Cheat Sheets
Splunk Data On-boarding: A quick reference for important settings when on-boarding a new sourcetype.
Syslog: Hints and quick tips for setting up rsyslogd or syslog-ng.
Splunk AppDev: Reference for settings and commands for Splunk App development.
Securing Splunk: Some of the key settings and guidelines for hardening your Splunk deployment.
Cheat sheets for Splunk administration, data on-boarding, App development, search head clustering, and syslog configurations.

Extract JSON data from a JSON array. The following will try to find ten matches for strings contained in curly brackets. Next it will be expanded to a multi-value field so we can use spath on each extracted field.

Splunk Cheat Sheet
SPL Syntax: Basic Searching Concepts. Simple searches look like the following examples. Note that there are literals with and without quoting, and that there are data field as well as data source selections done with an “=”.

The Splunk Machine Learning Toolkit App delivers new SPL commands, custom visualizations, assistants, and examples to explore a variety of ML concepts. Each assistant includes end-to-end examples with datasets, plus the ability to apply the visualizations and SPL commands to your own data.
I’m the Splunk Marine, meaning I’m both a Splunker and a Marine. After five months of working at Splunk, I realized some of my core Unix and Linux skills were getting a little rusty. In a former life, I was a Linux Systems Engineer for a government agency, so it’s important to me to keep those skills sharp. One of the most important skill sets for a Unix/Linux Systems Engineer, in my opinion, is the ability to utilize a console-based text editor. My editor of choice is VI, although many prefer EMACS. Many of these console-based text editors are quite complicated. One of the things I do both to remember all the commands for VI and to stay sharp in that specific skill set is to set my desktop background to a VI cheat sheet. This is especially important, as Splunk configuration files are all editable text files. With some well-developed VI skills, it becomes quite easy to configure or reconfigure your Splunk installs, especially those such as the Universal Forwarder, which does not have a Splunk Web UI.
So here is the cheat sheet I use. It’s not an all-inclusive cheat sheet, but it covers about 90% of the commands that are available to you in VI. One other interesting fact is that VI is the only text editor, by default, that is built into all Unix/Linux operating systems. I hope this tidbit of information is helpful to you. Please check back soon for more Tips and Tricks from this old Jarhead.
Semper Fi!
For your convenience:
- Links to the above cheat sheet:
- Link to EMACS cheat sheet:
- Link to Splunk quick reference for RegEx:
----------------------------------------------------
Thanks!
Mark White
When investigating compromised systems, incident responders and investigators often find that the logging they need was never enabled or configured. To help get system logging properly enabled and configured, below are some cheat sheets to help you do logging well, so the data we all need is there when we look.
Cheat Sheets to help you in configuring your systems:
- The Windows Logging Cheat Sheet (Updated Feb 2019)
- The Windows Advanced Logging Cheat Sheet (Updated Feb 2019)
- The Windows HUMIO Logging Cheat Sheet (Released June 2018)
- The Windows Splunk Logging Cheat Sheet (Updated Sept 2019)
- The Windows File Auditing Logging Cheat Sheet (Updated Nov 2017)
- The Windows Registry Auditing Logging Cheat Sheet (Updated Aug 2019)
- The Windows PowerShell Logging Cheat Sheet (Updated Sept 2018)
- The Windows Sysmon Logging Cheat Sheet (Updated Jan 2020)
MITRE ATT&CK Cheat Sheets
- The Windows ATT&CK Logging Cheat Sheet (Released Sept 2018)
- The Windows LOG-MD ATT&CK Cheat Sheet (Released Sept 2018)
The MITRE ATT&CK Logging Cheat Sheets are available in Excel spreadsheet form on the following Github:
----------------------------------------------------
Update Log:
- SysmonLCS: Jan 2020 ver 1.1
  - Fixed GB to Kb on log size
- WSplunkLCS: Sept 2019 ver 2.22
  - Minor code tweaks, conversion
- WSysmonLCS: Aug 2019 ver 1.0
  - Initial release
- WRACS: Aug 2019 ver 2.5
  - Added a few more items
- WSLCS: Feb 2019 ver 2.21
  - Fixed shifted box, cleanup only
- WLCS: Feb 2018 ver 2.3
  - Added a couple of items from Advanced
  - Adjusted a couple of settings
  - General clean up
  - Referenced the Windows Advanced Logging Cheat Sheet
- WALCS: Feb 2019 ver 1.2
  - Updated and added several items
- WHLCS: June 2018 ver 1.0
  - Initial release
- WFACS: Oct 2016 ver 1.2
  - Added a few new locations
- WRACS: Oct 2016 ver 1.2
  - Added many autorun keys
  - Sorted the keys better
- WSLCS: Mar 2018 ver 2.1.1
  - Fixed shifted box, cleanup only
- WLCS: Jan 2016 ver 2.0
  - Added Event code 4720 - New user account created
  - Changed references to File and Registry auditing to point to the new File and Registry auditing Cheat Sheets
  - Expanded info on Command Line Logging
- WRACS: Jan 2016 ver 1.1
  - Sorted HKLM keys
  - Added keys to monitor PowerShell and Command Line log settings
  - Updated HKCU and USERs.DEFAULT info
  - Added info about HKCU auditing not being settable through Security Templates
  - Added PowerShell script to set HKCU Registry Auditing