Splunk allows users to search for data by leveraging Search Processing Language (SPL). If you are not familiar with SPL, please refer to the Splunk SPL documentation.
Once the Bitsight add-on starts logging data to your Splunk instance, you can leverage SPL to query for the data. Below are a couple of examples to help you get started.
Example #1: Query for all data logged by Bitsight.
To query for all data logged by Bitsight, you can simply type in “index= sourcetype=bitsight” into the search bar. This query will return all observations logged by the Bitsight add-on.
Example #2: Correlating Bitsight data with data enrichment tools.
To investigate an IP address with NSlookup or VirusTotal, use the following correlation searches (replace XXX.XXX.XXX.XXX with the IP address of interest):
NSlookup correlation query: index= sourcetype="bitsight" | head 1 | spath "observations.data{}" output=Results | stats count by Results | eval _raw=Results | spath forensics.host_ip output=HostIP | stats count by HostIP | where HostIP="XXX.XXX.XXX.XXX" | nslookup host_field=HostIP
VirusTotal correlation query: index= sourcetype="bitsight" | head 1 | spath "observations.data{}" output=Results | stats count by Results | eval _raw=Results | spath forensics.host_ip output=HostIP | stats count by HostIP | where HostIP="XXX.XXX.XXX.XXX" | virustotal ip=HostIP
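A broader form of the same correlation, added here as an example and not taken from the Bitsight add-on documentation: it drops the `head 1` so every Bitsight event in the search window is scanned, unpacks each element of the observation array with `mvexpand`, and summarises first/last sighting per host before the enrichment step. It assumes the same `observations.data{}` / `forensics.host_ip` field layout and the third-party `nslookup` command used by the searches above; the index name and the IP address are placeholders.

```spl
index= sourcetype="bitsight" earliest=-7d
| spath path="observations.data{}" output=Results
| mvexpand Results
| spath input=Results path=forensics.host_ip output=HostIP
| where isnotnull(HostIP)
| stats count AS Observations, earliest(_time) AS FirstSeen, latest(_time) AS LastSeen BY HostIP
| convert ctime(FirstSeen) ctime(LastSeen)
| search HostIP="XXX.XXX.XXX.XXX"
| nslookup host_field=HostIP
```

Remove the `search HostIP=...` line to enrich every host observed in the window instead of a single address; swap the final command for `virustotal ip=HostIP` to use the VirusTotal enrichment instead.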
July 10, 2020: Published.