___
# Tags
#homelab #zeek #splunk-queries

# Helpful Docs
- https://www.ericooi.com/zeekurity-zen-part-iv-threat-hunting-with-zeek/

# Notes

### Zeek

The index names (`zeek-nsm`, `so-zeek`), the `bro:*:json` sourcetypes and the macros (`src_ip_is_not_wan`, `src_ip_is_local`, `dest_ip_is_not_local`) are specific to this deployment; swap in whatever your Zeek data is indexed under. Where a search contains runs of triple backticks, those are Splunk inline SPL comments, so the block is wrapped in a four-backtick fence.

##### Packetloss Avg Over Time

`percent_lost` comes from Zeek's capture_loss.log. A sustained non-zero value means the sensor is dropping packets, so every other search here is working from incomplete data. `timechart` gives the over-time view the heading describes rather than a single overall average.

```txt
index IN (zeek-nsm) percent_lost=*
| timechart avg(percent_lost) AS avg_percent_lost
```

##### Top 10 Sources by Bytes Sent

`orig_bytes` is the payload byte count sent by the originator of each connection, so this ranks hosts by how much they pushed out.

```txt
index IN (so-zeek) sourcetype IN (bro:conn:json)
| stats values(service) AS Services sum(orig_bytes) AS Bytes by src_ip
| sort -Bytes
| head 10
| eval Megabytes = round(Bytes/1024/1024,2)
| eval Gigabytes = round(Megabytes/1024,2)
| rename src_ip AS Source
| fields Source, Bytes, Megabytes, Gigabytes, Services
```

##### Connections by Service over Destination Ports Above 1024

```txt
index IN (so-zeek) sourcetype IN (bro:conn:json) dest_port > 1024
| chart count over app by dest_port
```

`chart ... by dest_port` keeps only the ten most common ports as columns and folds the rest into `OTHER`; raise that with `limit=<n>` (`limit=0` for all) or use `| stats count by app, dest_port` when the full breakdown matters.

##### Connections Top 10 Talkers by Src IP

`top` already returns the ten most frequent values with `count` and `percent`, so no separate `head` is needed.

```txt
index IN (so-zeek) sourcetype IN (bro:conn:json) `src_ip_is_not_wan`
| top limit=10 src_ip
```

##### Connections by Src IP by Data Usage

```txt
index IN (so-zeek) sourcetype IN (bro:conn:json) `src_ip_is_not_wan` `src_ip_is_local`
| stats values(app) AS services sum(orig_bytes) AS bytes by src_ip
| sort -bytes
| head 10
| eval megabytes = round(bytes/1024/1024,2)
| eval gigabytes = round(megabytes/1024,2)
| fields src_ip, bytes, megabytes, gigabytes, services
```

##### Expired Certificates

Zeek writes one x509.log entry per certificate it sees, so the same expired certificate shows up once per connection; `dedup` on the serial collapses those. `certificate.not_valid_after` is an epoch timestamp, which `convert` turns into a number before the comparison.

```txt
index IN (so-zeek) sourcetype IN (bro:x509:json)
| convert num(certificate.not_valid_after) AS cert_expire
| eval current_time = now(), cert_expire_readable = strftime(cert_expire,"%Y-%m-%dT%H:%M:%S.%Q"), current_time_readable = strftime(current_time,"%Y-%m-%dT%H:%M:%S.%Q")
| where current_time > cert_expire
| dedup certificate.serial
| table _time, certificate.subject, certificate.issuer, certificate.serial, cert_expire_readable, current_time_readable
```

##### Large DNS Queries

```txt
index IN (so-zeek) sourcetype IN (bro:dns:json) `src_ip_is_not_wan`
| eval query_length = len(query)
| where query_length > 75
| table _time, src_ip, dest_ip, proto, query, query_length, answer
```

##### Large DNS Answer Responses

`answer` is a multivalue field when the response carries several records, and `len()` only measures the first value; joining the values first measures the whole response (on a single-value field `mvjoin` just returns the value).

```txt
index IN (so-zeek) sourcetype IN (bro:dns:json) `src_ip_is_not_wan`
| eval answer_length = len(mvjoin(answer, ","))
| where answer_length > 80
| table _time, src_ip, dest_ip, dest_port, proto, query, answer, answer_length
```

##### DNS Requests for Domains That Don't Exist

- Finds every query answered NXDOMAIN that is not on the whitelist. Zeek's dns.log already holds one entry per query/response transaction, so `dedup query` leaves one row per distinct name rather than one per lookup attempt.

````txt
index IN (so-zeek) sourcetype IN (bro:dns:json) rcode_name=NXDOMAIN
```this is the dns whitelist```
NOT query IN ("*in-addr*", "*_*", "*malware.hash.cymru*", "*synology.com*", "*andersencorp.com", "*api.splkmobile.com*")
`src_ip_is_not_wan`
| dedup query
| table _time, src_ip, dest_ip, proto, query
````

##### Converting to a CSV Lookup

The inline whitelist below is the list that moves into `dns-query-whitelist.csv` for the search under WIP: one wildcard pattern per row under a `dns-whitelist` column. `rare` collapses the results to `query`, `count` and `percent`, so the `fields` list before it only trims what is fed into `rare`.

````txt
```limiting to zeek dns logs```
index IN (so-zeek) sourcetype IN (bro:dns:json)
```whitelist of expected dns activity```
NOT query IN (
  "*hash.cymru.com", "*in-addr.arpa", "_ldap._tcp*", "*andersencorp.com", "*connect.drive.infomaniak*",
  "_https._*", "_http._*", "*accounts.nintendo.com", "analytics.infomaniak.com", "alb.reddit.com",
  "andersenb2c.b2clogin.com", "*fp.measure.office.com", "*veryawesomeprivacy.org",
  "*safeframe.googlesyndication.com", "*clo.footprintdns.com", "*_sub._googlecast._tcp.local"
)
```declaring internal ips only```
`src_ip_is_not_wan` `src_ip_is_local`
```filtering by long dns query strings```
| eval query_length = len(query)
| where query_length > 50
```limiting fields of interest```
| fields src_ip, src_port, dest_ip, dest_port, query, answer, query_length, reply_code
```showing rare dns queries only```
| rare 20 query
```removing extra fields```
| fields - count, percent
````

##### WIP

Same hunt with the whitelist read from the lookup file. `lookup` matches exact values unless the lookup definition sets `match_type = WILDCARD(dns-whitelist)` in transforms.conf, so the patterns are pulled in through an `inputlookup` subsearch instead: `format` turns the rows into `( query="*hash.cymru.com" ) OR ( query="*in-addr.arpa" ) OR ...`, which the outer search negates with the wildcards intact.

````txt
```limiting to zeek dns logs```
index IN (so-zeek) sourcetype IN (bro:dns:json)
```declaring IPs, using macros```
`src_ip_is_not_wan` `src_ip_is_local`
```whitelist of expected dns activity, read from the lookup file as a subsearch```
NOT [| inputlookup dns-query-whitelist.csv | rename "dns-whitelist" AS query | format]
```filtering by long dns query strings```
| eval query_length = len(query)
| where query_length > 50
```limiting fields of interest```
| fields src_ip, src_port, dest_ip, dest_port, query, answer, query_length, reply_code
```showing rare dns queries only```
| rare 20 query
```removing extra fields```
| fields - count, percent
````

##### Outbound Connections by Country

`iplocation` adds `Country`, `lat` and `lon` for `dest_ip` from Splunk's bundled GeoIP database, and `geostats` bins the counts for the map visualization; use `| stats count by Country` instead for a plain table. Restricting to the conn sourcetype keeps this a count of connections rather than of every Zeek log line.

```txt
index IN (so-zeek) sourcetype IN (bro:conn:json) `src_ip_is_local` `dest_ip_is_not_local`
| fields src_ip, src_port, dest_ip, dest_port, service
| iplocation dest_ip
| geostats count by Country
```
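The DNS searches above (long queries, long answers, NXDOMAIN minus a whitelist, and the rare-query hunt) re-implemented offline as an added example, not code from these notes, Zeek or Splunk. It runs the same filters over Zeek dns.log JSON lines so the logic can be tried without a Splunk instance; the records, the stand-in for `dns-query-whitelist.csv` and the `is_local` approximation of the `src_ip_is_local` macro are constructed assumptions.

```python
"""Offline check of the Zeek DNS hunts in these notes.

Added example, not code from the notes, Zeek or Splunk. Field names follow Zeek's
dns.log (id.orig_h, id.resp_h, query, rcode_name, answers); the sample records,
the whitelist CSV and is_local (stand-in for `src_ip_is_local`) are assumptions.
"""
import csv
import io
import ipaddress
import json
from collections import Counter
from fnmatch import fnmatchcase

# Constructed dns.log records, one per query/response. 1.2.3.4 is an external client.
SAMPLE_DNS_LOG = """
{"ts":1700000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","proto":"udp","query":"www.example.com","rcode_name":"NOERROR","answers":["93.184.216.34"]}
{"ts":1700000001.2,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","proto":"udp","query":"34.216.184.93.in-addr.arpa","rcode_name":"NOERROR","answers":["www.example.com"]}
{"ts":1700000002.3,"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.1","proto":"udp","query":"4a6f686e2d446f652d53534e2d3132332d34352d36373839.2d444f422d313938302d30312d3031.exfil.example.net","rcode_name":"NXDOMAIN","answers":[]}
{"ts":1700000003.4,"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.1","proto":"udp","query":"4a6f686e2d446f652d53534e2d3132332d34352d36373839.2d444f422d313938302d30312d3031.exfil.example.net","rcode_name":"NXDOMAIN","answers":[]}
{"ts":1700000004.5,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.1","proto":"udp","query":"typo-domain.example.org","rcode_name":"NXDOMAIN","answers":[]}
{"ts":1700000005.6,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","proto":"udp","query":"cdn.example.com","rcode_name":"NOERROR","answers":["edge-a.cdn-provider.example-cdn.net","edge-b.cdn-provider.example-cdn.net","edge-c.cdn-provider.example-cdn.net","203.0.113.10"]}
{"ts":1700000006.7,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","proto":"udp","query":"_ldap._tcp.corp.example.com","rcode_name":"NXDOMAIN","answers":[]}
{"ts":1700000007.8,"id.orig_h":"1.2.3.4","id.resp_h":"10.0.0.1","proto":"udp","query":"nonexistent.example.org","rcode_name":"NXDOMAIN","answers":[]}
"""

# Constructed stand-in for dns-query-whitelist.csv: one Splunk-style wildcard per row.
SAMPLE_WHITELIST_CSV = """dns-whitelist
*in-addr.arpa
*_*
*hash.cymru.com
"""

def parse_dns_log(text):
    """JSON-lines dns.log text to a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def load_whitelist(csv_text, column="dns-whitelist"):
    """Wildcard patterns from a CSV lookup-style table (empty cells ignored)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in rows if row.get(column, "").strip()]

def is_whitelisted(query, patterns):
    """Splunk's query IN ("*foo*") is case-insensitive with * as the wildcard;
    fnmatchcase on lower-cased strings reproduces that for these patterns."""
    q = query.lower()
    return any(fnmatchcase(q, p.lower()) for p in patterns)

def is_local(ip):
    """Assumed meaning of `src_ip_is_local`: RFC 1918 and other non-routable space."""
    return ipaddress.ip_address(ip).is_private

def long_queries(records, min_len=75):
    """Large DNS Queries: (src, query, length) for internal lookups above min_len."""
    return [(r["id.orig_h"], r["query"], len(r["query"])) for r in records
            if is_local(r["id.orig_h"]) and len(r["query"]) > min_len]

def long_answers(records, min_len=80):
    """Large DNS Answer Responses. `answers` is multivalued, so the values are joined
    before measuring (SPL: len(mvjoin(answer, ","))); len() of the first value alone
    would miss a response made of many short records."""
    out = []
    for r in records:
        joined = ",".join(r.get("answers", []))
        if is_local(r["id.orig_h"]) and len(joined) > min_len:
            out.append((r["id.orig_h"], r["query"], len(joined)))
    return out

def nxdomain_queries(records, patterns):
    """DNS Requests for Domains That Don't Exist: NXDOMAIN to internal clients, minus
    the whitelist, one row per distinct name (the `dedup query` step)."""
    seen, out = set(), []
    for r in records:
        if r.get("rcode_name") != "NXDOMAIN" or not is_local(r["id.orig_h"]):
            continue
        if is_whitelisted(r["query"], patterns) or r["query"] in seen:
            continue
        seen.add(r["query"])
        out.append({"src_ip": r["id.orig_h"], "dest_ip": r["id.resp_h"], "query": r["query"]})
    return out

def rare_long_queries(records, patterns, min_len=50, n=20):
    """The lookup-based hunt: whitelist, internal source, query longer than min_len,
    then the n least frequent names as (query, count), rarest first."""
    counts = Counter(r["query"] for r in records
                     if is_local(r["id.orig_h"])
                     and not is_whitelisted(r["query"], patterns)
                     and len(r["query"]) > min_len)
    return sorted(counts.items(), key=lambda kv: kv[1])[:n]

if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    wl = load_whitelist(SAMPLE_WHITELIST_CSV)
    print("long queries:", long_queries(recs))
    print("long answers:", long_answers(recs))
    print("nxdomain:", nxdomain_queries(recs, wl))
    print("rare long:", rare_long_queries(recs, wl))
```

The hex-labelled name is what a DNS exfiltration tool produces: it is caught by the length filter, shows up as NXDOMAIN, and is the only survivor of the rare-query pipeline. The `cdn.example.com` record is the multivalue case: each answer is well under 80 characters, so measuring only the first value would miss it.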
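The "Expired Certificates" comparison run offline over Zeek x509.log JSON lines, as an added example that is not code from these notes, Zeek or Splunk. It makes the same `not_valid_after` versus current-time check, collapses repeat sightings of one certificate by serial, and reports how long ago each expired; the records and the reference time `NOW_TS` are constructed.

```python
"""Expired-certificate check over Zeek x509.log JSON lines.

Added example, not code from the notes. Field names follow Zeek's x509.log;
the records and NOW_TS are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed x509.log records (JSON lines). The first certificate is seen twice,
# the last one expires exactly at NOW_TS.
SAMPLE_X509_LOG = """
{"ts":1699574300.0,"certificate.serial":"0A1B2C","certificate.subject":"CN=old.example.com","certificate.issuer":"CN=Example CA","certificate.not_valid_after":1630454400.0}
{"ts":1699574310.0,"certificate.serial":"0A1B2C","certificate.subject":"CN=old.example.com","certificate.issuer":"CN=Example CA","certificate.not_valid_after":1630454400.0}
{"ts":1699574320.0,"certificate.serial":"0D0E0F","certificate.subject":"CN=fresh.example.com","certificate.issuer":"CN=Example CA","certificate.not_valid_after":1800000000.0}
{"ts":1699574330.0,"certificate.serial":"112233","certificate.subject":"CN=justexpired.example.com","certificate.issuer":"CN=Example CA","certificate.not_valid_after":1699570800.0}
{"ts":1699574340.0,"certificate.serial":"445566","certificate.subject":"CN=edge.example.com","certificate.issuer":"CN=Example CA","certificate.not_valid_after":1699574400.0}
"""

# Constructed "now": 2023-11-10T00:00:00Z, 800 days after the old certificate expired.
NOW_TS = 1699574400.0

def iso_utc(ts):
    """Epoch seconds to an ISO 8601 UTC string (what strftime does in the SPL)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def expired_certificates(log_text, now_ts):
    """One entry per expired certificate serial, earliest expiry first.

    A certificate whose not_valid_after equals now_ts is not reported, matching
    the strict `current_time > cert_expire` in the SPL.
    """
    by_serial = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        expires = float(rec["certificate.not_valid_after"])
        if not now_ts > expires:
            continue
        serial = rec["certificate.serial"]
        if serial in by_serial:  # same certificate seen on another connection
            by_serial[serial]["times_seen"] += 1
            continue
        by_serial[serial] = {
            "serial": serial,
            "subject": rec["certificate.subject"],
            "issuer": rec["certificate.issuer"],
            "expired": iso_utc(expires),
            "days_expired": round((now_ts - expires) / 86400, 2),
            "times_seen": 1,
        }
    return sorted(by_serial.values(), key=lambda c: c["expired"])

if __name__ == "__main__":
    for cert in expired_certificates(SAMPLE_X509_LOG, NOW_TS):
        print(cert)
```

`times_seen` is the number the Splunk version loses when `dedup` collapses the rows; keeping it tells you whether an expired certificate is a one-off or something a host talks to constantly.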