- Macros
- You can edit the macro using Settings > Advanced Search > Search macros.
- If you change the index name, update the precrime_index macro.
- For data model acceleration, use the summariesonly macro. If it is set to true, data is read from the accelerated summary; otherwise it is read from the raw indexes.
- Data Model
- You can accelerate the data model by clicking Settings > Data Model > precrime > edit.
- Update the acceleration settings and the cron schedule according to your needs.
Search objects
You can use either the Stats or the Tstats Splunk search method (tstats requires the accelerated data model).
Some query examples that can be saved as a dashboard panel or an alert:
List the malicious domains:
search index=precrime24 sourcetype=PreCrime Score>=0.8
Correlate the data with your DNS resolver log:
index="dns_queries" sourcetype="dns_query"
| rex field="_raw" ".*query: (?<domain>[^\s*]*).*"
| join domain
[| search index=precrime24 sourcetype=PreCrime Score>=0.8
| rename Name as domain ]
| table domain
Correlate the data with your web proxy log:
index="proxylogs" sourcetype="proxy_entry"
| rex field="_raw" "Host: (?<domain>[^\s*]*)"
| rex field="_raw" "from client (?<client>[^\s*]*)"
| rex field="_raw" "\[PROXY\] (?<status>[^\s*]*)"
| join domain
[| search index=precrime24 sourcetype=PreCrime Score>=0.8
| rename Name as domain] | table domain,client,status,Score
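The two correlation searches above both extract a domain from a raw log line with rex and then inner-join it against PreCrime events with Score>=0.8. The following Python is an added example, not part of the app, that mirrors that logic offline so you can check the regular expressions and the join against sample lines before saving the searches as alerts. The log lines and PreCrime events are constructed for the example; the field names Name and Score, the 0.8 threshold and the three rex patterns are taken from the searches above (Splunk's `(?<name>...)` groups are written `(?P<name>...)` for Python's re module).

```python
import re
from typing import Dict, List, Pattern

SCORE_THRESHOLD = 0.8  # same cut-off as "Score>=0.8" in the searches above

# Same patterns as the rex commands above, in Python named-group syntax.
DNS_RE = re.compile(r"query: (?P<domain>[^\s*]*)")
PROXY_HOST_RE = re.compile(r"Host: (?P<domain>[^\s*]*)")
PROXY_CLIENT_RE = re.compile(r"from client (?P<client>[^\s*]*)")
PROXY_STATUS_RE = re.compile(r"\[PROXY\] (?P<status>[^\s*]*)")

# Constructed PreCrime events (sourcetype=PreCrime has Name and Score fields).
PRECRIME_EVENTS = [
    {"Name": "login-verify.example", "Score": 0.93},
    {"Name": "cdn.example", "Score": 0.12},
    {"Name": "pay-confirm.example", "Score": 0.81},
]

# Constructed resolver lines; the last one has no "query:" and must be dropped.
DNS_LINES = [
    "Jan 10 12:00:01 resolver named[123]: client 10.0.0.5#5353: query: login-verify.example IN A +",
    "Jan 10 12:00:02 resolver named[123]: client 10.0.0.7#5353: query: cdn.example IN A +",
    "Jan 10 12:00:03 resolver named[123]: client 10.0.0.9#5353: query: pay-confirm.example IN AAAA +",
    "Jan 10 12:00:04 resolver named[123]: client 10.0.0.11#5353: malformed request",
]

# Constructed proxy lines in the layout the three rex patterns expect.
PROXY_LINES = [
    "[PROXY] 200 from client 10.0.0.5 Host: login-verify.example method GET",
    "[PROXY] 403 from client 10.0.0.7 Host: cdn.example method GET",
    "[PROXY] 302 from client 10.0.0.9 Host: pay-confirm.example method POST",
]


def malicious_domains(events: List[dict], threshold: float = SCORE_THRESHOLD) -> Dict[str, float]:
    """Subsearch equivalent: 'Score>=0.8 | rename Name as domain'.

    Splunk's join keeps one subsearch row per key by default (max=1),
    so the first event seen for a domain wins here as well.
    """
    bad: Dict[str, float] = {}
    for event in events:
        if event["Score"] >= threshold and event["Name"] not in bad:
            bad[event["Name"]] = event["Score"]
    return bad


def extract(line: str, *patterns: Pattern) -> Dict[str, str]:
    """Apply each rex-style pattern; a non-matching pattern simply adds no field."""
    fields: Dict[str, str] = {}
    for pattern in patterns:
        match = pattern.search(line)
        if match:
            fields.update(match.groupdict())
    return fields


def correlate_dns(lines: List[str], events: List[dict]) -> List[dict]:
    """Resolver log joined on domain; rows without a domain or a score are dropped (inner join)."""
    bad = malicious_domains(events)
    hits = []
    for line in lines:
        domain = extract(line, DNS_RE).get("domain")
        if domain in bad:
            hits.append({"domain": domain, "Score": bad[domain]})
    return hits


def correlate_proxy(lines: List[str], events: List[dict]) -> List[dict]:
    """Proxy log joined on domain, producing the 'table domain,client,status,Score' rows."""
    bad = malicious_domains(events)
    hits = []
    for line in lines:
        fields = extract(line, PROXY_HOST_RE, PROXY_CLIENT_RE, PROXY_STATUS_RE)
        domain = fields.get("domain")
        if domain in bad:
            hits.append({"domain": domain,
                         "client": fields.get("client"),
                         "status": fields.get("status"),
                         "Score": bad[domain]})
    return hits


if __name__ == "__main__":
    for row in correlate_dns(DNS_LINES, PRECRIME_EVENTS):
        print("dns  ", row)
    for row in correlate_proxy(PROXY_LINES, PRECRIME_EVENTS):
        print("proxy", row)
```

Two things the offline run makes visible that the saved search does not: a line whose rex pattern fails to match contributes no domain and silently falls out of the inner join, and a domain that appears more than once in the PreCrime index keeps only its first score, so a later, higher score would not be reported unless the subsearch deduplicates (for example with a stats max(Score) by Name) before the join.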