Using metadata and tstats to quickly establish situational awareness

This is part four of the "Hunting with Splunk: The Basics" series.

So you want to hunt, eh? Well my young Padawan, hold on. As a Splunk Jedi once told me, you have to first go slow to go fast. What do I mean by that? Well, if you rush into threat hunting and start slinging SPL indiscriminately, you risk creating gaps in your investigation. What gaps might those be? As a wise man once said, Know thy network. Actually, in this case, know your network and hosts. To effectively hunt, understanding the data you have and don't have for your hosts is key. Without this knowledge, you risk making assumptions that lead to poor decisions whilst threat hunting. Today, I am going to share with you my methodology around initial information gathering and how I use the metadata and tstats commands to understand the data available to me when I start threat hunting.

The metadata command is a generating command, which means it is the first command in a search. For those not fully up to speed on Splunk, there are certain fields that are written at index time. These fields are _time, source (where the event originated; this could be a file path or a protocol/port value), sourcetype (type of machine data) and host (hostname or IP that generated an event). These metadata fields (see what I did there?) can be searched and returned with values that include first time, last time and count for a particular value.

My manager has tasked me to start hunting based on some indicators recently gathered. My first thought is to see that I have data sets available to me that pertain to the time I am hunting in. This is a quick search that I could run to enumerate sourcetypes in Splunk for the past seven days.

As you can see, in the past seven days I have 5,162 FireEye events. Doing a little epoch time conversion, I determine that the data first hit my indexer at 2:31:00 GMT and the last time it was seen on my indexer was 22:01:12 GMT. Based on the time range of my search (it was from May 13 22:00 GMT to May 20 22:38:15 GMT), I have a high level of confidence that my FireEye data is fairly current, but if my investigation goes back before May 12, I don't have FireEye data to work with, which could impact how I approach this activity or lower my confidence in determining when something was first seen in my network.

Now that I know what types of data I have in Splunk, let's see which hosts are sending data through. Do I have current data for all my hosts? Maybe I want to isolate on hosts that are writing to a specific index. In this case, I want to see all the hosts that have data in the 'os' index because I know data in that index will be of importance to me in my hunt. The metadata command does not have a lot of options to it, but you can narrow down the search to specific indexes, search peers or server groups and even sourcetypes (like I did above).
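Added example searches (mine, not the post's own; the 'os' index name and the 24-hour staleness threshold are assumptions): the first enumerates sourcetypes with the epoch firstTime/lastTime values converted as described above plus a column showing how many hours since each sourcetype was last seen, the second lists hosts in the 'os' index whose most recent event is older than a day, and the third asks the same host question with tstats.

```spl
| metadata type=sourcetypes index=*
| eval hours_since_last=round((now() - lastTime) / 3600, 1)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table sourcetype firstTime lastTime totalCount hours_since_last
| sort - hours_since_last

| metadata type=hosts index=os
| where now() - lastTime > 86400
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table host lastTime totalCount

| tstats count AS totalCount min(_time) AS firstTime max(_time) AS lastTime
    WHERE index=os BY host
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| sort lastTime
```

Because metadata reads bucket-level summaries, its counts and times are approximate for whatever time range you pick, whereas the tstats version counts only events inside the selected range; run both before trusting a "this host went quiet on date X" conclusion.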