10/11/2023 Splunk eval max

This is part eleven of the "Hunting with Splunk: The Basics" series. John Stoner has wanted to bring the power of eval to light for awhile. The eval command is one of the most important commands at a Splunker's disposal, so I hope everyone learns some hunting goodness!

I hope you're all enjoying this series on Hunting with Splunk as much as we enjoy bringing it to you. Today's post will touch on another foundational capability within Splunk: the eval command. If I had to pick a couple of Splunk commands that I would want to be stuck on a desert island with, the eval command is up there right next to stats and sort. Eval allows you to take search results and perform all sorts of, well, evaluations of the data: from conditional functions (like if, case and match) to mathematical functions (round, square root) to date/time functions to cryptographic functions (MD5, SHA1, SHA256, SHA512) and so much more. To do justice to the power of eval would take many pages, so today I am going to keep it to four examples:

- Calculating the time between two events
- Converting fields to all upper or lower case

As discussed throughout this blog series, the building and testing of hypotheses is so important when hunting. With that in mind, let's dive straight into an example where eval is incredibly useful. For this hunt, I am hypothesizing that abnormally long process strings are of interest to us. With that in mind, let's start hunting.

For this initial search, I will leverage Microsoft Sysmon data because of its ability to provide insight into processes executing on our systems. As always, it's important to focus the hunt on data sets that are relevant. My initial search of Sysmon, isolated on process, time and host, would look something like this:

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*

Basically, I am searching the Sysmon data and using the table command to put it into easy to read columns. With the initial search in place, I can start using eval. My hypothesis states that long command line strings are of concern due to their ability to harbor badness within them. I want to establish which, if any, hosts have long process strings executing and, if they do, I want to know when they executed. To determine the length of a string, I will use eval to define a new field that I will call cl_length and then call a function. My function will be len(CommandLine), where len is short for length of the field in parentheses, in this case the field CommandLine. The output of that function will reside within our new field.
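As an added example (not code from the post), here is the same hunt written in Python over a few constructed Sysmon-style events so the pipeline can be run offline: the search's index, sourcetype and CommandLine=* filters, the eval cl_length=len(CommandLine) step, and a table of _time, host, CommandLine and cl_length. The descending sort on cl_length and the min_length threshold are assumptions added beyond what the post shows.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"   # Windows event XML namespace
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

def _event(time, host, sourcetype, command_line=None):
    """Constructed, abbreviated Sysmon Event ID 1 record in the shape Splunk stores events."""
    data = "" if command_line is None else f"<Data Name='CommandLine'>{command_line}</Data>"
    raw = (f"<Event xmlns='{NS[1:-1]}'><System><EventID>1</EventID></System>"
           f"<EventData>{data}</EventData></Event>")
    return {"index": "main", "sourcetype": sourcetype, "_time": time, "host": host, "_raw": raw}

# Constructed sample data: a short command line, an abnormally long one (the 240 'A's stand
# in for a long encoded argument), an event with no CommandLine, and a non-Sysmon event.
SAMPLE_EVENTS = [
    _event("2023-10-11T09:01:00Z", "wks01", SYSMON, "notepad.exe C:\\Users\\a\\notes.txt"),
    _event("2023-10-11T09:02:30Z", "srv02", SYSMON, "powershell.exe -NoProfile -EncodedCommand " + "A" * 240),
    _event("2023-10-11T09:03:00Z", "wks03", SYSMON, None),
    _event("2023-10-11T09:04:00Z", "wks01", "WinEventLog:Security", "cmd.exe /c whoami"),
]

def command_line(event):
    """Pull the CommandLine EventData field out of the raw XML; None when the event lacks it."""
    node = ET.fromstring(event["_raw"]).find(f"./{NS}EventData/{NS}Data[@Name='CommandLine']")
    return None if node is None else node.text

def hunt_long_command_lines(events, min_length=0):
    """index=main sourcetype=<Sysmon> CommandLine=* | eval cl_length=len(CommandLine)
    | table _time host CommandLine cl_length, plus a descending sort on cl_length and an
    optional minimum length, which are additions to the search in the post."""
    rows = []
    for ev in events:
        if ev["index"] != "main" or ev["sourcetype"] != SYSMON:
            continue                      # the index= and sourcetype= terms of the search
        cl = command_line(ev)
        if cl is None:
            continue                      # CommandLine=* keeps only events that have the field
        rows.append({"_time": ev["_time"], "host": ev["host"],
                     "CommandLine": cl, "cl_length": len(cl)})   # eval cl_length=len(CommandLine)
    return sorted((r for r in rows if r["cl_length"] >= min_length),
                  key=lambda r: r["cl_length"], reverse=True)

if __name__ == "__main__":
    for row in hunt_long_command_lines(SAMPLE_EVENTS, min_length=100):
        print(row["_time"], row["host"], row["cl_length"], row["CommandLine"][:50])
```

Pick the threshold from your own environment's distribution of cl_length (for example by first looking at the longest values per host) rather than a fixed number.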