Splunk searches relating to Security
Search: JNDI lookup strings in raw events (plain "${jndi:...}", nested "${::-j}"-style obfuscation, and URL-encoded forms), last 7 days. The subsearch narrows the scan to index/sourcetype pairs whose punct field shows "${" or "$%"; the main search then requires both a "${" marker and a "//" marker (raw or URL-encoded), URL-decodes _raw once, and applies the regex to the decoded copy.

[ | tstats count where index=* AND punct IN ("*${*","*$%*") earliest=-7d latest=now by index, sourcetype
| fields - count
| format ] AND (((punct=*$* AND punct=*:*) OR (punct=*%*)) AND ("*${*" OR "*%24{*" OR "*$%7B*" OR "*%24%7B*") AND ("//" OR "%2F%2F" OR "/%2F" OR "%2F/"))
| eval decoded_raw = urldecode(_raw)
| regex decoded_raw="\$\S*?{\S*?j[A-Za-z:\-\$\[\]{}]*?n[A-Za-z:\-\$\[\]{}]*?d[A-Za-z:\-\$\[\]{}]*?i[^\s\/]*//.*"

Notes on the regex: the character class between j, n, d and i must escape "[" and "]" (an unescaped "]" closes the class early, so "jndi" itself would not match), and it includes "{" and "}" so that nested lookups such as "${::-j}${::-n}..." are covered. urldecode is applied once, so doubly encoded payloads are not decoded by this search.