index=botsv3
Searches all events in the botsv3 index. This is the most basic SPL search.
index=botsv3 error
Searches for events containing the keyword error.
index=botsv3 sourcetype=stream:http
Searches only HTTP stream events.
index=botsv3 sourcetype=stream:http method=POST
Finds HTTP events where the method is POST.
index=botsv3 sourcetype=stream:http (method=POST OR method=GET)
Finds HTTP events using either POST or GET.
index=botsv3 sourcetype=stream:http NOT status=200
Finds HTTP events where the status code is not 200.
index=botsv3 sourcetype=stream:http status!=200
Excludes a field value. Useful for finding errors or abnormal responses.
index=botsv3 sourcetype=stream:http uri_path="*.php"
Finds HTTP requests to PHP files.
index=botsv3 earliest=-24h latest=now
Searches only the last 24 hours.
index=botsv3 | head 20
Shows the first 20 events returned by the search.
index=botsv3 | tail 20
Shows the last 20 events returned by the search.
index=botsv3 sourcetype=stream:http | table _time src_ip dest_ip http_method uri status
Displays selected fields in a clean table.
index=botsv3 sourcetype=stream:http | fields _time src_ip dest_ip uri status
Keeps only selected fields
index=botsv3 | fields - _raw
Removes a field from the results. Useful when you do not want to display large raw events.
index=botsv3 sourcetype=stream:http | rename src_ip AS Source_IP dest_ip AS Destination_IP uri AS URL | table _time Source_IP Destination_IP URL
Renames fields to make output easier to read.
index=botsv3 sourcetype=stream:http | sort - _time | table _time src_ip dest_ip uri status
Sorts results by newest events first.
index=botsv3 sourcetype=stream:http | dedup src_ip | table src_ip dest_ip uri
Removes duplicate values and shows one event per unique source IP.
index=botsv3 sourcetype=stream:http | sort _time | reverse | table _time src_ip dest_ip uri
Reverses the event order. Useful after sorting.
index=botsv3 | stats count
Counts the total number of events.
index=botsv3 sourcetype=stream:http | stats count by src_ip
Counts events by source IP. Useful for finding noisy hosts.
index=botsv3 sourcetype=stream:http | top src_ip
Shows the most common source IPs.
index=botsv3 sourcetype=stream:http | rare uri
Shows the least common URI values. Useful for finding unusual requests.
index=botsv3 sourcetype=stream:http | stats dc(uri) AS unique_uris by src_ip
Counts distinct URI values per source IP. Useful for spotting scanning or crawling behavior.
index=botsv3 sourcetype=stream:http | stats values(uri) AS requested_uris by src_ip
Lists all URI values seen per source IP.
index=botsv3 sourcetype=stream:http | stats list(uri) AS uri_list by src_ip
Lists URI values in event order. Unlike values()
index=botsv3 sourcetype=stream:http | stats earliest(_time) AS first_seen by src_ip
Finds the first time each source IP was seen.
index=botsv3 sourcetype=stream:http | stats latest(_time) AS last_seen by src_ip
Finds the most recent time each source IP was seen.
index=botsv3 sourcetype=stream:http bytes=* | stats min(bytes) AS smallest_response by src_ip
Finds the smallest byte count per source IP.
index=botsv3 sourcetype=stream:http bytes=* | stats max(bytes) AS largest_response by src_ip
Finds the largest byte count per source IP.
index=botsv3 sourcetype=stream:http bytes=* | stats avg(bytes) AS avg_bytes by src_ip
Calculates average bytes per source IP.
index=botsv3 sourcetype=stream:http bytes=* | stats sum(bytes) AS total_bytes by src_ip
Calculates total bytes transferred per source IP.
index=botsv3 sourcetype=stream:http | eval suspicious_status=if(status>=400, "yes", "no")
index=botsv3 sourcetype=stream:http | eval result=if(status=200, "success", "failure")
index=botsv3 sourcetype=stream:http | eval status_category=case(status>=200 AND status<300, "success")
index=botsv3 sourcetype=stream:http | where status>=400 | table _time src_ip uri status
Filters results using an expression.
index=botsv3 sourcetype=stream:http | where like(uri, "%admin%") | table _time src_ip uri status
index=botsv3 sourcetype=stream:http | where match(uri, "(?i)(cmd|powershell|wget|curl)") | table _time src_ip uri
index=botsv3 sourcetype=stream:http | search status=404 | table _time src_ip uri status
Filters results after an initial search.
index=botsv3 sourcetype=stream:http | timechart span=5m count
Creates a time-based count of events.
index=botsv3 sourcetype=stream:http | timechart span=5m count by src_ip limit=10
Shows activity over time by the top source IPs.
index=botsv3 sourcetype=stream:http | chart count over src_ip by status
Creates a matrix of status codes by source IP.
index=botsv3 src_ip=* | iplocation src_ip | table _time src_ip Country City Region
Adds geographic location information for public IPs.
index=botsv3 src_ip=* | iplocation src_ip | geostats count by Country
Creates geographic statistics. Useful for visualizing source countries.
index=botsv3 src_ip=* | lookup local=true threatintel ip AS src_ip OUTPUT threat AS threat_name | table _time src_ip threat_name
Enriches events with data from a lookup table. The lookup file must already exist.
| inputlookup threatintel.csv
Reads a lookup file directly. Useful for checking threat intel lists or asset inventories.
index=botsv3 sourcetype=stream:http | stats count by src_ip | outputlookup observed_src_ips.csv
Saves search results into a lookup file. Useful for building watchlists.
index=botsv3 src_ip=* | where cidrmatch("10.0.0.0/8", src_ip) | table _time src_ip sourcetype
index=botsv3 | eval suspicious=if(match(_raw, "(?i)(powershell|cmd.exe|mimikatz|encodedcommand)"), "yes", "no")
index=botsv3 sourcetype=stream:http | eval admin_request=if(like(uri, "%admin%"), "yes", "no")
index=botsv3 sourcetype=stream:http | where in(status, "401")