splunk search pro tips...approved for public release; distribution unlimited. 15-2752. © 2015 the...
TRANSCRIPT
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. 15-2752.
Dan Aiello Principal Cyber Security Engineer, MITRE
Dan Aiello, Principal Cyber Security Engineer
Splunk Search Pro Tips
Splunk .conf2015
| 2 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Agenda
§ My background
§ Comments § Search by index § In the year 2000 § Red Card § Watch Lists § Search Job Inspector § More fun with subsearches § Carrier signal § Imaginary events
§ Summary
2
| 3 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
My Splunk background
§ 4 years Splunk experience § SOC is primary user base
§ 6 indexers § 350 GB data/day § 90 indexes § 170 sourcetypes
© 2015 The MITRE Corporation. All rights reserved.
| 4 |
/ / N o c o m m e n t
comments
| 5 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Comment your Splunk search
sourcetype=access_combined_wcookie | eval COMMENT="This is my comment" or sourcetype=access_combined_wcookie | rename COMMENT -‐> "This is my comment" * There’s nothing special about the word “COMMENT”, use whatever you like
| 6 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
rename vs. eval for comments?
§ In practice, it does not seem to matter § In a few odd circumstances, I have seen rename be faster than eval
| 7 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Why would you need comments?
© 2015 The MITRE Corporation. All rights reserved.
| 8 |
Search by index
| 9 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Searching by index and sourcetype
Specifying an index in your search speeds it up
This difference is less pronounced in Fast Mode
© 2015 The MITRE Corporation. All rights reserved.
| 10 |
I n t h e y e a r 3 0 0 0
In the year 2000
| 11 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Get with the times
§ Timestamps are extremely important for Splunk data § Detected at index time, set forever § Cannot be fixed if they’re wrong
§ Common errors: – Incorrect time zone interpretation – Host clock incorrect
| 12 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Past, present, future
If this search ever returns events, you have timestamp problems1: index=* earliest=+30m latest=+9y This requires some tweaking, depending on your expected delay: index=* | eval delta=_indextime-‐_time | where delta>300 1 Or a flux capacitor2
2 Or a TARDIS
© 2015 The MITRE Corporation. All rights reserved.
| 13 |
y o u r a p p r o x i m a t e w a i t t i m e i s…
red card
| 14 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Calculate average delay proxy logs
index=main | eval delta = _indextime -‐ _time | timechart span=1h avg(delta) Problem: that’s a lot of events
| 15 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
| 16 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Calculate average delay proxy logs
Solution: */5 * * * * wget http://testdomain.zzz index=main testdomain.zzz | eval delta = _indextime -‐ _time | timechart span=1h avg(delta) Search terms Duration
index=main 453 s index=main testdomain.zzz 6 s
© 2015 The MITRE Corporation. All rights reserved.
| 17 |
b e t t e r t h a n g r e p - f
watchlists
| 18 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Watchlist examples
§ Known “evil” IP addresses § Known “evil” domain names § List of your DMZ web servers § Known allowed IP/port combinations in your DMZ
| 19 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Example IP watchlist
| 20 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Conventional way to use watchlists
This is essentially grep -F
| 21 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Let’s try a subsearch
| 22 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
What’s the difference? Both return the same events
| 23 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
What’s the difference? 71% less time
| 24 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Saving time on a search can be important for large
or frequent searches
Small watchlists and large datasets make
this difference greater
| 25 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Just the subsearch
How does it work?
| 26 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Subsearches implicitly end with
| format Add it explicitly to
see what’s happening
| 27 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
sourcetype=access_combined_wcookie [ | inputlookup ip_watchlist.csv | search type=malicious | fields clientip ] …after the subsearch is evaluated becomes this: sourcetype=access_combined_wcookie ( ( clientip="131.178.233.243" ) OR ( clientip="212.58.253.71" ) OR … ) i.e., the results of the subsearch are appended
| 28 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
The Search Job Inspector shows us this.
| 29 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Why is sourcetype=access_combined_wcookie ( ( clientip="131.178.233.243" ) OR ( clientip="212.58.253.71" ) OR … ) Better than sourcetype=access_combined_wcookie | lookup ip_watchlist.csv clientip | search type=malicious
© 2015 The MITRE Corporation. All rights reserved.
| 30 |
…e x p l a i n s i t a l l
Search Job Inspector
| 31 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
This icon means there’s some debugging message
you should examine
Inspect Job is always here
| 32 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
| 33 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Debugging message
Profiling information
| 34 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
The slowest parts of a Splunk search are usually field extraction
and reading events from disk.
| 35 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Approximate order of operations for searches
1. Search index for keywords 2. Read matching events from disk 3. Extract fields (as necessary) 4. Match keywords to fields (as necessary) 5. Filter (e.g. additional “where” or “search” pipes) 6. Send data to search head
| 36 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
What are keywords?
| 37 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
A stitch in time saves nine
lookup subsearch 2 21 Check index for keywords
39,000 2,700 Read matching events from disk 39,000 2,700 Extract fields (i.e. regex) 39,000 2,700 Match keywords to fields 39,000 2,700 Filter
* This is illustrative and approximate, not precise
Pare your data early to save time late
| 38 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
sourcetype=access_ combined_wcookie
( ( clientip="131.178.233.243" ) OR ( clientip="212.58.253.71" ) OR … )
lookup method reads and regexes all this data
subsearch method reads only this data
| 39 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Compare “lookup” and “subsearch” methods
© 2015 The MITRE Corporation. All rights reserved.
| 40 |
More fun with subsearches
| 41 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Field name mismatch with subsearch
For lookup and subsearch, sometimes fields need to be renamed
lookup method | lookup watchlist.csv foo AS bar
subsearch method
[ | inputlookup watchlist.csv | rename foo AS bar ]
| 42 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
If you rename a field to “query”, you can search
anywhere in the event rather than a single field
| 43 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Large subsearches
43
If your watchlist is >10000 lines, the subsearch method
chokes
| 44 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Large subsearches
44
Add “|format” explicitly to fix it! Warning is
gone
We have events
© 2015 The MITRE Corporation. All rights reserved.
| 45 |
carrier signal
| 46 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
What’s the problem with watchlists?
When they don’t alert, is it because: § the watchlist is broken? § there’s nothing to alert on?
| 47 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Label your test domain as type=test in the watchlist
And adjust your subsearch accordingly
Add test cases to your watchlist
| 48 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Label your test domain as type=test in the watchlist
And adjust your subsearch accordingly
Add test cases to your watchlist
What’s so great about that? We could have just used google.com for that test
| 49 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
With your wget, you know precisely how many to
expect and you can alert only when it’s erroneous
© 2015 The MITRE Corporation. All rights reserved.
| 50 |
w e l a n d e d o n t h e m o o n
imaginary events
| 51 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Creating data on the fly
| 52 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
How is this helpful?
You can add to a watchlist inline
| 53 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Creating data on the fly with timestamps
53
This will also provide a current
timestamp
© 2015 The MITRE Corporation. All rights reserved.
| 54 |
Are we there yet?
| 55 |
© 2015 The MITRE Corporation. All rights reserved. © 2015 The MITRE Corporation. All rights reserved.
Overall lessons
§ Read Splunk Search Manual § Try multiple methods § Use the Job Inspector § Understand what Splunk is doing “under the hood”
© 2015 The MITRE Corporation. All rights reserved.
| 56 |
Thank you!