Data filtering techniques for threat hunting

(Part of our Threat Hunting with Splunk series, this article was originally written by Dave Herrald. We’ve updated it recently to maximize your value.)

So far in this series, we’ve shared some key techniques that are required for threat hunting using Splunk - we’ve discussed how to…

- Enrich data with lookup commands and workflow actions.
- Examine network traffic with Splunk Stream.
- Discover the different types of data available in your Splunk instance.
- Make the most of your Windows event logs.

This post will continue by introducing a set of foundational Splunk threat-hunting techniques that will help you filter data. And yes, we’re going to keep on keepin’ on with the stats command, too.

Why is filtering data important?

Well, Splunk allows you to store gigabytes, terabytes, or even petabytes of full-fidelity security data - yet the evidence you are seeking during a hunt or investigation is often contained in just a few events. You need to eliminate the noise and expose the signal. To do this, we will focus on three specific techniques for filtering data that you can start using right away. For all three tutorials, below, we use data from our Boss of the SOC v1.0 data set.

The most obvious (but often overlooked) technique for reducing the number of events returned by your Splunk search - and getting you closer to actionable results - is to specify an appropriate time range. If you can put a left and right boundary on the timeline of your hunt, you enable Splunk to ignore events from time periods that have nothing to do with your hypothesis, potentially saving you valuable time and system resources along the way.

For most Splunk users, the easiest way to specify the time range is to use the time range picker as shown in Figure 1 (below).

Figure 1: Filtering events based on timestamp

In this example, I’m looking at some DNS events from our Boss of the SOC v1.0 data set. Specifically, I’ve asked Splunk to search all DNS activity on August 24, 2016:

- This search returned in about 6.6 seconds and returned about 55,000 results.
- The same search run over the entire month of August 2016 (not shown) returned about 1.37 million events and took approximately 184 seconds to complete.

In this case, selecting an appropriate time range helped us realize a 96% reduction in both the number of events and the time to run the search!

Your data and hunting hypotheses will vary, but remember - when hunting in Splunk, it pays to pay attention to time.

Technique 2. Fields of Dreams: Using field-value expressions

Splunk is often referred to as a search engine for your data, and it’s easy to see why when you enter a simple phrase into the search app. Events containing this phrase begin to appear, usually within just a few seconds. We sometimes refer to searching in this way as "super-grepping", and - while it can be effective - Splunk has a lot more power under the hood.
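The day-long DNS search from Figure 1 can also be bounded with time modifiers typed into the search string instead of the time range picker, and the field-value expressions that Technique 2 introduces are what restrict it to DNS events rather than to any event containing the word "dns". The searches below are an added example, not searches from the original post; the index name botsv1, the sourcetype stream:dns and the query field are assumptions about how the Boss of the SOC v1.0 data is indexed and are not stated on the page.

```spl
index=botsv1 sourcetype=stream:dns earliest="08/24/2016:00:00:00" latest="08/25/2016:00:00:00"

index=botsv1 sourcetype=stream:dns earliest=-24h@h latest=@h

index=botsv1 sourcetype=stream:dns earliest="08/24/2016:00:00:00" latest="08/25/2016:00:00:00"
| stats count by query
| sort - count
```

The first search is the Figure 1 search with its left and right boundaries written explicitly; earliest is inclusive and latest is exclusive, so the pair covers exactly August 24, 2016. The second form uses relative modifiers snapped to the hour with @h, which suits a hunt over a rolling window. The third keeps the same boundaries and lets the stats command do the counting per queried name. In all three, sourcetype=stream:dns is a field-value expression: it matches only events whose sourcetype field has that value, whereas the bare term dns is the super-grep the text describes and would also match any event that merely contains that string.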