Splunk Indicator Hunting

Queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, IP addresses, and hostnames related to the indicators.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • commentsToContext
  • IsIPInRanges
  • SetAndHandleEmpty
  • IsInternalHostName
  • Set

Commands

  • splunk-search

Playbook Inputs


NameDescriptionDefault ValueRequired
MD5The MD5 hash or an array of hashes for which to search.-Optional
SplunkMD5FieldThe name of the fields, in Splunk, in which to find the MD5 hash. You can enter multiple field names using a comma-separated format. If no field is specified, the search uses quick filter.-Optional
SHA1The SHA1 hash or an array of hashes on which to search.-Optional
SplunkSHA1FieldThe name of the fields, in Splunk, in which to find the SHA1 field. You can enter multiple field names using a comma-separated format. If no field is specified, the search uses quick filter.-Optional
SHA256The SHA256 hash or an array of hashes on which to search.-Optional
SplunkSHA256FieldThe name of the fields, in Splunk, in which to find the SHA256. You can enter multiple field names using a comma-separated format. If no field is specified, the search uses quick filter.-Optional
IPAddressThe source or destination IP address on which to search. Can be a single address or an array of addresses.-Optional
SplunkIPFieldThe name of the fields, in Splunk, in which to find the IP addresses. You can enter multiple field names using a comma-separated format. For example, sourceip,destinationip.-Optional
URLDomainThe domain or URL can be single or an array of domain/urls to search. By default the LIKE clause is used.-Optional
SplunkURLDomainFieldThe name of the fields, in Splunk, in which to find the URL/Domain. If no field is specified, the search uses quick filter. Only one field can be used in this parameter.-Optional
earliest_timeThe earliest time to search. For example, -7d, -24h. More examples can be found here. For more examples click here. It is recommended to set a limit for the time frame.-1dOptional
latest_timeThe latest time to search. For example, -6d, -23h. For more examples see here. For even more examples click here It is recommended to set a limit for the time frame.-Optional
event_limitLimits the number of events returned by query. This argument is not mandatory for the command, but is mandatory for the playbook.100Required
IPFieldsToReturnThe value of the IP address fields to return from Splunk when the specified indicator is found. These values are used as inputs in the setting, IP addresses section. For example, src,src_ip,dst,dst_ip.-Optional
UserFieldsToReturnThe value of the username fields to return from Splunk when the specified indicator is found. These values are used as inputs in the setting, user names section. For example, username,src_username,dst_username.-Optional
HostFieldsToReturnThe value of the hostname fields to return from Splunk when the specified indicator is found. These values are used as inputs in the setting, host names section. For example, hostname,src_hostname, dst_hostname.-Optional
InternalIPRangeA list of internal IP address ranges to check IP addresses against. The list should be provided in CIDR format, separated by commas. An example of a list of ranges could be: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If a list of IP address ranges is not provided, the list provided in the IsIPInRanges script. The known IPv4 private address ranges is used by default.-Optional
IndexNameA single Splunk index to use in the search.*Required
SelectFieldsUse this field to include additional enrichment data for the Splunk query. If you have defined one or more investigation fields, the SelectField should not include those fields. If there are no other investigation fields defined, the SelectField must contain some value. Enter a comma-separated list of field names as they appear in Splunk. * is a valid value, but not recommended since it creates large output.source,timestampRequired
InternalDomainNameThe organizations internal domain name. This is provided for the script IsInternalHostName that checks if the detected host names are internal or external if the hosts contain the internal domains suffix. For example, demisto.com. If there is more than one domain, use the "" character to separate values such as (demisto.com|test.com)Optional
InternalHostRegexThis is provided for the script IsInternalHostName that checks if the detected host names are internal or external. if the hosts match the organizations naming convention. For example the host testpc1 will have the following regex w{6}d{1}.-Optional

Playbook Outputs


PathDescriptionType
Splunk.DetectedUsersThe users detected based on the username field in your search.string
Splunk.DetectedInternalIPsTHe internal IP addresses detected by your search.string
Splunk.DetectedExternalIPsThe external IP addresses detected by your search.string
Splunk.DetectedInternalHostsThe internal host names detected based on the fields in your search.string
Splunk.DetectedExternalHostsThe external host names detected based on the fields in your search.string

Playbook Image


Splunk_Indicator_Hunting