Class 6 ‐ Advanced SIEM - Justin-Boyd/CIT-Class GitHub Wiki

Log Queries

Queries

  • Dedicated requests
  • Retrieve information from the SIEM
  • Many SIEM applications use a proprietary query syntax.
  • Many features in Splunk are built on queries.

Linux Log Queries

  • Many Linux logs are located in /var/log.
  • To display Linux logs, a source must be selected: source="log-file-path"
  • The entire /var/log directory can also be viewed.

Windows Log Queries

  • source="wineventlog" displays Windows logs.
  • sourcetype="wineventlog:[log-type]" displays a specific group of Windows logs.

Field Types

  • A variety of fields can be used to filter logs.
  • They are associated with data types, such as host machine data, timestamps, and others.
  • Splunk also supports custom fields.

Basic Wildcards

  • Used as placeholders in queries
  • A single wildcard character can stand in for part of a value when retrieving data.
  • The asterisk (*) matches any sequence of characters, so source="/var/log/*" displays all logs located in /var/log.

Log Parsing

Parsing Overview

  • The SIEM parses each log added to the system.
  • Parsing organizes logs into fields in the format [key: value], such as [host: "Johnd-PC"].

Parsing Methods

  • Regular Expression (Regex)

    • Matches a specified field value with an unanchored regular expression.
  • Delimited

    • Parses fields using constant delimiters.

Field Extraction

  • Field extraction pulls as much data as possible out of a log.
  • Splunk may skip fields such as usernames and IPs in custom logs, so they must be extracted manually.

Field Extraction 2

  • Each field can be renamed according to your preference.

Operators

Operators Overview

  • Splunk supports logical operators.
  • Logical operators include NOT, OR, AND.
  • Operators are written with capital letters.

Logical Operators

  • NOT: Displays the logs when the parameter is not true
  • OR: Displays the logs if one of the parameters is true
  • AND: Displays the logs only if both parameters are true

Boolean Operators

  • The query in the example above searches for access logs or error logs.

The IN Operator

  • Specifies a field and a list of values; a log matches if the field equals any value in the list

Nested Operators

  • In the scenario shown above, if one condition is true, the log will be displayed.

Advanced Queries

Advanced Syntax

  • Pipe & Search

    • Pipe forms a chain of commands.
    • Search is used with Pipe to filter the output.
  • AS & BY

    • AS renames a column.
    • BY groups by field.
  • Splunk queries are written in the Search Processing Language (SPL), which is similar to SQL.

Common Stat Functions

  • stats count(X)
    • Returns the number of events in which field X has a value
  • stats dc(X)
    • Returns the number of distinct values of X
  • stats count by X
    • Returns the number of events for each value of field X
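The two parsing methods (regex and delimited) and the three stats functions above, carried out in plain Python over constructed sample events. This is an added example, not Splunk's own code and not part of the original notes; the log lines, field names and the `|` delimiter are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (not real logs): one format per parsing method.
AUTH_LOG = """\
Mar 10 09:01:02 web01 sshd[2211]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar 10 09:01:05 web01 sshd[2211]: Failed password for alice from 198.51.100.7 port 51023 ssh2
Mar 10 09:02:17 web02 sshd[3104]: Accepted password for bob from 203.0.113.9 port 40011 ssh2
Mar 10 09:03:44 web01 sshd[2290]: Failed password for root from 198.51.100.7 port 51030 ssh2
"""
# Delimited format: host|user|action (hypothetical custom application log).
APP_LOG = """\
web01|alice|login
web02|bob|login
web01|carol|logout
"""

# Regex method: an unanchored pattern pulls named fields out of free text.
AUTH_RE = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src_ip>[\d.]+)"
)

def parse_regex(text):
    """Return one {field: value} dict per line that matches AUTH_RE."""
    return [m.groupdict() for m in map(AUTH_RE.search, text.splitlines()) if m]

def parse_delimited(text, delimiter="|", fields=("host", "user", "action")):
    """Split each line on a constant delimiter and label the pieces in order."""
    return [dict(zip(fields, line.split(delimiter))) for line in text.splitlines() if line]

# Plain-Python equivalents of the SPL stats functions on the slide.
def count(events, field):          # stats count(X): events where X has a value
    return sum(1 for e in events if e.get(field))

def dc(events, field):             # stats dc(X): number of distinct values of X
    return len({e[field] for e in events if field in e})

def count_by(events, field):       # stats count by X: events per value of X
    return dict(Counter(e[field] for e in events if field in e))

if __name__ == "__main__":
    auth = parse_regex(AUTH_LOG)
    print(count_by(auth, "user"))  # {'alice': 2, 'bob': 1, 'root': 1}
    print(dc(auth, "src_ip"))      # 2
```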

Stats Visualization

  • Use Visualization to view a statistical graph.
  • There are many types of graphs, including column-based, pie, and bubble charts.