Splunk searches relating to Security

clear
[ | tstats count where index=* AND punct IN ("*${*","*$%*") earliest=-7d latest=now by index, sourcetype | fields - count | format ] AND (((punct=*$* AND punct=*:*) OR (punct=*%*)) AND ("*${*" OR "*%24{*" OR "$%7B*" OR "*%24%7B*"") AND ("//" OR "%2F%2F" OR "/%2F" OR "%2F/") ) | eval decoded_raw = urldecode(_raw) | regex decoded_raw="\$\S*?{\S*?j[A-Za-z:\-\$[]]*?n[A-Za-z:\-\$[]]*?d[A-Za-z:\-\$[]]*?i[^\s\/]*//.*"
0 comments