Builds Splunk SPL correlation searches for detection rules identifying threats like brute force attacks, anomalous traffic, lateral movement, and data exfiltration in SOC environments.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
Splunk 搜索处理语言(SPL,Search Processing Language)是 Splunk Enterprise Security 中用于构建关联搜索的主要查询语言,用于检测可疑事件和模式。精心设计的检测规则可聚合、关联和富化安全事件,为 SOC 分析师生成可操作的重要事件。企业级 SIEM 平均仅覆盖 MITRE ATT&CK 技术的 21%,这使得熟练编写 SPL 规则对于填补检测空白至关重要。
Builds Splunk SPL correlation searches for SOC threat detection using threshold, sequence, and anomaly patterns to identify brute force, compromises, and spikes.
Builds Splunk SPL correlation searches for SOC threat detection using threshold, sequence, and anomaly patterns like brute force and baseline spikes.
Investigates security incidents using Splunk Enterprise Security and SPL for log correlation, timeline reconstruction, and anomaly detection in Windows event logs, firewalls, proxies, and authentication data.
Share bugs, ideas, or general feedback.
Splunk 搜索处理语言(SPL,Search Processing Language)是 Splunk Enterprise Security 中用于构建关联搜索的主要查询语言,用于检测可疑事件和模式。精心设计的检测规则可聚合、关联和富化安全事件,为 SOC 分析师生成可操作的重要事件。企业级 SIEM 平均仅覆盖 MITRE ATT&CK 技术的 21%,这使得熟练编写 SPL 规则对于填补检测空白至关重要。
检测在时间窗口内超过定义计数的事件。
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
| where failed_logins > 10 AND unique_users > 3
| eval severity="high"
| eval description="Brute force attack detected from ".src_ip." with ".failed_logins." failed logins across ".unique_users." accounts"
关联事件序列以指示成功的暴力破解攻击。
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
| eval login_status=case(EventCode=4625, "failure", EventCode=4624, "success")
| stats count(eval(login_status="failure")) as failures count(eval(login_status="success")) as successes latest(_time) as last_event by src_ip, TargetUserName
| where failures > 5 AND successes > 0
| eval description="Account ".TargetUserName." compromised via brute force from ".src_ip
| eval urgency="critical"
将当前活动与基线周期进行比较以检测异常峰值。
index=proxy sourcetype=squid
| bin _time span=1h
| stats count as current_count by src_ip, _time
| join src_ip type=left [
search index=proxy sourcetype=squid earliest=-7d@d latest=-1d@d
| stats avg(count) as avg_count stdev(count) as stdev_count by src_ip
]
| eval threshold=avg_count + (3 * stdev_count)
| where current_count > threshold
| eval deviation=round((current_count - avg_count) / stdev_count, 2)
| eval description="Anomalous web traffic from ".src_ip." - ".deviation." standard deviations above baseline"
使用 Windows 登录事件识别潜在横向移动。
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3
| where NOT match(TargetUserName, ".*\$$")
| stats dc(dest) as unique_hosts values(dest) as hosts by src_ip, TargetUserName
| where unique_hosts > 5
| eval severity=case(unique_hosts > 20, "critical", unique_hosts > 10, "high", true(), "medium")
| eval description=TargetUserName." accessed ".unique_hosts." unique hosts from ".src_ip." via network logon"
监控大规模出站数据传输。
index=firewall sourcetype=pan:traffic action=allowed direction=outbound
| stats sum(bytes_out) as total_bytes_out dc(dest_ip) as unique_destinations by src_ip, user
| eval total_mb=round(total_bytes_out/1048576, 2)
| where total_mb > 500 OR unique_destinations > 50
| lookup asset_lookup ip as src_ip OUTPUT asset_category, asset_owner
| eval severity=case(total_mb > 2000, "critical", total_mb > 1000, "high", true(), "medium")
| eval description=user." transferred ".total_mb."MB to ".unique_destinations." unique destinations"
检测编码或混淆的 PowerShell 命令。
index=wineventlog sourcetype=WinEventLog:Security EventCode=4104
| where match(ScriptBlockText, "(?i)(encodedcommand|invoke-expression|iex|downloadstring|frombase64string|net\.webclient|invoke-webrequest|bitstransfer|invoke-mimikatz|invoke-shellcode)")
| eval decoded_length=len(ScriptBlockText)
| stats count values(ScriptBlockText) as commands by Computer, UserName
| where count > 0
| eval severity="high"
| eval mitre_technique="T1059.001"
| eval description="Suspicious PowerShell execution on ".Computer." by ".UserName
stats、eventstats 或 streamstats 进行汇总where 子句设置区分正常与异常的条件| tstats summariesonly=true count from datamodel=Authentication
where Authentication.action=failure
by Authentication.src, Authentication.user, _time span=5m
| rename "Authentication.*" as *
| stats count as total_failures dc(user) as unique_users values(user) as targeted_users by src
| where total_failures > 20 AND unique_users > 5
| lookup dnslookup clientip as src OUTPUT clienthost as src_dns
| lookup asset_lookup ip as src OUTPUT priority as asset_priority, category as asset_category
| eval urgency=case(asset_priority=="critical", "critical", asset_priority=="high", "high", true(), "medium")
| eval rule_name="Brute Force Against Multiple Accounts"
| eval rule_description="Multiple authentication failures from ".src." targeting ".unique_users." unique accounts"
| eval mitre_attack="T1110.001 - Password Guessing"
| lookup identity_lookup identity as user OUTPUT department, manager, risk_score as user_risk
| lookup asset_lookup ip as src_ip OUTPUT asset_name, asset_category, asset_priority, asset_owner
| lookup threatintel_lookup ip as src_ip OUTPUT threat_type, threat_confidence, threat_source
| eval context=case(
isnotnull(threat_type), "Known threat: ".threat_type,
user_risk > 80, "High-risk user: risk score ".user_risk,
asset_priority=="critical", "Critical asset: ".asset_name,
true(), "Standard context"
)
| tstats summariesonly=true count from datamodel=Network_Traffic
where All_Traffic.action=allowed
by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, _time span=1h
| rename "All_Traffic.*" as *
index=wineventlog source="WinEventLog:Security" EventCode=4688
earliest=-15m latest=now()
| where NOT match(New_Process_Name, "(?i)(svchost|csrss|lsass|services)")
| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src, _time span=1h
| collect index=summary source="auth_failure_baseline" marker="report_name=auth_failure_hourly"
| makeresults count=1
| eval src_ip="10.0.0.50", failed_logins=25, unique_users=8, severity="high"
| eval description="Test brute force detection"
| append [
search index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
earliest=-24h latest=now()
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
| where failed_logins > 10 AND unique_users > 3
| eval severity="high"
]
index=notable
| search rule_name="Brute Force*"
| stats count as total_alerts count(eval(status_label="Closed - True Positive")) as true_positives count(eval(status_label="Closed - False Positive")) as false_positives by rule_name
| eval precision=round(true_positives / (true_positives + false_positives) * 100, 2)
| eval fpr=round(false_positives / total_alerts * 100, 2)
| 技术 ID | 技术名称 | SPL 检测方法 |
|---|---|---|
| T1110.001 | 密码猜测(Password Guessing) | 按 src_ip 对 EventCode 4625 设置阈值 |
| T1059.001 | PowerShell | 对 EventCode 4104 ScriptBlockText 进行模式匹配 |
| T1021.002 | SMB/Windows 管理共享 | Logon Type 3 搭配 dc(dest) 阈值 |
| T1048 | 通过 C2 信道数据外泄 | 在时间窗口内聚合 bytes_out |
| T1053.005 | 计划任务 | EventCode 4698 搭配可疑命令模式 |
| T1003.001 | LSASS 内存 | 通过 Sysmon EventCode 10 检测对 lsass.exe 的进程访问 |