Count events by Source IP

index=* | stats count by src_ip | sort - count

Find rare failed logins

index=auth action=failure | rare dest_user

Extract IP using Regex

index=* | rex field=_raw "(?<extracted_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})"

Correlate parent and child processes

index=windows sourcetype=WinEventLog:Security EventCode=4688 | transaction parent_process_id child_process_id

Identify brute force attempts (time window)

index=auth action=failure | bucket _time span=5m | stats count by src_ip, _time | where count > 10

Identify anomalous daily spikes using streamstats

index=web | timechart count | streamstats avg(count) as average stdev(count) as standard_deviation | eval spike=if(count > average+(2*standard_deviation), 1, 0)

View internal Splunk errors

index=_internal log_level=ERROR OR log_level=FATAL | stats count by component, host

List indexes and sourcetypes

| metasearch index=* sourcetype=* | stats values(sourcetype) as sourcetype count by index

Check daily license usage

index=_internal source=*license_usage.log | timechart span=1d sum(b) as bytes | eval GB = round(bytes/1024/1024/1024, 2)

Search across all indexes fast (metadata)

| tstats count where index=* by index, sourcetype

Capture local packets on port 443

tcpdump -i any port 443 -nn -s0 -w /tmp/capture.pcap

Capture packets avoiding SSH noise

tcpdump -i eth0 'not port 22' -nn

Find process listening on a port

lsof -i :8080

List all active TCP connections

netstat -ntp | grep ESTABLISHED

Search history for a specific command

history | grep 'ssh'

Extract specific columns from log using awk

cat /var/log/syslog | awk '{print $1, $2, $3, $5}'

Monitor systemd logs in real-time

journalctl -u sshd -f

Find recently modified files (last 24h)

find /etc -type f -mtime -1

Check real-time resource utilization

top -o %MEM

View disk space usage by mounted partitions

df -h

Find the top 10 largest sub-directories in /var

du -ah /var | sort -rh | head -n 10

Identify files larger than 1GB across the system

find / -type f -size +1G -exec ls -lh {} +

Check inode usage (if disk fails but df shows space)

df -i

Clear systemd journal logs older than 3 days

journalctl --vacuum-time=3d

Search by specific IP (Lucene Syntax)

IPAddress:"192.168.1.10" OR Object:"192.168.1.10"

Find authentication failures across all logs

Classification:"Authentication Failure"

Hunt for outbound traffic to specific country

Direction:"Outbound" AND DestinationCountry:"Russia"

Search for specific malware hash

Hash:"0ea04c99bf188c2e4207f60f92ca7c6f5088c7943ee63f45c50032bbd2bf7ea9"

Look for administrative group additions

MPE_Rule_Name:"Group Membership Modified" AND Subject:"Administrator"

Look for specific process execution

#event_simpleName=ProcessRollup2 FileName="cmd.exe"

Group execution by command line arguments

#event_simpleName=ProcessRollup2 | groupBy([CommandLine], function=count())

Identify suspicious PowerShell encodings

#event_simpleName=ProcessRollup2 FileName="powershell.exe" | CommandLine=/enc|encodedCommand/i

Find DNS requests to a specific domain

#event_simpleName=DnsRequest DomainName="*malicious.com"

Search for lateral movement via WMI

#event_simpleName=ProcessRollup2 ParentBaseFileName=WmiPrvSE.exe

Identify suspicious PowerShell usage

ProcessName = 'powershell.exe' AND EndpointOS = 'windows'

Hunt for outbound connections by process

EventType = 'TCPv4' AND DstPort = '4444' AND Direction = 'Outbound'

Find cross-process injection events

EventType = 'Process Injection' OR EventType = 'Cross Process Open'

Locate files created in temporary directories

EventType = 'File Creation' AND FilePath ContainsAnycase '\\AppData\\Local\\Temp\\'

DNS lookups to rare TLDs

EventType = 'DNS' AND DnsRequest ContainsAnycase '.xyz' OR DnsRequest ContainsAnycase '.top'

Summarize failed sign-ins by user

SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName, IPAddress | sort by count_ desc

Detect base64 encoded PowerShell execution

DeviceProcessEvents | where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "-e ") | where FileName =~ "powershell.exe"

Find malicious emails bypassing filters

EmailEvents | where DeliveryAction == "Delivered" | where ThreatTypes has "Phish"

Identify mass file deletion (Ransomware behavior)

DeviceFileEvents | where ActionType == "FileDeleted" | summarize DeletedCount = count() by DeviceId, InitiatingProcessFileName, bin(TimeGenerated, 5m) | where DeletedCount > 50

Look for newly created admin accounts

AuditLogs | where OperationName == "Add member to role" | where TargetResources[0].displayName contains "Admin"

List distinct hostnames communicating with IP

dataset = xdr_data | filter action_remote_ip = "10.0.0.1" | dedup agent_hostname

Failed logon attempts tracking

dataset = xdr_data | filter event_type = "LOGON" and action_evtlog_message contains "failed" | fields agent_hostname, action_local_ip, actor_effective_username

Detect scheduled task creation

dataset = xdr_data | filter event_type = "PROCESS" and action_process_image_name = "schtasks.exe" and action_process_image_command_line contains "/create"

Find LolBin usage (Certutil downloading)

dataset = xdr_data | filter action_process_image_name = "certutil.exe" and action_process_image_command_line contains "urlcache"

Parse JSON and count instances

_sourceCategory=aws/cloudtrail | json "userIdentity.userName" as user | count by user

Search for specific error string and extract timestamp

"Exception" OR "Error" | parse "* Exception: *" as timestamp, error_msg

Identify multiple 404 errors by IP

_sourceCategory=apache | parse "* - - [*] \"* * *\" * *" as ip, time, method, uri, protocol, status, bytes | where status="404" | count by ip | where _count > 50

Map status codes to explicit categories

| if(status matches "5*", "Server Error", if(status matches "4*", "Client Error", "Success")) as ErrorCategory

Search by risk score threshold

risk_score:>90

Find specific event types assigned to a user

user:"admin_user" AND event_type:"login-failed"

Search for abnormal lateral movement

rule_name:"Abnormal Asset Access" OR rule_name:"First Time Asset Access"

Track data exfiltration patterns

event_type:"dlp-alert" AND volume:>1000000

UDM Search for specific target IP

target.ip = "8.8.8.8"

Search for multiple related IOCs using UDM

(target.ip = "10.0.0.1" OR principal.ip = "10.0.0.1") AND target.url = "*malicious*"

Simple YARA-L rule skeleton for blocking

rule Suspicious_Login { 
  meta: 
    author = "Analyst" 
  events: 
    $e.metadata.event_type = "USER_LOGIN" 
    $e.security_result.action = "BLOCK" 
  condition: 
    $e 
}

YARA-L Join Rule (Brute Force to Success)

rule BruteForce_To_Success {
  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.user = $user

    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.user = $user

  match:
    $user over 10m

  condition:
    #fail > 5 and $success
}

Group events by category

SELECT devicetype, INCIDENT_CATEGORY(highlevelcategory) FROM events GROUP BY devicetype

Search payload for malicious string

SELECT * FROM events WHERE UTF8(payload) ILIKE '%malware.exe%'

Find top source IPs generating denies

SELECT sourceip, COUNT(*) FROM events WHERE action = 'Deny' GROUP BY sourceip ORDER BY COUNT(*) DESC LIMIT 10

Identify long-running network flows

SELECT sourceip, destinationip, application, flowduration FROM flows WHERE flowduration > 3600000

Isolate brute force by time interval

SELECT username, sourceip, COUNT(*) FROM events WHERE category=14013 GROUP BY username, sourceip HAVING COUNT(*) > 5 LAST 5 MINUTES