03 Dec 2025
Splunk Did you SIEM?

Most of the room up to this point was about narrowing things down: identifying the attacker and the intrusion vector. The focus now shifts to seeing what actually happened. All of the following items assume the attacker's IP address is already known. They start with the web server log events and then move on to the firewall logs.
To search for the initial probing of exposed config files: sourcetype=web_traffic client_ip="<ip-attack>" AND path IN ("/.env","/*phpinfo*", "/.git*") | table _time, path, user_agent, status
To search for common path traversal and open redirect attempts: sourcetype=web_traffic client_ip="<ip-attack>" AND (path="*..*" OR path="*redirect*") | table _time, path, user_agent, status (the parentheses matter: AND binds tighter than OR in SPL, so without them the search reads as (client_ip AND path="*..*") OR path="*redirect*" and returns redirect hits from every client, not just the attacker)
To find the automated attack tool and its payload: sourcetype=web_traffic client_ip="<ip-attack>" AND user_agent IN ("*sqlmap*", "*Havij*") | table _time, path, user_agent, status
To search for attempts to download large, sensitive files: sourcetype=web_traffic client_ip="<ip-attack>" AND path IN ("*backup.zip*", "*logs.tar.gz*") | table _time, path, user_agent
If you know extortion is going on, search for locker binaries and RCE attempts (command execution through a web shell) with a search like: sourcetype=web_traffic client_ip="<ip-attack>" AND path IN ("*bunnylock.bin*", "*shell.php?cmd=*") | table _time, path, user_agent, status
Use the firewall logs to check traffic from the compromised server back to the attacker, using the server's IP address as the source. Sample query: sourcetype=firewall_logs src_ip="<ip-srv>" AND dest_ip="<ip-attack>" AND action="ALLOWED" | table _time, action, protocol, src_ip, dest_ip, dest_port, reason
To sum the bytes transferred (a large total over an allowed outbound connection is the exfiltration you are looking for): sourcetype=firewall_logs src_ip="<ip-srv>" AND dest_ip="<ip-attack>" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip
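The searches above are easy to get subtly wrong (wildcard matching, the AND/OR precedence trap, which rows the stats sum actually counts), so here is the same detection logic run offline over a handful of constructed web and firewall events. This is an added example, not part of the room or of the notes above; the event records, IP addresses (TEST-NET ranges and a private address) and field names are assumptions chosen to mirror the web_traffic and firewall_logs fields used in the searches, and wildcard matching is treated as case-insensitive.

```python
import re
from collections import Counter

# Assumed addresses for the example (not real hosts).
ATTACKER_IP = "203.0.113.50"   # the known attacker IP, i.e. <ip-attack>
SERVER_IP = "10.0.0.10"        # the compromised web server, i.e. <ip-srv>

# Constructed sample events standing in for the web_traffic sourcetype.
WEB_EVENTS = [
    {"_time": "2025-12-03T09:00:01", "client_ip": ATTACKER_IP, "path": "/.env", "user_agent": "curl/8.0", "status": 403},
    {"_time": "2025-12-03T09:00:05", "client_ip": ATTACKER_IP, "path": "/.git/config", "user_agent": "curl/8.0", "status": 200},
    {"_time": "2025-12-03T09:01:10", "client_ip": ATTACKER_IP, "path": "/download?file=../../etc/passwd", "user_agent": "curl/8.0", "status": 200},
    {"_time": "2025-12-03T09:02:00", "client_ip": "198.51.100.7", "path": "/login?redirect=https://evil.example", "user_agent": "Mozilla/5.0", "status": 302},
    {"_time": "2025-12-03T09:05:00", "client_ip": ATTACKER_IP, "path": "/products.php?id=1' AND 1=1", "user_agent": "sqlmap/1.7", "status": 500},
    {"_time": "2025-12-03T09:10:00", "client_ip": ATTACKER_IP, "path": "/backup.zip", "user_agent": "curl/8.0", "status": 200},
    {"_time": "2025-12-03T09:12:00", "client_ip": ATTACKER_IP, "path": "/uploads/shell.php?cmd=id", "user_agent": "curl/8.0", "status": 200},
    {"_time": "2025-12-03T09:15:00", "client_ip": ATTACKER_IP, "path": "/index.html", "user_agent": "Mozilla/5.0", "status": 200},
]

# Constructed sample events standing in for the firewall_logs sourcetype.
FIREWALL_EVENTS = [
    {"_time": "2025-12-03T09:13:00", "src_ip": SERVER_IP, "dest_ip": ATTACKER_IP, "action": "ALLOWED", "protocol": "TCP", "dest_port": 4444, "bytes_transferred": 1200, "reason": "outbound-policy"},
    {"_time": "2025-12-03T09:14:00", "src_ip": SERVER_IP, "dest_ip": ATTACKER_IP, "action": "ALLOWED", "protocol": "TCP", "dest_port": 443, "bytes_transferred": 52_000_000, "reason": "outbound-policy"},
    {"_time": "2025-12-03T09:14:30", "src_ip": SERVER_IP, "dest_ip": ATTACKER_IP, "action": "BLOCKED", "protocol": "TCP", "dest_port": 22, "bytes_transferred": 900, "reason": "deny-ssh"},
    {"_time": "2025-12-03T09:16:00", "src_ip": SERVER_IP, "dest_ip": "192.0.2.1", "action": "ALLOWED", "protocol": "UDP", "dest_port": 53, "bytes_transferred": 300, "reason": "dns"},
]


def wildcard_to_regex(pattern):
    """Turn an SPL-style wildcard ('*' = any run of characters) into an anchored regex."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches_any(value, patterns):
    """Equivalent of field IN ("p1", "p2", ...) with wildcards; plain strings match exactly."""
    return any(wildcard_to_regex(p).search(value) for p in patterns)


def from_attacker(events, ip):
    return [e for e in events if e["client_ip"] == ip]


def probing_for_config_files(events, ip):
    return [e for e in from_attacker(events, ip) if matches_any(e["path"], ["/.env", "/*phpinfo*", "/.git*"])]


def traversal_or_redirect(events, ip, parenthesised=True):
    """With parenthesised=True the OR stays inside the client_ip filter, as in the corrected
    search. parenthesised=False reproduces SPL's default precedence and leaks other clients in."""
    if parenthesised:
        return [e for e in from_attacker(events, ip) if matches_any(e["path"], ["*..*", "*redirect*"])]
    return [e for e in events
            if (e["client_ip"] == ip and matches_any(e["path"], ["*..*"]))
            or matches_any(e["path"], ["*redirect*"])]


def attack_tools(events, ip):
    return [e for e in from_attacker(events, ip) if matches_any(e["user_agent"], ["*sqlmap*", "*Havij*"])]


def sensitive_downloads(events, ip):
    return [e for e in from_attacker(events, ip) if matches_any(e["path"], ["*backup.zip*", "*logs.tar.gz*"])]


def locker_or_rce(events, ip):
    return [e for e in from_attacker(events, ip) if matches_any(e["path"], ["*bunnylock.bin*", "*shell.php?cmd=*"])]


def allowed_outbound_bytes(events, src_ip, dest_ip):
    """Equivalent of ... action="ALLOWED" | stats sum(bytes_transferred) by src_ip."""
    totals = Counter()
    for e in events:
        if e["src_ip"] == src_ip and e["dest_ip"] == dest_ip and e["action"] == "ALLOWED":
            totals[e["src_ip"]] += e["bytes_transferred"]
    return dict(totals)


if __name__ == "__main__":
    for name, fn in [("config probing", probing_for_config_files), ("traversal/redirect", traversal_or_redirect),
                     ("attack tool", attack_tools), ("sensitive download", sensitive_downloads),
                     ("locker/RCE", locker_or_rce)]:
        for e in fn(WEB_EVENTS, ATTACKER_IP):
            print(f"{e['_time']}  {name:<20} {e['status']}  {e['path']}")
    print("unparenthesised OR returns", len(traversal_or_redirect(WEB_EVENTS, ATTACKER_IP, parenthesised=False)), "events")
    print("bytes to attacker:", allowed_outbound_bytes(FIREWALL_EVENTS, SERVER_IP, ATTACKER_IP))
```

Running it prints a timeline of the attacker's requests in the order the room walks through them (config probing, traversal, sqlmap, backup download, web shell), shows that the unparenthesised OR pulls in the redirect request from an unrelated client, and sums only the ALLOWED flows from the server to the attacker, leaving out the blocked SSH attempt and the unrelated DNS traffic.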
Incident Handling with Splunk room