WEEK_2 · DAY_11 · LAB
Lab 11 — Hunt with Advanced SPL
Power tools that turn an analyst into a hunter
Lab Objectives
- Use eval for case logic, math, type conversion
- Extract with rex regex
- Enrich with lookup
- Accelerate with tstats on data models
Lab Instructions
1. Open Splunk → Search.
2. Run the pre-loaded beaconing detection query.
3. Identify the 3 src→dest pairs with lowest jitter.
4. Pivot: which user is on the source host? (use a lookup).
5. Recommend a containment playbook.
SPL for this Lab
Risk score pipeline
index=notable | eval risk = case(urgency=="critical",100,urgency=="high",50,urgency=="medium",25,1=1,10) | stats sum(risk) as total by user, src | where total > 100
// Per-entity rolling risk — foundation of RBA.
Beaconing detection
index=network sourcetype=zeek:conn | sort 0 _time | streamstats current=f last(_time) as prev_time by src_ip, dest_ip | eval delta = _time - prev_time | stats count avg(delta) as avg_int stdev(delta) as jitter by src_ip, dest_ip | where count > 20 AND jitter < 5
// Periodic outbound = textbook C2.
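Added example, not part of the lab's own SPL: the beaconing pipeline above re-implemented in Python over a constructed set of Zeek conn events, so the statistics behind streamstats/stats can be checked by hand. It also carries lab steps 3 and 4 through: ranking pairs by jitter and pivoting each source host to a user via a constructed host-to-user table that stands in for an asset/identity lookup. The IPs, timestamps, user names and the HOST_OWNER table are all made up for the example; the thresholds (count > 20, jitter < 5) are the lab's.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn-log events (ts, id.orig_h, id.resp_h) mapped to the field
# names the lab's SPL uses. Synthetic data, not captured traffic.
BASE_TS = 1_700_000_000


def make_events():
    events = []
    # Pair A: 25 connections ~60 s apart with +/-1 s wobble -> beacon-like.
    for i in range(25):
        wobble = (i % 3) - 1
        events.append({"_time": BASE_TS + 60 * i + wobble,
                       "src_ip": "10.0.0.5", "dest_ip": "203.0.113.9"})
    # Pair B: 30 connections at irregular, human-like intervals -> high jitter.
    t = BASE_TS
    for i in range(30):
        t += (5, 120, 33, 400, 8, 250)[i % 6]
        events.append({"_time": t, "src_ip": "10.0.0.7", "dest_ip": "198.51.100.4"})
    # Pair C: perfectly periodic but only 5 connections -> below the count floor.
    for i in range(5):
        events.append({"_time": BASE_TS + 300 * i,
                       "src_ip": "10.0.0.9", "dest_ip": "203.0.113.9"})
    # Splunk hands events to streamstats newest-first; mimic that ordering so the
    # per-pair sort below is visibly necessary for a positive delta.
    events.sort(key=lambda e: e["_time"], reverse=True)
    return events


def beacon_stats(events):
    """Mirror of sort | streamstats | eval | stats: per (src, dest) pair, order by
    time, take inter-arrival deltas, then count, mean interval and sample stdev."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src_ip"], e["dest_ip"])].append(e["_time"])
    out = {}
    for pair, times in by_pair.items():
        times.sort()  # oldest-first so delta = _time - prev_time is positive
        deltas = [b - a for a, b in zip(times, times[1:])]
        if len(deltas) < 2:
            continue  # stdev needs at least two deltas
        out[pair] = {
            "count": len(times),                   # stats count (all events)
            "avg_int": statistics.mean(deltas),    # avg(delta)
            "jitter": statistics.stdev(deltas),    # stdev(delta): sample stdev, like SPL
        }
    return out


def beacon_candidates(events, min_count=20, max_jitter=5.0):
    """Apply the lab's thresholds: count > 20 AND jitter < 5."""
    return {p: s for p, s in beacon_stats(events).items()
            if s["count"] > min_count and s["jitter"] < max_jitter}


def lowest_jitter(stats, n=3):
    """Lab step 3: the n pairs with the lowest jitter, most regular first."""
    return sorted(stats, key=lambda p: stats[p]["jitter"])[:n]


# Constructed host -> user table standing in for an asset/identity lookup.
HOST_OWNER = {"10.0.0.5": "jdoe", "10.0.0.7": "asmith"}


def pivot_to_user(pairs, lookup=HOST_OWNER):
    """Lab step 4: enrich each source host with its user; None when the lookup has no row,
    which is what an unmatched lookup leaves behind in SPL."""
    return {src: lookup.get(src) for src, _dest in pairs}


if __name__ == "__main__":
    evs = make_events()
    hits = beacon_candidates(evs)
    for pair in lowest_jitter(hits):
        s = hits[pair]
        print(f"{pair[0]} -> {pair[1]}: count={s['count']} "
              f"avg_int={s['avg_int']:.1f}s jitter={s['jitter']:.2f}s")
    print(pivot_to_user(hits))
```

Only pair A survives both thresholds: pair C is more regular (jitter 0) but has too few connections, and pair B has plenty of connections but a stdev far above 5 s. Note the ordering step: without sorting oldest-first, avg_int comes out negative in the SPL version too, because streamstats sees the newer event first.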
tstats on Authentication DM
| tstats summariesonly=t count from datamodel=Authentication where Authentication.action=failure earliest=-1h by Authentication.src, Authentication.user | where count > 20
// Brute force at scale.