12/24/2023

Splunk eval math

For this hunt, I am hypothesizing that abnormally long process strings are of interest to us. With that in mind, let's dive straight into an example where eval is incredibly useful.

For this initial search, I will leverage Microsoft Sysmon data because of its ability to provide insight into processes executing on our systems. As always, it's important to focus the hunt on data sets that are relevant. My initial search of Sysmon, isolated on process, time and host, would look something like this:

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*

Basically, I am searching the Sysmon data and using the table command to put it into easy-to-read columns.

With the initial search in place, I can start using eval. My hypothesis states that long command line strings are of concern due to their ability to harbor badness within them. I want to establish which, if any, hosts have long process strings executing and, if they do, I want to know when they executed. To determine the length of a string, I will use eval to define a new field that I will call cl_length and then I will call a function. My function will be len(CommandLine), where len is short for the length of the field in parentheses, in this case the field CommandLine. The output of that function will reside within our new field.

Notice that an additional column has been added on the far right that shows my newly created calculated field, cl_length.

If I want to continue to evolve this search, I can apply statistical methods to the data. As discussed in our earlier blog on the stats command, I can calculate average, standard deviation, maximum, minimum and more on a numeric value while grouping by other field values like host.

Another way eval can be used for hunting is by calculating the time elapsed between different events and applying functions to date/time values. The sort and where commands can also be used to filter out data below your defined threshold and bring the longest (or shortest) strings to the top.
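The hunt described above, carried through stage by stage as an added Python example that is not from the original post: each function mirrors one SPL stage (eval len, stats by host, where/sort, and the elapsed-time calculation) over constructed Sysmon-style events. The sample events, host names, the 100-character threshold and the function names are assumptions made for this illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process events (sample data, not real telemetry); ISO strings stand in for _time.
SAMPLE_EVENTS = [
    {"_time": "2023-12-24T10:00:00", "host": "ws01", "CommandLine": "notepad.exe"},
    {"_time": "2023-12-24T10:00:05", "host": "ws01", "CommandLine": "svchost.exe -k " + "x" * 150},
    {"_time": "2023-12-24T10:01:00", "host": "ws02", "CommandLine": "cmd.exe /c whoami"},
    {"_time": "2023-12-24T10:02:30", "host": "ws02", "CommandLine": "calc.exe"},
]

def eval_cl_length(events):
    """| eval cl_length=len(CommandLine)  -- add the calculated field to every event."""
    return [dict(e, cl_length=len(e["CommandLine"])) for e in events]

def stats_by_host(events):
    """| stats avg(cl_length) stdev(cl_length) max(cl_length) min(cl_length) by host"""
    lengths = defaultdict(list)
    for e in events:
        lengths[e["host"]].append(e["cl_length"])
    return {
        host: {
            "avg": statistics.mean(v),
            "stdev": statistics.stdev(v) if len(v) > 1 else 0.0,  # Splunk's stdev is the sample stdev
            "max": max(v),
            "min": min(v),
        }
        for host, v in lengths.items()
    }

def where_and_sort(events, threshold):
    """| where cl_length > threshold | sort - cl_length  -- longest strings first."""
    hits = [e for e in events if e["cl_length"] > threshold]
    return sorted(hits, key=lambda e: e["cl_length"], reverse=True)

def elapsed_since_previous(events):
    """Seconds since the same host's previous event: the date/time arithmetic eval allows."""
    last_seen, out = {}, []
    for e in sorted(events, key=lambda e: e["_time"]):
        t = datetime.fromisoformat(e["_time"])
        prev = last_seen.get(e["host"])
        out.append(dict(e, elapsed=(t - prev).total_seconds() if prev else None))
        last_seen[e["host"]] = t
    return out

if __name__ == "__main__":
    for e in where_and_sort(eval_cl_length(SAMPLE_EVENTS), threshold=100):
        print(e["_time"], e["host"], e["cl_length"])  # prints the 165-character svchost.exe line
```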