Splunk Search

Is there a search for a set of commands in quick succession?

AaronMoorcroft
Communicator

Hey Guys,

Is there a simple way to search for a set of commands being run in quick succession on a single system, and then maybe even table the results if it happens on multiple systems? For example:

Mr Hackerman gains access to workstation 1 and within the space of a minute or two types in whoami, ipconfig, systeminfo?

Obviously these commands could be in any order so that would need to be taken into account too.

0 Karma

pkeenan87
Communicator

Streamstats and the time_window parameter could be useful here. Something like this:

base_search
| streamstats time_window=1m dc(command) AS unique_commands values(command) AS commands_executed by user host
| sort - unique_commands

You could look for it happening on multiple systems by adding eventstats to it with something like this:

base_search
| streamstats time_window=1m dc(command) AS unique_commands values(command) AS commands_executed by user host
| where unique_commands>4
| eventstats dc(host) AS unique_hosts by user
| sort - unique_hosts

That should at least get you pointed in the right direction. Here are the streamstats and eventstats docs for reference. They will be pretty useful for use cases such as these.

Streamstats: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Streamstats
Eventstats: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Eventstats

Also a cool blog: https://www.splunk.com/blog/2014/04/01/search-command-stats-eventstats-and-streamstats-2.html
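
The logic behind the search above (a trailing time window per user and host, a distinct count of commands inside it, then a count of hosts per user) can be checked outside Splunk. The block below is an added example, not part of the original answer and not Splunk code: a plain-Python re-implementation of `streamstats time_window=1m dc(command) values(command) by user host` followed by `eventstats dc(host) by user`, run over constructed sample events. The field names `_time`, `user`, `host` and `command` are assumed to match the ones the SPL uses, the recon command set is the three from the question, and the threshold is 3 distinct commands (the answer's `where unique_commands>4` would need five distinct commands in the window, so for the three in the question a `>=3` style threshold is what you want).

```python
"""Sliding-window detection of reconnaissance commands, per user and host.

Added example (not Splunk code, not from the original thread): mirrors
`streamstats time_window=1m dc(command) values(command) by user host`
and then `eventstats dc(host) by user` over constructed sample events.
Field names _time/user/host/command are assumptions matching the SPL.
"""
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Commands of interest (from the question); execution order is irrelevant.
RECON_COMMANDS = {"whoami", "ipconfig", "systeminfo"}
WINDOW = timedelta(minutes=1)

# Constructed sample log lines (not real telemetry), reduced to the fields
# the SPL uses. alice runs all three on WS1 in order, bob runs two of them on
# WS2 but three minutes apart, alice runs all three on WS3 in another order.
SAMPLE_LOG = """\
2024-05-01T10:00:05 host=WS1 user=alice command=whoami
2024-05-01T10:00:20 host=WS1 user=alice command=ipconfig
2024-05-01T10:00:50 host=WS1 user=alice command=systeminfo
2024-05-01T10:03:00 host=WS2 user=bob command=whoami
2024-05-01T10:06:00 host=WS2 user=bob command=ipconfig
2024-05-01T10:07:00 host=WS3 user=alice command=systeminfo
2024-05-01T10:07:10 host=WS3 user=alice command=whoami
2024-05-01T10:07:30 host=WS3 user=alice command=ipconfig
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into event dicts with a datetime _time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["_time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def streamstats_window(events, window=WINDOW, commands=RECON_COMMANDS):
    """Annotate each event with the distinct commands seen in its trailing window.

    Approximates `streamstats time_window=<window> dc(command) values(command)
    by user host`: for each event at time t, the window is [t - window, t] for
    the same user+host. Events are processed in ascending time order, which is
    what makes the trailing window well defined.
    """
    per_key = defaultdict(deque)
    out = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        cmd = ev["command"].lower()
        if cmd not in commands:
            continue  # same as restricting base_search to the commands of interest
        key = (ev["user"], ev["host"])
        q = per_key[key]
        q.append((ev["_time"], cmd))
        # Evict events that have fallen out of the trailing window.
        while ev["_time"] - q[0][0] > window:
            q.popleft()
        seen = sorted({c for _, c in q})
        out.append({**ev, "unique_commands": len(seen), "commands_executed": seen})
    return out


def flag_bursts(events, threshold=3, window=WINDOW):
    """Events whose trailing window holds at least `threshold` distinct recon commands."""
    return [ev for ev in streamstats_window(events, window)
            if ev["unique_commands"] >= threshold]


def hosts_per_user(flagged):
    """Like `eventstats dc(host) by user`: which hosts each flagged user hit."""
    hosts = defaultdict(set)
    for ev in flagged:
        hosts[ev["user"]].add(ev["host"])
    return {user: sorted(h) for user, h in hosts.items()}


if __name__ == "__main__":
    hits = flag_bursts(parse_log(SAMPLE_LOG))
    for ev in hits:
        print(ev["_time"], ev["user"], ev["host"], ev["commands_executed"])
    print(hosts_per_user(hits))
```

Two things carry back to the SPL. First, `streamstats time_window` only works when the events reach it in time order; the default reverse-chronological search output is fine, but a `sort` on another field before the `streamstats` breaks the window. Second, filtering the base search down to the handful of commands you care about before `streamstats` (the `if cmd not in commands` line above) keeps `dc(command)` from being inflated by unrelated processes and keeps the streamstats state small on busy hosts.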

AaronMoorcroft
Communicator

Hey, thank you, I'll give this a shot 🙂

0 Karma