splunk

Splunk Queries for SOC Analyst

🔍 Advanced Splunk Queries for Security Monitoring

As a System Engineer, monitoring security events is critical for ensuring system integrity and identifying potential threats. Here’s a collection of essential Splunk queries categorized for different scenarios, from failed login attempts to suspicious network traffic.

🔐 Authentication Attempts

🔐 Failed Login Attempts

sourcetype=auth* "authentication failure"
| stats count by user
| sort -count

🔑 Failed SSH Attempts

sourcetype=linux_secure "Failed password for"
| stats count by src_ip
| sort -count

✅ Successful SSH Attempts

sourcetype=linux_secure "Accepted publickey for"
| stats count by src_ip
| sort -count

🌎 Successful Login Attempts from New or Unknown IP Addresses

sourcetype=access_* action=login
| stats count by user, src_ip
| where count=1

🔓 Account Takeover Attempts

sourcetype=access_* action=login
| stats count by user
| where count > 10

🛠️ Brute Force Attacks on SSH Servers

sourcetype=linux_secure action=invalid
| stats count by src_ip
| where count >= 10

📧 Brute Force Attacks on Email Accounts

sourcetype=exchangeps
| stats count by src_ip
| where count >= 10

🔐 Brute Force Attacks on SSH Servers

sourcetype=access_* method=POST uri_path="*/ssh"
| stats count by src_ip
| where count >= 10

🔐 Brute Force Attacks on SSH Servers (Failed Login Attempts)

sourcetype=linux_secure action=failed
| stats count by src_ip
| where count >= 10

🛠️ Brute Force Attacks on MSSQL Servers

sourcetype=mssql_access action=failed
| stats count by src_ip
| where count >= 10

🛠️ Brute Force Attacks on RDP

sourcetype=WinEventLog:Security EventCode=4625
| search Logon_Type=10 AND Status="0xC000006D"

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype=WinEventLog:Security EventCode=4697 OR EventCode=7045
| search Image_Path="*\\System32\\*" AND NOT User="SYSTEM"

➡️ Lateral Movement Attempts Using Remote Registry

sourcetype=WinEventLog:Security EventCode=4663
| search Object_Name="*\\REGISTRY\\MACHINE\\SOFTWARE" AND NOT User="SYSTEM" AND
NOT User="NETWORK SERVICE" AND NOT User="LOCAL SERVICE"

➡️ Lateral Movement Attempts Using SMB

sourcetype=WinEventLog:Security EventCode=5140
| search Object_Name="*\\ADMIN$" OR Object_Name="*\\C$"

➡️ Lateral Movement Attempts Using SMB (Successful Logins)

sourcetype=WinEventLog:Security EventCode=5140
| search Object_Name="*\\ADMIN$" OR Object_Name="*\\C$"

➡️ Lateral Movement Attempts Using RDP (Successful Logins)

sourcetype=WinEventLog:Security EventCode=4624
| search Logon_Type=10

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype=WinEventLog:Security EventCode=4698
| search "Task Scheduler service found a misconfiguration" AND NOT User="SYSTEM"

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype="WinEventLog:Security" EventCode=4672
| eval user_account=mvindex(Account_Name,1)
| search "Security ID" NOT IN ("SYSTEM","LOCAL SERVICE","NETWORK SERVICE")

⚙️ Privilege Escalation Attempts Using PowerShell

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=400
| search "PowerShell pipeline execution details" AND NOT "UserPrincipalName=SYSTEM@*"
AND NOT "UserPrincipalName=NETWORK SERVICE@*"

✉️ Phishing Attempts Through Email Attachments

sourcetype=email
| search attachment="*.exe" OR attachment="*.zip"

🛡️ Security Threats

🛡️ Security Threats

sourcetype=access_* method=POST status=200 |
rex field=_raw "password=(?<password>[^&]+)"
| eval password_length=length(password)
| where password_length >= 8

🚨 Traffic to Known Malicious IP Addresses

sourcetype=network_traffic dest_ip=malicious_ip

🦠 Malware Infections

sourcetype=access_* action=file_download |
rex field=file_path ".*\.(?<extension>[^\.]+)"
| search extension="exe" OR extension="dll"

👀 Insider Threats

sourcetype=access_* action=file_upload
| stats count by user, file_path
| where count > 10

🛡️ Ransomware Activity

"sourcetype=access_* action=file_write  
| search file_path="*.crypt" OR file_path="*.locky""

🛡️ Ransomware Activity

sourcetype=access_* action=file_delete
| rex field=file_path ".*\\.(?<extension>[^\\.]+)"
| search extension="encrypted" OR extension="locked" OR extension="ransom"

💻 Web Shell Activity

"sourcetype=access_* action=command_execution  
| search (echo|print|printf)\s+(base64_decode|eval|gzinflate|str_rot13)"

⚔️ DDoS Attacks

sourcetype=network_traffic
| stats sum(bytes) as total_bytes by src_ip
| where total_bytes > 100000000

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype=WinEventLog:Security EventCode=4688
| search (New_Process_Name="*\\runas.exe" OR New_Process_Name="*\\psexec.exe") AND
NOT User="SYSTEM"

🌏 Successful SSH Logins from Unusual Countries

sourcetype=access_* action=login service=ssh
| iplocation src_ip
| stats count by src_country
| where count > 10 AND NOT src_country="United States"

🖥️ Ransomware Activity on Windows Systems

sourcetype=WinEventLog:Security EventCode=4663 |
rex field=Object_Name "\\\\.*\\\\(?<filename>.+)"
| rex field=filename ".*\\.(?<extension>[^\\.]+)"
| search extension="encrypted" OR extension="locked" OR extension="ransom"

🚨 Suspicious Activity

🚨 Privilege Escalation Attempts

sourcetype=linux_secure su*
| where user!=root AND user!=""

🌐 Unusual Network Traffic

sourcetype=network_traffic
| stats sum(bytes) as total_bytes by src_ip, dest_ip
| where total_bytes > 1000000

🕵️ Suspicious Processes

sourcetype=processes
| search "lsass.exe" OR "svchost.exe" OR "explorer.exe"
| stats count by user
| sort -count

🛠️ Brute Force Attacks

sourcetype=access_* | stats count by clientip, action | where action="failure" AND count>=5

📡 Network Port Scans

sourcetype=network_traffic
| stats count by src_ip, dest_port
| where count > 100

🕒 Unusual Login Times

sourcetype=access_* action=login
| eval hour=strftime(_time,"%H")
| stats count by user, hour
| where count < 3

👀 Reconnaissance Activity

"sourcetype=access_* method=GET  
| stats count by uri_path  
| where count > 100"

🔐 Privilege Escalation Attempts

"sourcetype=access_* action=privilege_escalation  
| stats count by user  
| where count > 5"

✉️ Phishing Attempts Through Email Attachments

sourcetype=email
| search attachment="*.exe" OR attachment="*.zip"

📁 Brute Force Attacks on a Specific Application

sourcetype=access_* uri_path="/app/login" AND action=failure
| stats count by src_ip
| where count >= 5

📂 Unauthorized Changes to Critical Files

"sourcetype=access_* action=file_write  
| search file_path="*/etc/*" OR file_path="*/var/*""

📡 Command and Control (C2) Traffic

"sourcetype=network_traffic  
| stats count by dest_ip  
| where count > 500 AND NOT dest_ip IN (192.168.0.0/16, 10.0.0.0/8)"

🌍 Malicious Traffic from a Specific IP Address

"sourcetype=network_traffic src_ip=10.1.1.1  
| stats count by dest_ip  
| where count > 10"

🌏 Successful SSH Logins from Unusual Countries

sourcetype=access_* action=login service=ssh
| iplocation src_ip
| stats count by src_country
| where count > 10 AND NOT src_country="United States"

🐧 Privilege Escalation Attempts on Linux Systems

sourcetype=linux_secure "sudo:" |
where user!="root" AND user!=""

🛠️ Brute Force and Exploit Attempts

🛠️ Brute Force Attacks

sourcetype=access_* | stats count by clientip, action | where action="failure" AND count>=5

👤 Abnormal User Activity

sourcetype=access_* action=purchase
| stats count by clientip, user
| where count > 50

🌍 DNS Tunneling Activity

sourcetype=dns
| rex field=answer "data\"\s*:\s*\"(?<data>[^\"]+)\""
| eval data_length=len(data)
| where data_length > 32 AND (data_length % 4) == 0

⚙️ Suspicious PowerShell Activity

sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4103
| eval script_block=mvindex(Message,3)
| search script_block="*Start-Process*"

📂 Unusual File Access

sourcetype=access_* action=file_delete OR action=file_rename
| stats count by user
| where count > 10

📁 Brute Force Attacks on Web Applications

sourcetype=access_* method=POST uri_path="*.php"
| stats count by src_ip
| where count >= 50

📩 Spear-Phishing Attempts

sourcetype=email
| search "CEO" OR "CFO" OR "Finance" OR "Accounting" OR "Payment"

⚙️ Privilege Escalation Attempts Using PowerShell

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=400
| search "PowerShell pipeline execution details" AND NOT "UserPrincipalName=SYSTEM@*"
AND NOT "UserPrincipalName=NETWORK SERVICE@*"

🐧 Privilege Escalation Attempts on Linux Systems

"sourcetype=access_* action="sudo command"  
| stats count by user  
| where count >= 10"

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype=WinEventLog:Security EventCode=4688
| search (New_Process_Name="*\\runas.exe" OR New_Process_Name="*\\psexec.exe") AND
NOT User="SYSTEM"

📧 Phishing Attacks

sourcetype=access_* method=POST uri_path="*.php"
| search form_action="http://www.evilsite.com/login.php" AND (input_password=* OR
input_password=*)

🌐 Network & DNS Activity

🕒 Unusual Login Times

sourcetype=access_* action=login
| eval hour=strftime(_time,"%H")
| stats count by user, hour
| where count < 3

🌐 Unusual DNS Requests

sourcetype=dns |
stats count by query
| where count > 10

🛠️ Brute Force Attacks on a Specific Protocol

sourcetype=network_traffic protocol=http
| stats count by src_ip
| where count >= 50

👥 Brute Force Attacks Against a Specific User

sourcetype=access_* user=username AND action=failure
| stats count by src_ip
| where count >= 5

👀 Reconnaissance Activity

"sourcetype=access_* method=GET  
| stats count by uri_path  
| where count > 100"

🛡️ Ransomware Activity

sourcetype=access_* action=file_delete
| rex field=file_path ".*\\.(?<extension>[^\\.]+)"
| search extension="encrypted" OR extension="locked" OR extension="ransom"

🌍 DNS Tunneling Activity

sourcetype=dns
| stats count by query
| where count > 5 AND NOT match(query, "\\.")

⚒️ Command Injection Attempts on Web Servers

sourcetype=access_* method=POST uri_path="*.php"
| rex field=_raw "(?<command>cat|ls|dir)\s+(?<argument>[^;]+)"
| where isnotnull(command) AND isnotnull(argument)

📤 Data Exfiltration Attempts Over HTTPS

sourcetype=ssl method=POST
| stats count by src_ip, dest_ip
| where count >= 10

📂 File Activity

📁 Unusual File Extensions

sourcetype=access_* action=file_upload
| rex field=file_path ".*\.(?<extension>[^\.]+)"
| stats count by extension
| where count > 10

📂 Unusual File Access

sourcetype=access_* action=file_delete OR action=file_rename
| stats count by user
| where count > 10

📂 Unauthorized Changes to Critical Files

"sourcetype=access_* action=file_write  
| search file_path="*/etc/*" OR file_path="*/var/*""

⚒️ Command Injection Attempts on Web Servers

sourcetype=access_* method=POST uri_path="*.php"
| rex field=_raw "(?<command>cat|ls|dir)\s+(?<argument>[^;]+)"
| where isnotnull(command) AND isnotnull(argument)

➡️ Lateral Movement Attempts Using SMB (Successful Logins)

sourcetype=WinEventLog:Security EventCode=5140
| search Object_Name="*\\ADMIN$" OR Object_Name="*\\C$"

Data Exfiltration

📤 Data Exfiltration

source type=access_* action=file_download
| stats count by user, dest_ip, dest_port
| where count > 10

📤 Data Exfiltration Attempts Over HTTP

sourcetype=access_* action=file_download
| search uri_path="*.zip" OR uri_path="*.rar" OR uri_path="*.tgz" OR uri_path="*.tar.gz"

📤 Data Exfiltration Attempts Over HTTPS

sourcetype=ssl method=POST
| stats count by src_ip, dest_ip
| where count >= 10

📤 Data Exfiltration Attempts Over FTP

sourcetype=access_* action=file_upload
| search uri_path="*/ftp" OR uri_path="*/sftp"

📤 Data Exfiltration Attempts Over DNS

sourcetype=dns
| search query_type=A AND query !="*.google.com" AND query !="*.facebook.com" AND query
!="*.twitter.com" AND query !="*.microsoft.com"

📤 Data Exfiltration Attempts Over SMTP

sourcetype=smtp action=send_message
| search recipient!="*@gmail.com" AND recipient!="*@yahoo.com" AND
recipient!="*@hotmail.com" AND recipient!="*@aol.com"

📤 Data Exfiltration Attempts Over FTP

sourcetype=ftp action=putfile
| stats count by src_ip
| where count >= 10

💻 Web Server Attacks

🔐 Privilege Escalation Attempts

"sourcetype=access_* action=privilege_escalation  
| stats count by user  
| where count > 5"

🛠️ SQL Injection Attempts on Web Servers

sourcetype=access_* method=POST uri_path="*.php"
| rex field=_raw "SELECT\\s+(?<query>[^;]+)"
| eval query_length=length(query)
| where query_length > 50 AND query_length < 100

📂 Unauthorized Changes to Critical Files

"sourcetype=access_* action=file_write  
| search file_path="*/etc/*" OR file_path="*/var/*""

🖥️ Privileged System Access

🛠️ SQL Injection Attempts on Web Servers

"sourcetype=access_* method=POST uri_path="*.php"  
| rex field=_raw "SELECT\s+(?<query>[^;]+)"  
| eval query_length=length(query)  
| where query_length > 100 AND query_length < 200"

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype=WinEventLog:Security EventCode=4698
| search "Task Scheduler service found a misconfiguration" AND NOT User="SYSTEM"

➡️ Lateral Movement Attempts Using WinRM

sourcetype=WinEventLog:Microsoft-Windows-WinRM/Operational EventCode=146
| search "winrs: client" AND "is starting a command" AND NOT user="NETWORK SERVICE" AND
NOT user="LocalSystem"

🖥️ Privilege Escalation Attempts on Windows Systems

sourcetype="WinEventLog:Security" EventCode=4672
| eval user_account=mvindex(Account_Name,1)
| search "Security ID" NOT IN ("SYSTEM","LOCAL SERVICE","NETWORK SERVICE")

⚙️ Automation & Movement

🐧 Privilege Escalation Attempts on Linux Systems

sourcetype=linux_secure "sudo:" |
where user!="root" AND user!=""

🔐 Privilege Escalation Attempts

"sourcetype=access_* action=privilege_escalation  
| stats count by user  
| where count > 5"

⚔️ DDoS Attacks

"sourcetype=network_traffic  
| stats count by src_ip  
| where count > 1000"

⚙️ PowerShell Empire Activity

"sourcetype=WinEventLog:Windows PowerShell  
| search (powershell.exe -nop -w hidden -ep bypass -c)|(iex(new-object  
net.webclient).downloadstring)"

🛠️ Brute Force Attacks on a Specific Protocol

sourcetype=network_traffic protocol=http
| stats count by src_ip
| where count >= 50

🌍 DNS Tunneling Activity

sourcetype=dns
| stats count by query
| where count > 5 AND NOT match(query, "\\.")

🐧 Privilege Escalation Attempts on Linux Systems

"sourcetype=access_* action="sudo command"  
| stats count by user  
| where count >= 10"

⚙️ Privilege Escalation Attempts Using PowerShell

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=400
| search "PowerShell pipeline execution details" AND NOT "UserPrincipalName=SYSTEM@*"
AND NOT "UserPrincipalName=NETWORK SERVICE@*"

✉️ Phishing Attempts Through Email Attachments

sourcetype=email
| search attachment="*.exe" OR attachment="*.zip"

📁 Brute Force Attacks on Web Applications

sourcetype=access_* method=POST uri_path="*.php"
| stats count by src_ip
| where count >= 50

⚒️ Command Injection Attempts on Web Servers

sourcetype=access_* method=POST uri_path="*.php"
| rex field=_raw "(?<command>cat|ls|dir)\s+(?<argument>[^;]+)"
| where isnotnull(command) AND isnotnull(argument)

📂 Unauthorized Changes to Critical Files

"sourcetype=access_* action=file_write  
| search file_path="*/etc/*" OR file_path="*/var/*""

🦠 Malware Infections

sourcetype=access_* action=file_download |
rex field=file_path ".*\.(?<extension>[^\.]+)"
| search extension="exe" OR extension="dll"

📡 Command and Control (C2) Traffic

"sourcetype=network_traffic  
| stats count by dest_ip  
| where count > 500 AND NOT dest_ip IN (192.168.0.0/16, 10.0.0.0/8)"

🛡️ Ransomware Activity

sourcetype=access_* action=file_delete
| rex field=file_path ".*\\.(?<extension>[^\\.]+)"
| search extension="encrypted" OR extension="locked" OR extension="ransom"

✉️ Phishing Attempts Through Email Attachments

sourcetype=email
| search attachment="*.exe" OR attachment="*.zip"