building-detection-rule-with-splunk-spl

使用 Splunk 搜索处理语言(SPL)关联搜索构建有效的检测规则,在 SOC 环境中识别安全威胁。

9 stars

Best use case

building-detection-rule-with-splunk-spl is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 Splunk 搜索处理语言(SPL)关联搜索构建有效的检测规则,在 SOC 环境中识别安全威胁。

Teams using building-detection-rule-with-splunk-spl should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/building-detection-rule-with-splunk-spl/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/building-detection-rule-with-splunk-spl/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/building-detection-rule-with-splunk-spl/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How building-detection-rule-with-splunk-spl Compares

Feature / Agentbuilding-detection-rule-with-splunk-splStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 Splunk 搜索处理语言(SPL)关联搜索构建有效的检测规则,在 SOC 环境中识别安全威胁。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Splunk SPL 构建检测规则

## 概述

Splunk 搜索处理语言(SPL,Search Processing Language)是 Splunk Enterprise Security 中用于构建关联搜索的主要查询语言,用于检测可疑事件和模式。精心设计的检测规则可聚合、关联和富化安全事件,为 SOC 分析师生成可操作的重要事件。企业级 SIEM 平均仅覆盖 MITRE ATT&CK 技术的 21%,这使得熟练编写 SPL 规则对于填补检测空白至关重要。

## 前置条件

- 已部署并配置 Splunk Enterprise Security(ES)
- 具有适当角色的 Splunk 搜索与报告应用访问权限
- 了解通用信息模型(CIM,Common Information Model)数据模型
- 熟悉 MITRE ATT&CK 框架技术
- 了解组织的日志来源和数据流

## 核心 SPL 检测规则模式

### 1. 基于阈值的检测

检测在时间窗口内超过定义计数的事件。

```spl
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
| stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
| where failed_logins > 10 AND unique_users > 3
| eval severity="high"
| eval description="Brute force attack detected from ".src_ip." with ".failed_logins." failed logins across ".unique_users." accounts"
```

### 2. 基于序列的检测(失败登录后成功)

关联事件序列以指示成功的暴力破解攻击。

```spl
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
| eval login_status=case(EventCode=4625, "failure", EventCode=4624, "success")
| stats count(eval(login_status="failure")) as failures count(eval(login_status="success")) as successes latest(_time) as last_event by src_ip, TargetUserName
| where failures > 5 AND successes > 0
| eval description="Account ".TargetUserName." compromised via brute force from ".src_ip
| eval urgency="critical"
```

### 3. 与基线比较的异常检测

将当前活动与基线周期进行比较以检测异常峰值。

```spl
index=proxy sourcetype=squid
| bin _time span=1h
| stats count as current_count by src_ip, _time
| join src_ip type=left [
    search index=proxy sourcetype=squid earliest=-7d@d latest=-1d@d
    | stats avg(count) as avg_count stdev(count) as stdev_count by src_ip
]
| eval threshold=avg_count + (3 * stdev_count)
| where current_count > threshold
| eval deviation=round((current_count - avg_count) / stdev_count, 2)
| eval description="Anomalous web traffic from ".src_ip." - ".deviation." standard deviations above baseline"
```

### 4. 横向移动检测

使用 Windows 登录事件识别潜在横向移动。

```spl
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3
| where NOT match(TargetUserName, ".*\$$")
| stats dc(dest) as unique_hosts values(dest) as hosts by src_ip, TargetUserName
| where unique_hosts > 5
| eval severity=case(unique_hosts > 20, "critical", unique_hosts > 10, "high", true(), "medium")
| eval description=TargetUserName." accessed ".unique_hosts." unique hosts from ".src_ip." via network logon"
```

### 5. 数据外泄检测

监控大规模出站数据传输。

```spl
index=firewall sourcetype=pan:traffic action=allowed direction=outbound
| stats sum(bytes_out) as total_bytes_out dc(dest_ip) as unique_destinations by src_ip, user
| eval total_mb=round(total_bytes_out/1048576, 2)
| where total_mb > 500 OR unique_destinations > 50
| lookup asset_lookup ip as src_ip OUTPUT asset_category, asset_owner
| eval severity=case(total_mb > 2000, "critical", total_mb > 1000, "high", true(), "medium")
| eval description=user." transferred ".total_mb."MB to ".unique_destinations." unique destinations"
```

### 6. PowerShell 可疑执行检测

检测编码或混淆的 PowerShell 命令。

```spl
index=wineventlog sourcetype=WinEventLog:Security EventCode=4104
| where match(ScriptBlockText, "(?i)(encodedcommand|invoke-expression|iex|downloadstring|frombase64string|net\.webclient|invoke-webrequest|bitstransfer|invoke-mimikatz|invoke-shellcode)")
| eval decoded_length=len(ScriptBlockText)
| stats count values(ScriptBlockText) as commands by Computer, UserName
| where count > 0
| eval severity="high"
| eval mitre_technique="T1059.001"
| eval description="Suspicious PowerShell execution on ".Computer." by ".UserName
```

## 在 Splunk ES 中构建关联搜索

### 逐步流程

1. **定义用例**:映射到 MITRE ATT&CK 技术,定义要检测的行为
2. **识别数据源**:确定哪些索引和 sourcetype 包含相关事件
3. **编写基础搜索**:构建提取相关事件的 SPL
4. **添加聚合**:使用 `stats`、`eventstats` 或 `streamstats` 进行汇总
5. **应用阈值**:用 `where` 子句设置区分正常与异常的条件
6. **富化上下文**:添加资产信息、身份数据和威胁情报的查找表
7. **配置重要事件**:设置严重性、紧急程度和描述字段
8. **调度与测试**:针对历史数据运行并验证检测准确性

### 关联搜索配置模板

```spl
| tstats summariesonly=true count from datamodel=Authentication
    where Authentication.action=failure
    by Authentication.src, Authentication.user, _time span=5m
| rename "Authentication.*" as *
| stats count as total_failures dc(user) as unique_users values(user) as targeted_users by src
| where total_failures > 20 AND unique_users > 5
| lookup dnslookup clientip as src OUTPUT clienthost as src_dns
| lookup asset_lookup ip as src OUTPUT priority as asset_priority, category as asset_category
| eval urgency=case(asset_priority=="critical", "critical", asset_priority=="high", "high", true(), "medium")
| eval rule_name="Brute Force Against Multiple Accounts"
| eval rule_description="Multiple authentication failures from ".src." targeting ".unique_users." unique accounts"
| eval mitre_attack="T1110.001 - Password Guessing"
```

### 富化最佳实践

```spl
| lookup identity_lookup identity as user OUTPUT department, manager, risk_score as user_risk
| lookup asset_lookup ip as src_ip OUTPUT asset_name, asset_category, asset_priority, asset_owner
| lookup threatintel_lookup ip as src_ip OUTPUT threat_type, threat_confidence, threat_source
| eval context=case(
    isnotnull(threat_type), "Known threat: ".threat_type,
    user_risk > 80, "High-risk user: risk score ".user_risk,
    asset_priority=="critical", "Critical asset: ".asset_name,
    true(), "Standard context"
)
```

## 性能优化

### 使用 tstats 搭配数据模型

```spl
| tstats summariesonly=true count from datamodel=Network_Traffic
    where All_Traffic.action=allowed
    by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, _time span=1h
| rename "All_Traffic.*" as *
```

### 限制时间范围并使用索引字段

```spl
index=wineventlog source="WinEventLog:Security" EventCode=4688
    earliest=-15m latest=now()
| where NOT match(New_Process_Name, "(?i)(svchost|csrss|lsass|services)")
```

### 使用摘要索引建立历史基线

```spl
| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src, _time span=1h
| collect index=summary source="auth_failure_baseline" marker="report_name=auth_failure_hourly"
```

## 测试与验证

### 针对已知攻击模式测试

```spl
| makeresults count=1
| eval src_ip="10.0.0.50", failed_logins=25, unique_users=8, severity="high"
| eval description="Test brute force detection"
| append [
    search index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
    earliest=-24h latest=now()
    | stats count as failed_logins dc(TargetUserName) as unique_users by src_ip
    | where failed_logins > 10 AND unique_users > 3
    | eval severity="high"
]
```

### 计算检测指标

```spl
index=notable
| search rule_name="Brute Force*"
| stats count as total_alerts count(eval(status_label="Closed - True Positive")) as true_positives count(eval(status_label="Closed - False Positive")) as false_positives by rule_name
| eval precision=round(true_positives / (true_positives + false_positives) * 100, 2)
| eval fpr=round(false_positives / total_alerts * 100, 2)
```

## MITRE ATT&CK 映射

| 技术 ID | 技术名称 | SPL 检测方法 |
|---|---|---|
| T1110.001 | 密码猜测(Password Guessing) | 按 src_ip 对 EventCode 4625 设置阈值 |
| T1059.001 | PowerShell | 对 EventCode 4104 ScriptBlockText 进行模式匹配 |
| T1021.002 | SMB/Windows 管理共享 | Logon Type 3 搭配 dc(dest) 阈值 |
| T1048 | 通过 C2 信道数据外泄 | 在时间窗口内聚合 bytes_out |
| T1053.005 | 计划任务 | EventCode 4698 搭配可疑命令模式 |
| T1003.001 | LSASS 内存 | 通过 Sysmon EventCode 10 检测对 lsass.exe 的进程访问 |

## 参考资料

- [Splunk ES 关联搜索最佳实践](https://detect.fyi/splunk-es-correlation-searches-rules-best-cool-practices-06ef94884170)
- [编写实用 Splunk 检测规则](https://medium.com/@vitbukac/practical-splunk-detection-rules-how-to-part-1-crawl-a24bc39a4b9d)
- [配置关联搜索 - Splunk 文档](https://help.splunk.com/en/splunk-enterprise-security-8/splunk-app-for-pci-compliance/installation-and-configuration-manual/6.1/configure-correlation-searches/configure-correlation-searches)
- [SOC Prime - Splunk 中的关联事件](https://socprime.com/blog/creating-correlation-events-in-splunk-using-alerts/)

Related Skills

triaging-security-alerts-in-splunk

9
from killvxk/cybersecurity-skills-zh

在 Splunk Enterprise Security 中对安全告警进行分类,通过 SPL 查询和事件审查(Incident Review) 仪表板对重要事件进行严重性分类、调查、关联相关遥测并做出升级或关闭决策。 适用于 SOC 分析师需要处理关联搜索产生的告警队列、确定调查优先级, 或需要为交接给二/三级分析师记录分类决策时。

performing-yara-rule-development-for-detection

9
from killvxk/cybersecurity-skills-zh

通过识别可执行文件中的唯一字节模式、字符串和行为指标,开发精准的 YARA 恶意软件检测规则,同时将误报率降至最低。

performing-threat-hunting-with-yara-rules

9
from killvxk/cybersecurity-skills-zh

使用 YARA 模式匹配规则在文件系统和内存转储中狩猎恶意软件、可疑文件和入侵指标。 涵盖规则编写、yara-python 扫描以及与威胁情报源的集成。

performing-steganography-detection

9
from killvxk/cybersecurity-skills-zh

使用隐写分析(Steganalysis)工具检测和提取嵌入在图像、音频及其他媒体文件中的隐藏数据,揭露隐蔽通信渠道。

performing-lateral-movement-detection

9
from killvxk/cybersecurity-skills-zh

检测横向移动(Lateral Movement)技术,包括哈希传递(Pass-the-Hash)、PsExec、WMI 执行、 RDP 转移和基于 SMB 的传播,使用 SIEM 关联 Windows 事件日志、网络流数据和终端遥测, 映射到 MITRE ATT&CK 横向移动战术(TA0008)技术。

performing-dns-tunneling-detection

9
from killvxk/cybersecurity-skills-zh

通过计算 DNS 查询名称的香农熵(Shannon Entropy)、分析查询长度分布、检测 TXT 记录载荷以及 识别高子域名基数,检测 DNS 隧道(DNS Tunneling)攻击。使用 scapy 进行数据包捕获分析, 结合统计方法区分合法 DNS 流量和隐蔽信道。适用于数据泄露猎威场景。

performing-container-escape-detection

9
from killvxk/cybersecurity-skills-zh

通过分析命名空间配置、特权容器检查、危险能力分配和宿主机路径挂载,使用 kubernetes Python 客户端检测容器逃逸尝试。识别通过 cgroup 滥用的 CVE-2022-0492 类型逃逸。 适用于审计容器安全态势或调查逃逸尝试。

performing-adversary-in-the-middle-phishing-detection

9
from killvxk/cybersecurity-skills-zh

检测和响应中间人(AiTM)钓鱼攻击,这类攻击使用 EvilProxy、Evilginx 和 Tycoon 2FA 等反向代理工具包绕过 MFA 并窃取会话令牌。

implementing-siem-use-cases-for-detection

9
from killvxk/cybersecurity-skills-zh

通过设计映射到 MITRE ATT&CK 技术的关联规则、阈值告警和行为分析, 在 Splunk、Elastic 和 Sentinel 中实施 SIEM 检测用例。 适用于 SOC 团队需要扩展检测覆盖范围、规范用例生命周期管理, 或构建与组织威胁画像对齐的检测库时。

implementing-siem-correlation-rules-for-apt

9
from killvxk/cybersecurity-skills-zh

编写多事件关联规则,通过链接跨主机的 Windows 身份验证事件、进程执行遥测和网络连接日志, 检测高级持续性威胁(APT)的横向移动。使用 Splunk SPL 和 Sigma 规则格式, 在滑动时间窗口内关联事件 ID 4624、4648、4688 和 Sysmon 事件 1/3, 以发现单一事件检测无法识别的攻击序列。

implementing-semgrep-for-custom-sast-rules

9
from killvxk/cybersecurity-skills-zh

使用 YAML 编写自定义 Semgrep SAST 规则,以检测应用程序特定漏洞、执行编码标准并集成到 CI/CD 管道中。

implementing-honeytokens-for-breach-detection

9
from killvxk/cybersecurity-skills-zh

部署金丝雀令牌(canary tokens)和蜜标(honeytokens),包括伪造的 AWS 凭据、DNS 金丝雀、 文档信标和数据库记录,当攻击者访问时触发告警。使用 Canarytokens API 和自定义 Webhook 集成 实现入侵检测。适用于构建基于欺骗技术的早期预警入侵检测系统的场景。