alert - Hash#

| `eiq_dm_alert_hash`
| eval alert_field=case(isnotnull(value_eiq_file_hash), "file_hash")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest

EclecticIQ tstats Threat Intelligence alert - Source/Destination#

| `eiq_dm_alert_src_dst`
| eval alert_field=case(isnotnull(value_eiq_src), "src", isnotnull(value_eiq_dest), "dest")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest

EclecticIQ tstats Threat Intelligence alert - URL#

| `eiq_dm_alert_url`
| eval alert_field=case(isnotnull(value_eiq_url), "url")
| eval event_hash=md5(sourcetype.index._time.host.value_eiq)
| eval alert_source="splunk_dm_search"
| eval key=_time."-".'event_hash', event_index=index, event_sourcetype=sourcetype, event_time=_time, event_host=host, event_time_1=(_time+1)
| dedup key
| table key, alert_field, alert_source, eiq_src, eiq_dest, event_time, event_hash, event_index, event_host, event_sourcetype, value_url_eiq, type_eiq, timestamp_eiq, source.name_eiq, meta.tags_eiq, meta.relevancy_eiq, feed_id_eiq, entity.id_eiq, entity.title_eiq, value_eiq, meta.entity_url_eiq, meta.taxonomy_eiq, event_time_1
| rename source.name_eiq AS source_name_eiq, meta.tags_eiq AS meta_tags_eiq, meta.relevancy_eiq AS meta_relevancy_eiq, entity.id_eiq AS entity_id_eiq, entity.title_eiq AS entity_title_eiq, meta.entity_url_eiq AS meta_entity_url_eiq, meta.taxonomy_eiq AS meta_taxonomy_eiq, eiq_src AS src, eiq_dest AS dest