killvxk/building-detection-rule-with-splunk-spl
skills/building-detection-rule-with-splunk-spl/SKILL.md
使用 Splunk 搜索处理语言(SPL)关联搜索构建有效的检测规则,在 SOC 环境中识别安全威胁。
$ install --global
skillsauthnpx skillsauth add killvxk/cybersecurity-skills-zh building-detection-rule-with-splunk-splInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 4:27 AM26.6s7 files scanned
SKILL.md
- name:
- building-detection-rule-with-splunk-spl
- description:
- 使用 Splunk 搜索处理语言(SPL)关联搜索构建有效的检测规则,在 SOC 环境中识别安全威胁。
- domain:
- cybersecurity
- subdomain:
- soc-operations
- tags:
- [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
使用 Splunk SPL 构建检测规则
概述
Splunk 搜索处理语言(SPL,Search Processing Language)是 Splunk Enterprise Security 中用于构建关联搜索的主要查询语言,用于检测可疑事件和模式。精心设计的检测规则可聚合、关联和富化安全事件,为 SOC 分析师生成可操作的重要事件。企业级 SIEM 平均仅覆盖 MITRE ATT&CK 技术的 21%,这使得熟练编写 SPL 规则对于填补检测空白至关重要。
前置条件
- 已部署并配置 Splunk Enterprise Security(ES)
- 具有适当角色的 Splunk 搜索与报告应用访问权限
- 了解通用信息模型(CIM,Common Information Model)数据模型
- 熟悉 MITRE ATT&CK 框架技术
- 了解组织的日志来源和数据流
核心 SPL 检测规则模式
1. 基于阈值的检测
检测在时间窗口内超过定义计数的事件。
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
| where failed_logins > 10 AND unique_users > 3
| eval severity="high"
| eval description="Brute force attack detected from ".src_ip." with ".failed_logins." failed logins across ".unique_users." accounts"
2. 基于序列的检测(失败登录后成功)
关联事件序列以指示成功的暴力破解攻击。
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
| eval login_status=case(EventCode=4625, "failure", EventCode=4624, "success")
| stats count(eval(login_status="failure")) as failures count(eval(login_status="success")) as successes latest(_time) as last_event by src_ip, TargetUserName
| where failures > 5 AND successes > 0
| eval description="Account ".TargetUserName." compromised via brute force from ".src_ip
| eval urgency="critical"
3. 与基线比较的异常检测
将当前活动与基线周期进行比较以检测异常峰值。
index=proxy sourcetype=squid
| bin _time span=1h
| stats count as current_count by src_ip, _time
| join src_ip type=left [
search index=proxy sourcetype=squid earliest=-7d@d latest=-1d@d
| stats avg(count) as avg_count stdev(count) as stdev_count by src_ip
]
| eval threshold=avg_count + (3 * stdev_count)
| where current_count > threshold
| eval deviation=round((current_count - avg_count) / stdev_count, 2)
| eval description="Anomalous web traffic from ".src_ip." - ".deviation." standard deviations above baseline"
4. 横向移动检测
使用 Windows 登录事件识别潜在横向移动。
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3
| where NOT match(TargetUserName, ".*\$$")
| stats dc(dest) as unique_hosts values(dest) as hosts by src_ip, TargetUserName
| where unique_hosts > 5
| eval severity=case(unique_hosts > 20, "critical", unique_hosts > 10, "high", true(), "medium")
| eval description=TargetUserName." accessed ".unique_hosts." unique hosts from ".src_ip." via network logon"
5. 数据外泄检测
监控大规模出站数据传输。
index=firewall sourcetype=pan:traffic action=allowed direction=outbound
| stats sum(bytes_out) as total_bytes_out dc(dest_ip) as unique_destinations by src_ip, user
| eval total_mb=round(total_bytes_out/1048576, 2)
| where total_mb > 500 OR unique_destinations > 50
| lookup asset_lookup ip as src_ip OUTPUT asset_category, asset_owner
| eval severity=case(total_mb > 2000, "critical", total_mb > 1000, "high", true(), "medium")
| eval description=user." transferred ".total_mb."MB to ".unique_destinations." unique destinations"
6. PowerShell 可疑执行检测
检测编码或混淆的 PowerShell 命令。
index=wineventlog sourcetype=WinEventLog:Security EventCode=4104
| where match(ScriptBlockText, "(?i)(encodedcommand|invoke-expression|iex|downloadstring|frombase64string|net\.webclient|invoke-webrequest|bitstransfer|invoke-mimikatz|invoke-shellcode)")
| eval decoded_length=len(ScriptBlockText)
| stats count values(ScriptBlockText) as commands by Computer, UserName
| where count > 0
| eval severity="high"
| eval mitre_technique="T1059.001"
| eval description="Suspicious PowerShell execution on ".Computer." by ".UserName
在 Splunk ES 中构建关联搜索
逐步流程
- 定义用例:映射到 MITRE ATT&CK 技术,定义要检测的行为
- 识别数据源:确定哪些索引和 sourcetype 包含相关事件
- 编写基础搜索:构建提取相关事件的 SPL
- 添加聚合:使用
stats、eventstats或streamstats进行汇总 - 应用阈值:用
where子句设置区分正常与异常的条件 - 富化上下文:添加资产信息、身份数据和威胁情报的查找表
- 配置重要事件:设置严重性、紧急程度和描述字段
- 调度与测试:针对历史数据运行并验证检测准确性
关联搜索配置模板
| tstats summariesonly=true count from datamodel=Authentication
where Authentication.action=failure
by Authentication.src, Authentication.user, _time span=5m
| rename "Authentication.*" as *
| stats count as total_failures dc(user) as unique_users values(user) as targeted_users by src
| where total_failures > 20 AND unique_users > 5
| lookup dnslookup clientip as src OUTPUT clienthost as src_dns
| lookup asset_lookup ip as src OUTPUT priority as asset_priority, category as asset_category
| eval urgency=case(asset_priority=="critical", "critical", asset_priority=="high", "high", true(), "medium")
| eval rule_name="Brute Force Against Multiple Accounts"
| eval rule_description="Multiple authentication failures from ".src." targeting ".unique_users." unique accounts"
| eval mitre_attack="T1110.001 - Password Guessing"
富化最佳实践
| lookup identity_lookup identity as user OUTPUT department, manager, risk_score as user_risk
| lookup asset_lookup ip as src_ip OUTPUT asset_name, asset_category, asset_priority, asset_owner
| lookup threatintel_lookup ip as src_ip OUTPUT threat_type, threat_confidence, threat_source
| eval context=case(
isnotnull(threat_type), "Known threat: ".threat_type,
user_risk > 80, "High-risk user: risk score ".user_risk,
asset_priority=="critical", "Critical asset: ".asset_name,
true(), "Standard context"
)
性能优化
使用 tstats 搭配数据模型
| tstats summariesonly=true count from datamodel=Network_Traffic
where All_Traffic.action=allowed
by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, _time span=1h
| rename "All_Traffic.*" as *
限制时间范围并使用索引字段
index=wineventlog source="WinEventLog:Security" EventCode=4688
earliest=-15m latest=now()
| where NOT match(New_Process_Name, "(?i)(svchost|csrss|lsass|services)")
使用摘要索引建立历史基线
| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src, _time span=1h
| collect index=summary source="auth_failure_baseline" marker="report_name=auth_failure_hourly"
测试与验证
针对已知攻击模式测试
| makeresults count=1
| eval src_ip="10.0.0.50", failed_logins=25, unique_users=8, severity="high"
| eval description="Test brute force detection"
| append [
search index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
earliest=-24h latest=now()
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
| where failed_logins > 10 AND unique_users > 3
| eval severity="high"
]
计算检测指标
index=notable
| search rule_name="Brute Force*"
| stats count as total_alerts count(eval(status_label="Closed - True Positive")) as true_positives count(eval(status_label="Closed - False Positive")) as false_positives by rule_name
| eval precision=round(true_positives / (true_positives + false_positives) * 100, 2)
| eval fpr=round(false_positives / total_alerts * 100, 2)
MITRE ATT&CK 映射
| 技术 ID | 技术名称 | SPL 检测方法 | |---|---|---| | T1110.001 | 密码猜测(Password Guessing) | 按 src_ip 对 EventCode 4625 设置阈值 | | T1059.001 | PowerShell | 对 EventCode 4104 ScriptBlockText 进行模式匹配 | | T1021.002 | SMB/Windows 管理共享 | Logon Type 3 搭配 dc(dest) 阈值 | | T1048 | 通过 C2 信道数据外泄 | 在时间窗口内聚合 bytes_out | | T1053.005 | 计划任务 | EventCode 4698 搭配可疑命令模式 | | T1003.001 | LSASS 内存 | 通过 Sysmon EventCode 10 检测对 lsass.exe 的进程访问 |
参考资料
- Splunk ES 关联搜索最佳实践
- 编写实用 Splunk 检测规则
- 配置关联搜索 - Splunk 文档
- SOC Prime - Splunk 中的关联事件
Related Skills
killvxk/conducting-social-engineering-penetration-test
testing
VerifiedTrustedCommunity
设计并执行社会工程学渗透测试,包括钓鱼、语音钓鱼、短信钓鱼和物理借口活动,以衡量人员安全韧性并识别培训差距。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-post-incident-lessons-learned
testing
VerifiedTrustedCommunity
主持结构化的事件后审查,以识别根本原因、记录有效和无效的措施,并提出可操作的改进建议以提升未来的事件响应能力。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-phishing-incident-response
testing
VerifiedTrustedCommunity
通过分析举报的邮件、提取指标、评估凭据受攻陷情况、在全组织范围隔离恶意邮件并修复受影响账号来响应网络钓鱼事件。涵盖邮件头分析、URL/附件沙箱检测和邮箱范围清除操作。适用于网络钓鱼响应、邮件事件、凭据钓鱼、鱼叉式网络钓鱼调查或钓鱼修复相关请求。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-pass-the-ticket-attack
tools
VerifiedTrustedCommunity
票据传递(Pass-the-Ticket,PtT)是一种横向移动技术,使用窃取的 Kerberos 票据(TGT 或 TGS)在不知道用户密码的情况下向服务进行认证。通过从已控制的主机内存中提取 Kerberos 票据,攻击者可以将这些票据注入自己的会话以模拟票据所有者。
10SKILL.mdUpdated Apr 29, 2026