From ef390082b9ba7a1705a21099830f48f273ae6920 Mon Sep 17 00:00:00 2001 From: Sindre Breda Date: Wed, 30 Jul 2025 01:53:07 +0200 Subject: [PATCH 1/3] fix(demos): Fix Splunk integration in Corelight notebook Previous implementation had broken JSON parsing in splunkToPandas function causing data retrieval failures. * Fix splunkToPandas to use JSONResultsReader with proper output_mode * Fix regex escape sequence warnings in helper functions * Add proper error handling for pagination * Clean up notebook structure This ensures the demo notebook works correctly with current Splunk SDK and maintains clean example code. --- .../graphistry_corelight_webinar.ipynb | 1721 ++++++++--------- 1 file changed, 784 insertions(+), 937 deletions(-) diff --git a/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb b/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb index a62cdc6a0..8ba87bf1e 100644 --- a/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb +++ b/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb @@ -46,7 +46,7 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 1, "metadata": { "colab": {}, "colab_type": "code", @@ -66,6 +66,20 @@ " 'port': 8089,\n", " 'username': 'corelight_tutorial',\n", " 'password': 'MY_SPLUNK_PWD' \n", + "}\n" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": {}, + "outputs": [], + "source": [ + "GRAPHISTRY = {\n", + " \"api\":3,\n", + " \"personal_key_id\": \"YOUR_KEY_ID\",\n", + " \"personal_key_secret\": \"YOUR_SECRET\",\n", + " \"server\": \"hub.graphistry.com\"\n", "}" ] }, @@ -91,27 +105,7 @@ "id": "0g6e1kZO6OVV", "outputId": "b789aeb7-27da-4bf2-ed51-beb16f1f617e" }, - "outputs": [ - { - "name": "stdout", - "output_type": "stream", - "text": [ - "\u001b[?25l\r\n", - "\u001b[K |███▏ | 10kB 14.9MB/s eta 0:00:01\r\n", - "\u001b[K |██████▎ | 20kB 1.8MB/s eta 0:00:01\r\n", - "\u001b[K |█████████▍ | 30kB 2.6MB/s eta 0:00:01\r\n", - "\u001b[K |████████████▌ | 40kB 1.7MB/s eta 0:00:01\r\n", - "\u001b[K |███████████████▊ | 51kB 2.1MB/s eta 0:00:01\r\n", - "\u001b[K |██████████████████▉ | 61kB 2.5MB/s eta 0:00:01\r\n", - "\u001b[K |██████████████████████ | 71kB 2.9MB/s eta 0:00:01\r\n", - "\u001b[K |█████████████████████████ | 81kB 3.3MB/s eta 0:00:01\r\n", - "\u001b[K |████████████████████████████▎ | 92kB 3.7MB/s eta 0:00:01\r\n", - "\u001b[K |███████████████████████████████▍| 102kB 2.8MB/s eta 0:00:01\r\n", - "\u001b[K |████████████████████████████████| 112kB 2.8MB/s \n", - "\u001b[?25h Building wheel for splunk-sdk (setup.py) ... \u001b[?25l\u001b[?25hdone\n" - ] - } - ], + "outputs": [], "source": [ "!pip install graphistry -q\n", "!pip install splunk-sdk -q" @@ -119,13 +113,24 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 3, "metadata": { "colab": {}, "colab_type": "code", "id": "SPEFa-Hv6UNu" }, - "outputs": [], + "outputs": [ + { + "data": { + "text/plain": [ + "" + ] + }, + "execution_count": 3, + "metadata": {}, + "output_type": "execute_result" + } + ], "source": [ "import pandas as pd\n", "pd.set_option('display.max_rows', 500)\n", @@ -145,7 +150,7 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 4, "metadata": { "colab": {}, "colab_type": "code", @@ -182,13 +187,24 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 5, "metadata": { "colab": {}, "colab_type": "code", "id": "hvt6EDJYFRdJ" }, - "outputs": [], + "outputs": [ + { + "name": "stderr", + "output_type": "stream", + "text": [ + "<>:14: SyntaxWarning: invalid escape sequence '\\('\n", + "<>:14: SyntaxWarning: invalid escape sequence '\\('\n", + "/tmp/ipykernel_32288/2162898159.py:14: SyntaxWarning: invalid escape sequence '\\('\n", + " for c in [c for c in df.columns if re.match('.*bytes.*', c) and not re.match('log\\(.*', c)]:\n" + ] + } + ], "source": [ "def safe_log(v):\n", " try:\n", @@ -223,15 +239,11 @@ }, { "cell_type": "code", - "execution_count": null, - "metadata": { - "colab": {}, - "colab_type": "code", - "id": "mXrEI7u46hjV" - }, + "execution_count": 11, + "metadata": {}, "outputs": [], "source": [ - "STEP = 50000; \n", + "STEP=5000\n", "def splunkToPandas(qry, overrides={}):\n", " kwargs_blockingsearch = {\n", " \"count\": 0,\n", @@ -239,31 +251,38 @@ " \"latest_time\": \"now\",\n", " \"search_mode\": \"normal\",\n", " \"exec_mode\": \"blocking\",\n", - " **overrides}\n", - " job = service.jobs.create(qry, **kwargs_blockingsearch)\n", - "\n", - " print(\"Search results:\\n\")\n", - " resultCount = job[\"resultCount\"]\n", - " offset = 0; \n", - "\n", - " print('results', resultCount)\n", - " out = None\n", - " while (offset < int(resultCount)):\n", - " print(\"fetching:\", offset, '-', offset + STEP)\n", - " kwargs_paginate = {**kwargs_blockingsearch,\n", - " \"count\": STEP,\n", - " \"offset\": offset}\n", - "\n", - " # Get the search results and display them\n", + " **overrides\n", + " }\n", + "\n", + " # Key fix: ensure output_mode=json here\n", + " job = service.jobs.create(qry, output_mode=\"json\", **kwargs_blockingsearch)\n", + " resultCount = int(job[\"resultCount\"])\n", + " offset = 0\n", + " all_data = []\n", + "\n", + " print(f\"Search results: {resultCount}\")\n", + "\n", + " while offset < resultCount:\n", + " print(f\"Fetching: {offset} - {offset + STEP}\")\n", + " kwargs_paginate = {\n", + " \"count\": STEP,\n", + " \"offset\": offset,\n", + " \"output_mode\": \"json\"\n", + " }\n", + "\n", " blocksearch_results = job.results(**kwargs_paginate)\n", - " reader = results.ResultsReader(blocksearch_results)\n", - " lst = [x for x in reader]\n", - " df2 = pd.DataFrame(lst) \n", - " out = df2 if type(out) == type(None) else pd.concat([out, df2], ignore_index=True)\n", + " reader = results.JSONResultsReader(blocksearch_results)\n", + "\n", + " batch = [event for event in reader if isinstance(event, dict)]\n", + " all_data.extend(batch)\n", " offset += STEP\n", - " for c in out.columns:\n", - " out[c] = out[c].astype(str)\n", - " return out" + "\n", + " df = pd.DataFrame(all_data)\n", + "\n", + " for c in df.columns:\n", + " df[c] = df[c].astype(str)\n", + "\n", + " return df\n" ] }, { @@ -280,7 +299,7 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 7, "metadata": { "colab": {}, "colab_type": "code", @@ -309,7 +328,7 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 8, "metadata": { "colab": {}, "colab_type": "code", @@ -355,7 +374,7 @@ }, { "cell_type": "code", - "execution_count": null, + "execution_count": 9, "metadata": { "colab": {}, "colab_type": "code", @@ -446,7 +465,7 @@ }, { "cell_type": "code", - "execution_count": 10, + "execution_count": 12, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -461,11 +480,9 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 79\n", - "fetching: 0 - 50000\n", - "# rows 79\n" + "Search results: 73\n", + "Fetching: 0 - 5000\n", + "# rows 73\n" ] }, { @@ -489,88 +506,58 @@ " \n", " \n", " \n", - " host\n", + " uid\n", " id.orig_h\n", " id.resp_h\n", - " index\n", - " linecount\n", " name\n", - " source\n", - " sourcetype\n", - " splunk_server\n", - " uid\n", - " size\n", " \n", " \n", " \n", " \n", - " 24\n", - " splunk.graphistry.com\n", - " 192.168.0.54\n", - " 213.155.151.181\n", - " corelight_tutorial\n", - " 1\n", - " data_before_established\n", - " logs.tar:./weird_20180803_16:37:08-16:40:00-07...\n", - " weird\n", - " splunk.graphistry.com\n", - " C4cXEP3YqYEkVgiD5i\n", - " nan\n", - " \n", - " \n", - " 11\n", - " splunk.graphistry.com\n", + " 59\n", + " Cg9lHg3DsPYSEp87i6\n", " 192.168.0.53\n", " 192.168.0.1\n", - " corelight_tutorial\n", - " 1\n", - " unknown_HTTP_method\n", - " logs.tar:./weird_20180803_16:37:08-16:40:00-07...\n", - " weird\n", - " splunk.graphistry.com\n", - " CkbyH62jwxViOw5VN2\n", - " nan\n", + " dns_unmatched_reply\n", " \n", " \n", - " 52\n", - " splunk.graphistry.com\n", + " 20\n", + " CY24OW2LAYMT2QjBEf\n", " 192.168.0.54\n", - " 193.149.88.236\n", - " corelight_tutorial\n", - " 1\n", + " 108.160.167.35\n", + " data_before_established\n", + " \n", + " \n", + " 11\n", + " CbSLLe2PMAkU8BUBpi\n", + " 192.168.0.51\n", + " 213.155.151.150\n", " data_before_established\n", - " logs.tar:./weird_20180803_16:37:08-16:40:00-07...\n", - " weird\n", - " splunk.graphistry.com\n", - " CA76K70LJd4XYlDl4\n", - " nan\n", " \n", " \n", "\n", "" ], "text/plain": [ - " host id.orig_h id.resp_h index linecount name source sourcetype splunk_server uid size\n", - "24 splunk.graphistry.com 192.168.0.54 213.155.151.181 corelight_tutorial 1 data_before_established logs.tar:./weird_20180803_16:37:08-16:40:00-07... weird splunk.graphistry.com C4cXEP3YqYEkVgiD5i nan\n", - "11 splunk.graphistry.com 192.168.0.53 192.168.0.1 corelight_tutorial 1 unknown_HTTP_method logs.tar:./weird_20180803_16:37:08-16:40:00-07... weird splunk.graphistry.com CkbyH62jwxViOw5VN2 nan\n", - "52 splunk.graphistry.com 192.168.0.54 193.149.88.236 corelight_tutorial 1 data_before_established logs.tar:./weird_20180803_16:37:08-16:40:00-07... weird splunk.graphistry.com CA76K70LJd4XYlDl4 nan" + " uid id.orig_h id.resp_h name\n", + "59 Cg9lHg3DsPYSEp87i6 192.168.0.53 192.168.0.1 dns_unmatched_reply\n", + "20 CY24OW2LAYMT2QjBEf 192.168.0.54 108.160.167.35 data_before_established\n", + "11 CbSLLe2PMAkU8BUBpi 192.168.0.51 213.155.151.150 data_before_established" ] }, - "execution_count": 10, - "metadata": { - "tags": [] - }, + "execution_count": 12, + "metadata": {}, "output_type": "execute_result" } ], "source": [ "df = splunkToPandas(\n", " \"\"\"\n", - " search index=corelight_tutorial \n", - " | dedup id.orig_h, id.resp_h, name \n", - " | fields - _* \n", - " | head 100\n", - " \"\"\",\n", + "search index=corelight_tutorial \n", + "| dedup id.orig_h, id.resp_h, name \n", + "| table uid id.orig_h id.resp_h name \n", + "| head 100\n", + "\"\"\",\n", " {'sample_ratio': 10}) # Optional, means \"sample 1 in 10\"\n", "\n", "print('# rows', len(df))\n", @@ -579,7 +566,18 @@ }, { "cell_type": "code", - "execution_count": 11, + "execution_count": 13, + "metadata": {}, + "outputs": [], + "source": [ + "# For demo, making all plots public.\n", + "\n", + "graphistry.privacy(mode=\"public\")" + ] + }, + { + "cell_type": "code", + "execution_count": 14, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -594,25 +592,27 @@ "name": "stdout", "output_type": "stream", "text": [ - "# links 474\n", - "# events 79\n", - "# attrib entities 154\n" + "# links 438\n", + "# events 73\n", + "# attrib entities 138\n" ] }, { "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -620,10 +620,8 @@ "" ] }, - "execution_count": 11, - "metadata": { - "tags": [] - }, + "execution_count": 14, + "metadata": {}, "output_type": "execute_result" } ], @@ -668,7 +666,7 @@ }, { "cell_type": "code", - "execution_count": 11, + "execution_count": 15, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -683,10 +681,9 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 5429\n", - "fetching: 0 - 50000\n", + "Search results: 5429\n", + "Fetching: 0 - 5000\n", + "Fetching: 5000 - 10000\n", "# rows 5429\n" ] }, @@ -723,7 +720,6 @@ " date_year\n", " date_zone\n", " established\n", - " eventtype\n", " host\n", " id.orig_h\n", " id.orig_p\n", @@ -735,7 +731,6 @@ " linecount\n", " punct\n", " resumed\n", - " server_name\n", " source\n", " sourcetype\n", " splunk_server\n", @@ -745,34 +740,32 @@ " timestartpos\n", " ts\n", " uid\n", - " unix_category\n", - " unix_group\n", " validation_status\n", " version\n", - " last_alert\n", + " server_name\n", " next_protocol\n", + " last_alert\n", " \n", " \n", " \n", " \n", - " 1320\n", - " ['FQZjFv40RSQpUy84Uj', 'FLBUia3CvV6rXlaco9', '...\n", + " 4161\n", + " ['Fqx5Sk1AYbuGv1toF3', 'FabRJ61BxafTjg1SHa', '...\n", " TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\n", " secp256r1\n", " 23\n", - " 3\n", + " 14\n", " 38\n", - " august\n", - " 48\n", + " february\n", + " 18\n", " friday\n", - " 2018\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.54\n", - " 58973\n", - " 108.160.162.115\n", + " 61529\n", + " 108.160.167.175\n", " 443\n", " corelight_tutorial\n", " CN=Go Daddy Secure Certificate Authority - G2,...\n", @@ -780,214 +773,199 @@ " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " nan\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", " CN=*.dropbox.com,OU=Domain Control Validated\n", " 34\n", - " 7\n", - " 2018-08-03T23:38:48.865254Z\n", - " Cb2FMh1dXasX8ErQS7\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:38:18.796898Z\n", + " CG1lF65E0RwG3bv75\n", " certificate has expired\n", " TLSv10\n", " nan\n", " nan\n", + " nan\n", " \n", " \n", - " 447\n", - " ['F5FcVbezfJGgnXJMh', 'FMOZCdFRjdUImboB7', 'Ft...\n", - " TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n", - " secp256r1\n", + " 683\n", + " ['FwjILy3taZBAPh6sVi', 'FcKu4D1pfpBvNRCbF4', '...\n", + " TLS_RSA_WITH_3DES_EDE_CBC_SHA\n", + " nan\n", " 23\n", - " 3\n", - " 38\n", - " august\n", - " 52\n", - " friday\n", - " 2018\n", + " 9\n", + " 37\n", + " july\n", + " 49\n", + " wednesday\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", - " 192.168.0.54\n", - " 60552\n", - " 213.155.151.185\n", + " 192.168.0.53\n", + " 1678\n", + " 217.72.201.130\n", " 443\n", " corelight_tutorial\n", - " CN=Google Internet Authority G2,O=Google Inc,C=US\n", - " e417b0731e0f2c81dc81ca57cb597b25\n", + " CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US\n", + " de350869b8c85de67a350c8d186f11e6\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " play.google.com\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=*.google.com,O=Google Inc,L=Mountain View,S...\n", + " CN=3c-bs.gmx.com,O=1&1 Mail & Media Inc.,L=Che...\n", " 34\n", - " 7\n", - " 2018-08-03T23:38:52.096438Z\n", - " CTmqJD21MWioFpGYj5\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:37:49.938525Z\n", + " CqILfRyd7VPTXQeb9\n", " certificate has expired\n", - " TLSv12\n", + " TLSv10\n", + " nan\n", " nan\n", " nan\n", " \n", " \n", - " 1365\n", - " ['FPgvM233HvfObdRu1a', 'FBXJYA2TX28U8rhjG8', '...\n", - " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n", - " secp256r1\n", + " 3583\n", + " ['FqiaqT2iBRe9fDhgD1', 'FrtBBp16lvpDY6aPNh']\n", + " TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\n", + " secp384r1\n", " 23\n", - " 3\n", + " 14\n", " 38\n", - " august\n", - " 48\n", + " february\n", + " 46\n", " friday\n", - " 2018\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.54\n", - " 58691\n", - " 54.230.99.217\n", + " 57476\n", + " 64.4.61.94\n", " 443\n", " corelight_tutorial\n", - " CN=VeriSign Class 3 Secure Server CA - G3,OU=T...\n", - " e03fdb6b99211ce6d1ed8a21abf4b25b\n", + " CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Mic...\n", + " 06207a1730b5deeb207b0556e102ded2\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " d2d8g5sjza4b48.cloudfront.net\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=*.cloudfront.net,O=Amazon.com\\, Inc.,L=Seat...\n", + " CN=*.gateway.messenger.live.com\n", " 34\n", - " 7\n", - " 2018-08-03T23:38:48.149782Z\n", - " COskUkJOeimG7c8He\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:38:46.396124Z\n", + " CxI5Ni25P8fKKIyDXa\n", " certificate has expired\n", - " TLSv12\n", + " TLSv10\n", + " nan\n", " nan\n", " nan\n", " \n", " \n", - " 4318\n", - " ['FTPLH52E1n47WYWsZ3', 'FKngDk166EFPRwl8Kj', '...\n", - " TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\n", - " secp256r1\n", + " 1963\n", + " ['Fmoam8lgG3fJH9hzh', 'FJUhV1aeezOahOpii']\n", + " TLS_DHE_RSA_WITH_AES_128_CBC_SHA\n", + " nan\n", " 23\n", - " 3\n", + " 9\n", " 37\n", - " august\n", - " 47\n", - " friday\n", - " 2018\n", + " july\n", + " 18\n", + " wednesday\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.51\n", - " 47228\n", - " 217.72.201.130\n", + " 34390\n", + " 63.245.217.20\n", " 443\n", " corelight_tutorial\n", - " CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US\n", - " 01f79a7537bf2cb8b8e8f450d291c632\n", + " CN=DigiCert SHA2 Secure Server CA,O=DigiCert I...\n", + " ce694315cbb81ce95e6ae4ae8cbafde6\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " 3c-bs.gmx.com\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=3c-bs.gmx.com,O=1&1 Mail & Media Inc.,L=Che...\n", + " CN=static-san.mozilla.org,O=Mozilla Foundation...\n", " 34\n", - " 7\n", - " 2018-08-03T23:37:47.443768Z\n", - " C9zRQz4DJgIiOzRG68\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:37:18.250476Z\n", + " C5WDaE4EbcIYQfkyLb\n", " certificate has expired\n", " TLSv12\n", + " live.mozillamessaging.com\n", " nan\n", " nan\n", " \n", " \n", - " 3832\n", - " ['F3smzS84KN50e0ail', 'FMiALu2wPM6lmSaYNf', 'F...\n", - " TLS_RSA_WITH_3DES_EDE_CBC_SHA\n", + " 4490\n", + " ['FR35Dk4yZpN9bgx3Pc', 'FfBVQ52tMzrdpurg0i']\n", + " TLS_RSA_WITH_RC4_128_SHA\n", " nan\n", " 23\n", - " 3\n", - " 37\n", - " august\n", - " 54\n", + " 14\n", + " 38\n", + " february\n", + " 12\n", " friday\n", - " 2018\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", - " 192.168.0.53\n", - " 2140\n", - " 212.227.111.53\n", + " 192.168.0.54\n", + " 50186\n", + " 2.23.132.158\n", " 443\n", " corelight_tutorial\n", - " CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US\n", - " de350869b8c85de67a350c8d186f11e6\n", + " CN=GeoTrust SSL CA - G4,O=GeoTrust Inc.,C=US\n", + " 2a458dd9c65afbcf591cd8c2a194b804\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " nan\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=navigator-bs.gmx.com,O=1&1 Mail & Media Inc...\n", + " CN=www.skypeassets.com,O=Skype\\, Inc.,L=Redmon...\n", " 34\n", - " 7\n", - " 2018-08-03T23:37:54.484612Z\n", - " CndgSe2hXssGB423Cb\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:38:12.609952Z\n", + " CcQizhZVrSVEsJMz\n", " certificate has expired\n", - " TLSv10\n", + " TLSv12\n", + " static.skypeassets.com\n", " nan\n", " nan\n", " \n", " \n", - " 108\n", - " ['FWNhow4DgTw6wjM2n5', 'FyqNa4Jfi3ugk0kNi', 'F...\n", - " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n", + " 5394\n", + " ['F7AKbYgGDYjqMeIIc', 'FFVEPe1eLPbzc57U6', 'Fh...\n", + " TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n", " secp256r1\n", " 23\n", - " 3\n", + " 14\n", " 38\n", - " august\n", - " 58\n", + " february\n", + " 3\n", " friday\n", - " 2018\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.54\n", - " 65169\n", - " 173.194.71.189\n", + " 59940\n", + " 216.58.209.129\n", " 443\n", " corelight_tutorial\n", " CN=Google Internet Authority G2,O=Google Inc,C=US\n", @@ -995,193 +973,179 @@ " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " 6.client-channel.google.com\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=*.mail.google.com,O=Google Inc,L=Mountain V...\n", + " CN=*.googleusercontent.com,O=Google Inc,L=Moun...\n", " 34\n", - " 7\n", - " 2018-08-03T23:38:58.478453Z\n", - " CI0Gi9sVsgaAxk8ea\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:38:03.766636Z\n", + " CR0jwp4BfmSkd9jg7l\n", " certificate has expired\n", " TLSv12\n", + " s2.googleusercontent.com\n", " nan\n", " nan\n", " \n", " \n", - " 3647\n", - " ['FpqQSy49nt4FcSjhb', 'FG2diV2hbPbjisW39h', 'F...\n", - " TLS_RSA_WITH_3DES_EDE_CBC_SHA\n", + " 3031\n", + " ['FkURzA3lnvLD9uLIP4', 'FSgiu444Nr8mgrRGI3']\n", + " TLS_RSA_WITH_RC4_128_SHA\n", " nan\n", " 23\n", - " 3\n", - " 37\n", - " august\n", - " 55\n", + " 14\n", + " 38\n", + " february\n", + " 50\n", " friday\n", - " 2018\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.53\n", - " 3172\n", - " 217.72.201.130\n", + " 4217\n", + " 157.55.239.247\n", " 443\n", " corelight_tutorial\n", - " CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US\n", + " CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Mic...\n", " de350869b8c85de67a350c8d186f11e6\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " nan\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=3c-bs.gmx.com,O=1&1 Mail & Media Inc.,L=Che...\n", + " CN=urs.microsoft.com\n", " 34\n", - " 7\n", - " 2018-08-03T23:37:55.876996Z\n", - " C1Yfgb4mn7cCixGvmg\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:38:50.098917Z\n", + " CrZZXoNGKXlS9OBf1\n", " certificate has expired\n", " TLSv10\n", " nan\n", " nan\n", + " nan\n", " \n", " \n", - " 3490\n", - " ['FWIxfa2SDjdMzrnoCi', 'FWh9rP1nEb2WaKquqc', '...\n", - " TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n", + " 902\n", + " ['Frc21R1ZGhtC80B7g', 'FABXetnjdX7rnBodk']\n", + " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n", " secp256r1\n", " 23\n", - " 3\n", - " 38\n", - " august\n", - " 1\n", - " friday\n", - " 2018\n", + " 9\n", + " 37\n", + " july\n", + " 47\n", + " wednesday\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.54\n", - " 54325\n", - " 213.155.151.151\n", + " 49790\n", + " 54.72.42.191\n", " 443\n", " corelight_tutorial\n", - " CN=Google Internet Authority G2,O=Google Inc,C=US\n", - " e03fdb6b99211ce6d1ed8a21abf4b25b\n", + " CN=RapidSSL CA,O=GeoTrust\\, Inc.,C=US\n", + " 0a7d2a1f4e376ba050fdcc5fd6b59021\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " encrypted-tbn0.gstatic.com\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=*.google.com,O=Google Inc,L=Mountain View,S...\n", + " CN=*.wtp101.com,OU=Domain Control Validated - ...\n", " 34\n", - " 7\n", - " 2018-08-03T23:38:01.197148Z\n", - " Cba4DE4Joy5sToH3Ga\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:37:47.526753Z\n", + " CiWfUq3dko8hEkhCC7\n", " certificate has expired\n", " TLSv12\n", + " www.wtp101.com\n", " nan\n", " nan\n", " \n", " \n", - " 4254\n", - " ['FuTIDr2sly1alWQmdc', 'FIvCEv4orb8wRYCzVb', '...\n", - " TLS_RSA_WITH_AES_128_GCM_SHA256\n", - " nan\n", + " 1698\n", + " ['FjsOQZ2nyUckgewCtg', 'F5lywt3SUFBifAXhid', '...\n", + " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n", + " secp256r1\n", " 23\n", - " 3\n", + " 9\n", " 37\n", - " august\n", - " 47\n", - " friday\n", - " 2018\n", + " july\n", + " 33\n", + " wednesday\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.0.54\n", - " 49791\n", - " 37.252.162.22\n", + " 52290\n", + " 216.58.209.129\n", " 443\n", " corelight_tutorial\n", - " CN=GeoTrust SSL CA - G2,O=GeoTrust Inc.,C=US\n", - " bfa1674e65282fa3b5444623156e83bd\n", + " CN=Google Internet Authority G2,O=Google Inc,C=US\n", + " 0a7d2a1f4e376ba050fdcc5fd6b59021\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " secure.adnxs.com\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST...\n", + " CN=tpc.googlesyndication.com,O=Google Inc,L=Mo...\n", " 34\n", - " 7\n", - " 2018-08-03T23:37:47.528301Z\n", - " CV5iOU3t71sYvLrsdl\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:37:33.528232Z\n", + " CJG5F3emXLRu6uqvi\n", " certificate has expired\n", " TLSv12\n", - " nan\n", + " tpc.googlesyndication.com\n", + " h2-14\n", " nan\n", " \n", " \n", - " 984\n", - " ['FWDhHf30wTgq26Xkdd', 'FU0AuM32YTbHwyQPSi']\n", - " TLS_RSA_WITH_RC4_128_SHA\n", - " nan\n", + " 1286\n", + " ['FCuIV61dVOGul24zB9', 'FF9oXa4bIWM5aGWKSe', '...\n", + " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n", + " secp256r1\n", " 23\n", - " 3\n", - " 38\n", - " august\n", - " 49\n", - " friday\n", - " 2018\n", + " 9\n", + " 37\n", + " july\n", + " 44\n", + " wednesday\n", + " 2025\n", " 0\n", " true\n", - " nix-all-logs\n", " splunk.graphistry.com\n", - " 192.168.0.53\n", - " 4094\n", - " 157.55.239.247\n", + " 192.168.0.54\n", + " 49167\n", + " 216.58.209.138\n", " 443\n", " corelight_tutorial\n", - " CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Mic...\n", - " de350869b8c85de67a350c8d186f11e6\n", + " CN=Google Internet Authority G2,O=Google Inc,C=US\n", + " 6062f6c7c72e5cf557cc9698f4f31fce\n", " 1\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " false\n", - " nan\n", - " logs.tar:./ssl_20180803_16:37:08-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " CN=urs.microsoft.com\n", + " CN=*.googleapis.com,O=Google Inc,L=Mountain Vi...\n", " 34\n", - " 7\n", - " 2018-08-03T23:38:49.851328Z\n", - " CEuC7D2BGQVsNZCn83\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:37:44.636431Z\n", + " CI825GxULSxHD4OX4\n", " certificate has expired\n", - " TLSv10\n", - " nan\n", + " TLSv12\n", + " www.googleapis.com\n", + " h2-14\n", " nan\n", " \n", " \n", @@ -1189,23 +1153,21 @@ "" ], "text/plain": [ - " cert_chain_fuids{} cipher curve date_hour date_mday date_minute date_month date_second date_wday date_year date_zone established eventtype host id.orig_h id.orig_p id.resp_h id.resp_p index issuer ja3 linecount punct resumed server_name source sourcetype splunk_server splunk_server_group subject timeendpos timestartpos ts uid unix_category unix_group validation_status version last_alert next_protocol\n", - "1320 ['FQZjFv40RSQpUy84Uj', 'FLBUia3CvV6rXlaco9', '... TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 23 3 38 august 48 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.54 58973 108.160.162.115 443 corelight_tutorial CN=Go Daddy Secure Certificate Authority - G2,... 8d0230b6ce881f161d1875364f4a156b 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false nan logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.dropbox.com,OU=Domain Control Validated 34 7 2018-08-03T23:38:48.865254Z Cb2FMh1dXasX8ErQS7 all_hosts default certificate has expired TLSv10 nan nan\n", - "447 ['F5FcVbezfJGgnXJMh', 'FMOZCdFRjdUImboB7', 'Ft... TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp256r1 23 3 38 august 52 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.54 60552 213.155.151.185 443 corelight_tutorial CN=Google Internet Authority G2,O=Google Inc,C=US e417b0731e0f2c81dc81ca57cb597b25 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false play.google.com logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.google.com,O=Google Inc,L=Mountain View,S... 34 7 2018-08-03T23:38:52.096438Z CTmqJD21MWioFpGYj5 all_hosts default certificate has expired TLSv12 nan nan\n", - "1365 ['FPgvM233HvfObdRu1a', 'FBXJYA2TX28U8rhjG8', '... TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 23 3 38 august 48 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.54 58691 54.230.99.217 443 corelight_tutorial CN=VeriSign Class 3 Secure Server CA - G3,OU=T... e03fdb6b99211ce6d1ed8a21abf4b25b 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false d2d8g5sjza4b48.cloudfront.net logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.cloudfront.net,O=Amazon.com\\, Inc.,L=Seat... 34 7 2018-08-03T23:38:48.149782Z COskUkJOeimG7c8He all_hosts default certificate has expired TLSv12 nan nan\n", - "4318 ['FTPLH52E1n47WYWsZ3', 'FKngDk166EFPRwl8Kj', '... TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 23 3 37 august 47 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.51 47228 217.72.201.130 443 corelight_tutorial CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US 01f79a7537bf2cb8b8e8f450d291c632 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false 3c-bs.gmx.com logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=3c-bs.gmx.com,O=1&1 Mail & Media Inc.,L=Che... 34 7 2018-08-03T23:37:47.443768Z C9zRQz4DJgIiOzRG68 all_hosts default certificate has expired TLSv12 nan nan\n", - "3832 ['F3smzS84KN50e0ail', 'FMiALu2wPM6lmSaYNf', 'F... TLS_RSA_WITH_3DES_EDE_CBC_SHA nan 23 3 37 august 54 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.53 2140 212.227.111.53 443 corelight_tutorial CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US de350869b8c85de67a350c8d186f11e6 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false nan logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=navigator-bs.gmx.com,O=1&1 Mail & Media Inc... 34 7 2018-08-03T23:37:54.484612Z CndgSe2hXssGB423Cb all_hosts default certificate has expired TLSv10 nan nan\n", - "108 ['FWNhow4DgTw6wjM2n5', 'FyqNa4Jfi3ugk0kNi', 'F... TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 23 3 38 august 58 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.54 65169 173.194.71.189 443 corelight_tutorial CN=Google Internet Authority G2,O=Google Inc,C=US e03fdb6b99211ce6d1ed8a21abf4b25b 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false 6.client-channel.google.com logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.mail.google.com,O=Google Inc,L=Mountain V... 34 7 2018-08-03T23:38:58.478453Z CI0Gi9sVsgaAxk8ea all_hosts default certificate has expired TLSv12 nan nan\n", - "3647 ['FpqQSy49nt4FcSjhb', 'FG2diV2hbPbjisW39h', 'F... TLS_RSA_WITH_3DES_EDE_CBC_SHA nan 23 3 37 august 55 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.53 3172 217.72.201.130 443 corelight_tutorial CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US de350869b8c85de67a350c8d186f11e6 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false nan logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=3c-bs.gmx.com,O=1&1 Mail & Media Inc.,L=Che... 34 7 2018-08-03T23:37:55.876996Z C1Yfgb4mn7cCixGvmg all_hosts default certificate has expired TLSv10 nan nan\n", - "3490 ['FWIxfa2SDjdMzrnoCi', 'FWh9rP1nEb2WaKquqc', '... TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp256r1 23 3 38 august 1 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.54 54325 213.155.151.151 443 corelight_tutorial CN=Google Internet Authority G2,O=Google Inc,C=US e03fdb6b99211ce6d1ed8a21abf4b25b 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false encrypted-tbn0.gstatic.com logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.google.com,O=Google Inc,L=Mountain View,S... 34 7 2018-08-03T23:38:01.197148Z Cba4DE4Joy5sToH3Ga all_hosts default certificate has expired TLSv12 nan nan\n", - "4254 ['FuTIDr2sly1alWQmdc', 'FIvCEv4orb8wRYCzVb', '... TLS_RSA_WITH_AES_128_GCM_SHA256 nan 23 3 37 august 47 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.54 49791 37.252.162.22 443 corelight_tutorial CN=GeoTrust SSL CA - G2,O=GeoTrust Inc.,C=US bfa1674e65282fa3b5444623156e83bd 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false secure.adnxs.com logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST... 34 7 2018-08-03T23:37:47.528301Z CV5iOU3t71sYvLrsdl all_hosts default certificate has expired TLSv12 nan nan\n", - "984 ['FWDhHf30wTgq26Xkdd', 'FU0AuM32YTbHwyQPSi'] TLS_RSA_WITH_RC4_128_SHA nan 23 3 38 august 49 friday 2018 0 true nix-all-logs splunk.graphistry.com 192.168.0.53 4094 157.55.239.247 443 corelight_tutorial CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Mic... de350869b8c85de67a350c8d186f11e6 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false nan logs.tar:./ssl_20180803_16:37:08-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=urs.microsoft.com 34 7 2018-08-03T23:38:49.851328Z CEuC7D2BGQVsNZCn83 all_hosts default certificate has expired TLSv10 nan nan" + " cert_chain_fuids{} cipher curve date_hour date_mday date_minute date_month date_second date_wday date_year date_zone established host id.orig_h id.orig_p id.resp_h id.resp_p index issuer ja3 linecount punct resumed source sourcetype splunk_server splunk_server_group subject timeendpos timestartpos ts uid validation_status version server_name next_protocol last_alert\n", + "4161 ['Fqx5Sk1AYbuGv1toF3', 'FabRJ61BxafTjg1SHa', '... TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 23 14 38 february 18 friday 2025 0 true splunk.graphistry.com 192.168.0.54 61529 108.160.167.175 443 corelight_tutorial CN=Go Daddy Secure Certificate Authority - G2,... 8d0230b6ce881f161d1875364f4a156b 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.dropbox.com,OU=Domain Control Validated 34 18 2018-08-03T23:38:18.796898Z CG1lF65E0RwG3bv75 certificate has expired TLSv10 nan nan nan\n", + "683 ['FwjILy3taZBAPh6sVi', 'FcKu4D1pfpBvNRCbF4', '... TLS_RSA_WITH_3DES_EDE_CBC_SHA nan 23 9 37 july 49 wednesday 2025 0 true splunk.graphistry.com 192.168.0.53 1678 217.72.201.130 443 corelight_tutorial CN=thawte SSL CA - G2,O=thawte\\, Inc.,C=US de350869b8c85de67a350c8d186f11e6 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=3c-bs.gmx.com,O=1&1 Mail & Media Inc.,L=Che... 34 18 2018-08-03T23:37:49.938525Z CqILfRyd7VPTXQeb9 certificate has expired TLSv10 nan nan nan\n", + "3583 ['FqiaqT2iBRe9fDhgD1', 'FrtBBp16lvpDY6aPNh'] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 23 14 38 february 46 friday 2025 0 true splunk.graphistry.com 192.168.0.54 57476 64.4.61.94 443 corelight_tutorial CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Mic... 06207a1730b5deeb207b0556e102ded2 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.gateway.messenger.live.com 34 18 2018-08-03T23:38:46.396124Z CxI5Ni25P8fKKIyDXa certificate has expired TLSv10 nan nan nan\n", + "1963 ['Fmoam8lgG3fJH9hzh', 'FJUhV1aeezOahOpii'] TLS_DHE_RSA_WITH_AES_128_CBC_SHA nan 23 9 37 july 18 wednesday 2025 0 true splunk.graphistry.com 192.168.0.51 34390 63.245.217.20 443 corelight_tutorial CN=DigiCert SHA2 Secure Server CA,O=DigiCert I... ce694315cbb81ce95e6ae4ae8cbafde6 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=static-san.mozilla.org,O=Mozilla Foundation... 34 18 2018-08-03T23:37:18.250476Z C5WDaE4EbcIYQfkyLb certificate has expired TLSv12 live.mozillamessaging.com nan nan\n", + "4490 ['FR35Dk4yZpN9bgx3Pc', 'FfBVQ52tMzrdpurg0i'] TLS_RSA_WITH_RC4_128_SHA nan 23 14 38 february 12 friday 2025 0 true splunk.graphistry.com 192.168.0.54 50186 2.23.132.158 443 corelight_tutorial CN=GeoTrust SSL CA - G4,O=GeoTrust Inc.,C=US 2a458dd9c65afbcf591cd8c2a194b804 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=www.skypeassets.com,O=Skype\\, Inc.,L=Redmon... 34 18 2018-08-03T23:38:12.609952Z CcQizhZVrSVEsJMz certificate has expired TLSv12 static.skypeassets.com nan nan\n", + "5394 ['F7AKbYgGDYjqMeIIc', 'FFVEPe1eLPbzc57U6', 'Fh... TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp256r1 23 14 38 february 3 friday 2025 0 true splunk.graphistry.com 192.168.0.54 59940 216.58.209.129 443 corelight_tutorial CN=Google Internet Authority G2,O=Google Inc,C=US e03fdb6b99211ce6d1ed8a21abf4b25b 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.googleusercontent.com,O=Google Inc,L=Moun... 34 18 2018-08-03T23:38:03.766636Z CR0jwp4BfmSkd9jg7l certificate has expired TLSv12 s2.googleusercontent.com nan nan\n", + "3031 ['FkURzA3lnvLD9uLIP4', 'FSgiu444Nr8mgrRGI3'] TLS_RSA_WITH_RC4_128_SHA nan 23 14 38 february 50 friday 2025 0 true splunk.graphistry.com 192.168.0.53 4217 157.55.239.247 443 corelight_tutorial CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Mic... de350869b8c85de67a350c8d186f11e6 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=urs.microsoft.com 34 18 2018-08-03T23:38:50.098917Z CrZZXoNGKXlS9OBf1 certificate has expired TLSv10 nan nan nan\n", + "902 ['Frc21R1ZGhtC80B7g', 'FABXetnjdX7rnBodk'] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 23 9 37 july 47 wednesday 2025 0 true splunk.graphistry.com 192.168.0.54 49790 54.72.42.191 443 corelight_tutorial CN=RapidSSL CA,O=GeoTrust\\, Inc.,C=US 0a7d2a1f4e376ba050fdcc5fd6b59021 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.wtp101.com,OU=Domain Control Validated - ... 34 18 2018-08-03T23:37:47.526753Z CiWfUq3dko8hEkhCC7 certificate has expired TLSv12 www.wtp101.com nan nan\n", + "1698 ['FjsOQZ2nyUckgewCtg', 'F5lywt3SUFBifAXhid', '... TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 23 9 37 july 33 wednesday 2025 0 true splunk.graphistry.com 192.168.0.54 52290 216.58.209.129 443 corelight_tutorial CN=Google Internet Authority G2,O=Google Inc,C=US 0a7d2a1f4e376ba050fdcc5fd6b59021 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=tpc.googlesyndication.com,O=Google Inc,L=Mo... 34 18 2018-08-03T23:37:33.528232Z CJG5F3emXLRu6uqvi certificate has expired TLSv12 tpc.googlesyndication.com h2-14 nan\n", + "1286 ['FCuIV61dVOGul24zB9', 'FF9oXa4bIWM5aGWKSe', '... TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 23 9 37 july 44 wednesday 2025 0 true splunk.graphistry.com 192.168.0.54 49167 216.58.209.138 443 corelight_tutorial CN=Google Internet Authority G2,O=Google Inc,C=US 6062f6c7c72e5cf557cc9698f4f31fce 1 {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... false /datadrive/splunk/var/log/corelight-tutorial/s... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... CN=*.googleapis.com,O=Google Inc,L=Mountain Vi... 34 18 2018-08-03T23:37:44.636431Z CI825GxULSxHD4OX4 certificate has expired TLSv12 www.googleapis.com h2-14 nan" ] }, - "execution_count": 11, - "metadata": { - "tags": [] - }, + "execution_count": 15, + "metadata": {}, "output_type": "execute_result" } ], @@ -1248,7 +1210,7 @@ }, { "cell_type": "code", - "execution_count": 26, + "execution_count": 16, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -1265,23 +1227,25 @@ "text": [ "# links 32574\n", "# events 5429\n", - "# attrib entities 6647\n" + "# attrib entities 6648\n" ] }, { "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -1289,10 +1253,8 @@ "" ] }, - "execution_count": 26, - "metadata": { - "tags": [] - }, + "execution_count": 16, + "metadata": {}, "output_type": "execute_result" } ], @@ -1341,7 +1303,7 @@ }, { "cell_type": "code", - "execution_count": 23, + "execution_count": 17, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -1356,10 +1318,8 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 46\n", - "fetching: 0 - 50000\n", + "Search results: 46\n", + "Fetching: 0 - 5000\n", "# rows 46\n" ] }, @@ -1393,7 +1353,6 @@ " date_wday\n", " date_year\n", " date_zone\n", - " eventtype\n", " host\n", " id.orig_h\n", " id.orig_p\n", @@ -1416,11 +1375,8 @@ " timestartpos\n", " ts\n", " uid\n", - " unix_category\n", - " unix_group\n", " _bkt\n", " _cd\n", - " _eventtype_color\n", " _indextime\n", " _raw\n", " _serial\n", @@ -1437,8 +1393,10 @@ " status\n", " success\n", " username\n", + " eventtype\n", " tag\n", " tag::eventtype\n", + " _eventtype_color\n", " actions{}\n", " dropped\n", " dst\n", @@ -1466,51 +1424,59 @@ " \n", " \n", " \n", - " 40\n", - " nan\n", + " 19\n", + " SMB::FILE_OPEN\n", " 23\n", - " 3\n", + " 9\n", " 39\n", - " august\n", - " 1\n", - " friday\n", - " 2018\n", + " july\n", + " 2\n", + " wednesday\n", + " 2025\n", " 0\n", - " nix-all-logs\n", " splunk.graphistry.com\n", - " 125.5.61.130\n", - " 4577\n", - " 10.0.0.11\n", + " 172.16.1.8\n", + " 38896\n", + " 172.16.1.7\n", " 445\n", " corelight_tutorial\n", " 1\n", + " \\hack\\jpg.string\n", + " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", + " 12801\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " smb_files-too_small\n", + " splunk.graphistry.com\n", + " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", + " 34\n", + " 2018-07-24T17:56:05.524403Z\n", + " 2018-07-24T17:56:05.524403Z\n", + " 2018-07-24T17:56:05.524403Z\n", + " 2018-07-24T17:56:05.524403Z\n", + " 18\n", + " 2018-08-03T23:39:02.812722Z\n", + " COGaRD3cM7jP2XFdy8\n", + " corelight_tutorial~0~67A851F4-1BFE-4874-B653-8...\n", + " 0:1460368\n", + " 1753827598\n", + " {\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COG...\n", + " 19\n", + " ['splunk.graphistry.com', 'corelight_tutorial']\n", + " smb_files-too_small\n", + " .812722\n", + " 2025-07-10T01:39:02.812+02:00\n", + " nan\n", + " nan\n", + " nan\n", + " nan\n", + " nan\n", + " nan\n", " nan\n", - " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", " nan\n", - " logs.tar:./notice_20180803_16:37:37-16:40:00-0...\n", - " notice-too_small\n", - " splunk.graphistry.com\n", - " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " 34\n", " nan\n", " nan\n", " nan\n", " nan\n", - " 7\n", - " 2018-08-03T23:39:01.314346Z\n", - " C2P6jt32gESqlJqb32\n", - " all_hosts\n", - " default\n", - " corelight_tutorial~0~67A851F4-1BFE-4874-B653-8...\n", - " 0:8559886\n", - " none\n", - " 1558081367\n", - " {\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C2P...\n", - " 40\n", - " ['splunk.graphistry.com', 'corelight_tutorial']\n", - " notice-too_small\n", - " .314346\n", - " 2018-08-03T23:39:01.314+00:00\n", " nan\n", " nan\n", " nan\n", @@ -1522,16 +1488,6 @@ " nan\n", " nan\n", " nan\n", - " Notice::ACTION_LOG\n", - " false\n", - " 10.0.0.11\n", - " SMBv1 Connection 125.5.61.130 to 10.0.0.11\n", - " FindSMBv1::Seen\n", - " 445\n", - " bro\n", - " tcp\n", - " 125.5.61.130\n", - " 3600.0\n", " nan\n", " nan\n", " nan\n", @@ -1547,60 +1503,58 @@ " nan\n", " \n", " \n", - " 30\n", - " nan\n", + " 7\n", + " SMB::FILE_OPEN\n", " 23\n", - " 3\n", + " 9\n", " 39\n", - " august\n", + " july\n", " 2\n", - " friday\n", - " 2018\n", + " wednesday\n", + " 2025\n", " 0\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 172.16.1.8\n", - " 38889\n", + " 38896\n", " 172.16.1.7\n", " 445\n", " corelight_tutorial\n", " 1\n", - " nan\n", + " \\hack\\jpg.jpg\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", - " nan\n", - " logs.tar:./ntlm_20180803_16:39:01-16:40:00-070...\n", - " ntlm-too_small\n", + " 61292\n", + " /datadrive/splunk/var/log/corelight-tutorial/s...\n", + " smb_files-too_small\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", " 34\n", + " 2018-07-24T17:56:04.824403Z\n", + " 2018-07-24T17:56:04.832403Z\n", + " 2018-07-24T17:56:04.824403Z\n", + " 2018-07-24T17:56:04.832403Z\n", + " 18\n", + " 2018-08-03T23:39:02.908827Z\n", + " COGaRD3cM7jP2XFdy8\n", + " corelight_tutorial~0~67A851F4-1BFE-4874-B653-8...\n", + " 0:1460514\n", + " 1753827598\n", + " {\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COG...\n", + " 7\n", + " ['splunk.graphistry.com', 'corelight_tutorial']\n", + " smb_files-too_small\n", + " .908827\n", + " 2025-07-10T01:39:02.908+02:00\n", + " nan\n", + " nan\n", + " nan\n", " nan\n", " nan\n", " nan\n", " nan\n", - " 7\n", - " 2018-08-03T23:39:02.806384Z\n", - " CEYfiD3mbXWS12t6c1\n", - " all_hosts\n", - " default\n", - " corelight_tutorial~0~67A851F4-1BFE-4874-B653-8...\n", - " 0:8560022\n", - " none\n", - " 1558081367\n", - " {\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEY...\n", - " 30\n", - " ['splunk.graphistry.com', 'corelight_tutorial']\n", - " ntlm-too_small\n", - " .806384\n", - " 2018-08-03T23:39:02.806+00:00\n", " nan\n", " nan\n", " nan\n", " nan\n", - " WORKGROUP\n", - " INTENSE\n", - " SUCCESS\n", - " true\n", - " sonos\n", " nan\n", " nan\n", " nan\n", @@ -1628,65 +1582,50 @@ " nan\n", " \n", " \n", - " 13\n", - " SMB::FILE_OPEN\n", + " 41\n", + " nan\n", " 23\n", - " 3\n", + " 8\n", " 39\n", - " august\n", + " december\n", " 2\n", - " friday\n", - " 2018\n", + " wednesday\n", + " 2021\n", " 0\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 172.16.1.8\n", - " 38896\n", + " 38891\n", " 172.16.1.7\n", " 445\n", " corelight_tutorial\n", " 1\n", - " \\hack\\reporter.log\n", + " nan\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", - " 498\n", - " logs.tar:./smb_files_20180803_16:39:01-16:40:0...\n", - " smb_files-too_small\n", + " nan\n", + " /datadrive/splunk/var/log/corelight-tutorial/c...\n", + " conn\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", " 34\n", - " 2018-07-24T17:56:04.616403Z\n", - " 2018-07-24T17:56:04.620403Z\n", - " 2018-07-24T17:56:04.616403Z\n", - " 2018-07-24T17:56:04.620403Z\n", - " 7\n", - " 2018-08-03T23:39:02.858240Z\n", - " COGaRD3cM7jP2XFdy8\n", - " all_hosts\n", - " default\n", - " corelight_tutorial~0~67A851F4-1BFE-4874-B653-8...\n", - " 0:8560959\n", - " none\n", - " 1558081367\n", - " {\"ts\":\"2018-08-03T23:39:02.858240Z\",\"uid\":\"COG...\n", - " 13\n", - " ['splunk.graphistry.com', 'corelight_tutorial']\n", - " smb_files-too_small\n", - " .858240\n", - " 2018-08-03T23:39:02.858+00:00\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", " nan\n", " nan\n", " nan\n", " nan\n", + " 18\n", + " 2018-08-03T23:39:02.792963Z\n", + " Co7dkb3VZW4JUWlYV5\n", + " corelight_tutorial~2~67A851F4-1BFE-4874-B653-8...\n", + " 2:1187676\n", + " 1753827610\n", + " {\"ts\":\"2018-08-03T23:39:02.792963Z\",\"uid\":\"Co7...\n", + " 41\n", + " ['splunk.graphistry.com', 'corelight_tutorial']\n", + " conn\n", + " .792963\n", + " 2021-12-09T00:39:02.792+01:00\n", " nan\n", " nan\n", + " smb,gssapi,ntlm\n", " nan\n", " nan\n", " nan\n", @@ -1704,8 +1643,21 @@ " nan\n", " nan\n", " nan\n", + " tcp\n", " nan\n", " nan\n", + " SF\n", + " 0.000085\n", + " ShADadFf\n", + " false\n", + " false\n", + " 0\n", + " 886\n", + " 1310\n", + " 8\n", + " 506\n", + " 826\n", + " 6\n", " nan\n", " \n", " \n", @@ -1713,21 +1665,19 @@ "" ], "text/plain": [ - " action date_hour date_mday date_minute date_month date_second date_wday date_year date_zone eventtype host id.orig_h id.orig_p id.resp_h id.resp_p index linecount name punct size source sourcetype splunk_server splunk_server_group timeendpos times.accessed times.changed times.created times.modified timestartpos ts uid unix_category unix_group _bkt _cd _eventtype_color _indextime _raw _serial _si _sourcetype _subsecond _time native_file_system path service share_type domainname hostname status success \\\n", - "40 nan 23 3 39 august 1 friday 2018 0 nix-all-logs splunk.graphistry.com 125.5.61.130 4577 10.0.0.11 445 corelight_tutorial 1 nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... nan logs.tar:./notice_20180803_16:37:37-16:40:00-0... notice-too_small splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 34 nan nan nan nan 7 2018-08-03T23:39:01.314346Z C2P6jt32gESqlJqb32 all_hosts default corelight_tutorial~0~67A851F4-1BFE-4874-B653-8... 0:8559886 none 1558081367 {\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C2P... 40 ['splunk.graphistry.com', 'corelight_tutorial'] notice-too_small .314346 2018-08-03T23:39:01.314+00:00 nan nan nan nan nan nan nan nan \n", - "30 nan 23 3 39 august 2 friday 2018 0 nix-all-logs splunk.graphistry.com 172.16.1.8 38889 172.16.1.7 445 corelight_tutorial 1 nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... nan logs.tar:./ntlm_20180803_16:39:01-16:40:00-070... ntlm-too_small splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 34 nan nan nan nan 7 2018-08-03T23:39:02.806384Z CEYfiD3mbXWS12t6c1 all_hosts default corelight_tutorial~0~67A851F4-1BFE-4874-B653-8... 0:8560022 none 1558081367 {\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEY... 30 ['splunk.graphistry.com', 'corelight_tutorial'] ntlm-too_small .806384 2018-08-03T23:39:02.806+00:00 nan nan nan nan WORKGROUP INTENSE SUCCESS true \n", - "13 SMB::FILE_OPEN 23 3 39 august 2 friday 2018 0 nix-all-logs splunk.graphistry.com 172.16.1.8 38896 172.16.1.7 445 corelight_tutorial 1 \\hack\\reporter.log {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... 498 logs.tar:./smb_files_20180803_16:39:01-16:40:0... smb_files-too_small splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 34 2018-07-24T17:56:04.616403Z 2018-07-24T17:56:04.620403Z 2018-07-24T17:56:04.616403Z 2018-07-24T17:56:04.620403Z 7 2018-08-03T23:39:02.858240Z COGaRD3cM7jP2XFdy8 all_hosts default corelight_tutorial~0~67A851F4-1BFE-4874-B653-8... 0:8560959 none 1558081367 {\"ts\":\"2018-08-03T23:39:02.858240Z\",\"uid\":\"COG... 13 ['splunk.graphistry.com', 'corelight_tutorial'] smb_files-too_small .858240 2018-08-03T23:39:02.858+00:00 nan nan nan nan nan nan nan nan \n", + " action date_hour date_mday date_minute date_month date_second date_wday date_year date_zone host id.orig_h id.orig_p id.resp_h id.resp_p index linecount name punct size source sourcetype splunk_server splunk_server_group timeendpos times.accessed times.changed times.created times.modified timestartpos ts uid _bkt _cd _indextime _raw _serial _si _sourcetype _subsecond _time native_file_system path service share_type domainname hostname status success username eventtype tag tag::eventtype \\\n", + "19 SMB::FILE_OPEN 23 9 39 july 2 wednesday 2025 0 splunk.graphistry.com 172.16.1.8 38896 172.16.1.7 445 corelight_tutorial 1 \\hack\\jpg.string {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... 12801 /datadrive/splunk/var/log/corelight-tutorial/s... smb_files-too_small splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 34 2018-07-24T17:56:05.524403Z 2018-07-24T17:56:05.524403Z 2018-07-24T17:56:05.524403Z 2018-07-24T17:56:05.524403Z 18 2018-08-03T23:39:02.812722Z COGaRD3cM7jP2XFdy8 corelight_tutorial~0~67A851F4-1BFE-4874-B653-8... 0:1460368 1753827598 {\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COG... 19 ['splunk.graphistry.com', 'corelight_tutorial'] smb_files-too_small .812722 2025-07-10T01:39:02.812+02:00 nan nan nan nan nan nan nan nan nan nan nan nan \n", + "7 SMB::FILE_OPEN 23 9 39 july 2 wednesday 2025 0 splunk.graphistry.com 172.16.1.8 38896 172.16.1.7 445 corelight_tutorial 1 \\hack\\jpg.jpg {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... 61292 /datadrive/splunk/var/log/corelight-tutorial/s... smb_files-too_small splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 34 2018-07-24T17:56:04.824403Z 2018-07-24T17:56:04.832403Z 2018-07-24T17:56:04.824403Z 2018-07-24T17:56:04.832403Z 18 2018-08-03T23:39:02.908827Z COGaRD3cM7jP2XFdy8 corelight_tutorial~0~67A851F4-1BFE-4874-B653-8... 0:1460514 1753827598 {\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COG... 7 ['splunk.graphistry.com', 'corelight_tutorial'] smb_files-too_small .908827 2025-07-10T01:39:02.908+02:00 nan nan nan nan nan nan nan nan nan nan nan nan \n", + "41 nan 23 8 39 december 2 wednesday 2021 0 splunk.graphistry.com 172.16.1.8 38891 172.16.1.7 445 corelight_tutorial 1 nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... nan /datadrive/splunk/var/log/corelight-tutorial/c... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 34 nan nan nan nan 18 2018-08-03T23:39:02.792963Z Co7dkb3VZW4JUWlYV5 corelight_tutorial~2~67A851F4-1BFE-4874-B653-8... 2:1187676 1753827610 {\"ts\":\"2018-08-03T23:39:02.792963Z\",\"uid\":\"Co7... 41 ['splunk.graphistry.com', 'corelight_tutorial'] conn .792963 2021-12-09T00:39:02.792+01:00 nan nan smb,gssapi,ntlm nan nan nan nan nan nan nan nan nan \n", "\n", - " username tag tag::eventtype actions{} dropped dst msg note p peer_descr proto src suppress_for conn_state duration history local_orig local_resp missed_bytes orig_bytes orig_ip_bytes orig_pkts resp_bytes resp_ip_bytes resp_pkts orig_cc \n", - "40 nan nan nan Notice::ACTION_LOG false 10.0.0.11 SMBv1 Connection 125.5.61.130 to 10.0.0.11 FindSMBv1::Seen 445 bro tcp 125.5.61.130 3600.0 nan nan nan nan nan nan nan nan nan nan nan nan nan \n", - "30 sonos nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan \n", - "13 nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan " + " _eventtype_color actions{} dropped dst msg note p peer_descr proto src suppress_for conn_state duration history local_orig local_resp missed_bytes orig_bytes orig_ip_bytes orig_pkts resp_bytes resp_ip_bytes resp_pkts orig_cc \n", + "19 nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan \n", + "7 nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan \n", + "41 nan nan nan nan nan nan nan nan tcp nan nan SF 0.000085 ShADadFf false false 0 886 1310 8 506 826 6 nan " ] }, - "execution_count": 23, - "metadata": { - "tags": [] - }, + "execution_count": 17, + "metadata": {}, "output_type": "execute_result" } ], @@ -1765,7 +1715,7 @@ }, { "cell_type": "code", - "execution_count": 24, + "execution_count": 18, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -1782,23 +1732,25 @@ "text": [ "# links 460\n", "# events 46\n", - "# attrib entities 31\n" + "# attrib entities 36\n" ] }, { "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -1806,10 +1758,8 @@ "" ] }, - "execution_count": 24, - "metadata": { - "tags": [] - }, + "execution_count": 18, + "metadata": {}, "output_type": "execute_result" } ], @@ -1862,7 +1812,7 @@ }, { "cell_type": "code", - "execution_count": 110, + "execution_count": 20, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -1877,11 +1827,11 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 13412\n", - "fetching: 0 - 50000\n", - "# rows 13412\n" + "Search results: 13399\n", + "Fetching: 0 - 5000\n", + "Fetching: 5000 - 10000\n", + "Fetching: 10000 - 15000\n", + "# rows 13399\n" ] }, { @@ -1933,38 +1883,63 @@ " avg(resp_bytes)\n", " sum(orig_bytes)\n", " sum(resp_bytes)\n", - " answers\n", - " values(qtype_name)\n", - " values(issuer)\n", - " values(ja3)\n", - " values(subject)\n", - " values(last_alert)\n", " \n", " \n", " \n", " \n", - " 7526\n", + " 8223\n", + " 192.168.0.54\n", + " 73.170.185.232\n", + " 2\n", + " 1639006703.513396\n", + " 1752104303.513390\n", + " SF\n", + " 2.838849090737255\n", + " 0\n", + " 370\n", + " 320\n", + " 690\n", + " 2.555345348636877\n", + " 0\n", + " 236\n", + " 202.5\n", + " 438.5\n", + " 5.110690697273754\n", + " 0\n", + " 472\n", + " 405\n", + " 877\n", + " ['Dd', 'ShADadFf']\n", + " 78\n", + " 29\n", + " 62\n", + " 28.5\n", + " 124\n", + " 57\n", + " \n", + " \n", + " 8849\n", " 192.168.0.54\n", - " 54.149.255.94\n", + " 83.149.41.40\n", " 1\n", - " 1533339495.896320\n", - " 1533339495.896320\n", + " 1752104294.487483\n", + " 1752104294.487483\n", " S0\n", - " 2.0170333392987803\n", + " 2\n", " 0\n", - " 104\n", + " 100\n", " 0\n", - " 104\n", - " 2.0170333392987803\n", + " 100\n", + " 2\n", " 0\n", - " 104\n", + " 100\n", " 0\n", - " 104\n", - " 2.0170333392987803\n", + " 100\n", + " 2\n", " 0\n", - " 104\n", + " 100\n", " 0\n", - " 104\n", + " 100\n", " S\n", " 0\n", " 0\n", @@ -1972,102 +1947,51 @@ " 0\n", " 0\n", " 0\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", " \n", " \n", - " 2073\n", - " 192.168.0.51\n", - " 131.103.28.9\n", + " 9697\n", + " 192.168.0.54\n", + " 95.42.110.200\n", " 2\n", - " 1533339457.494446\n", - " 1533339457.495081\n", - " SF\n", - " 3.8985606449397117\n", + " 1639006700.978599\n", + " 1752104300.978589\n", + " S0\n", + " 2.1818435879447726\n", " 0\n", - " 1674\n", - " 6243\n", - " 7917\n", - " 3.8985606449397117\n", + " 152\n", " 0\n", - " 1674\n", - " 6243\n", - " 7917\n", - " 3.8985606449397117\n", + " 152\n", + " 1.93154241266018\n", " 0\n", - " 1674\n", - " 6243\n", - " 7917\n", - " ShADadtfF\n", - " 822\n", - " 5299\n", - " 822\n", - " 5299\n", - " 822\n", - " 5299\n", - " nan\n", - " nan\n", - " CN=DigiCert SHA2 High Assurance Server CA,OU=w...\n", - " aa7f5e2ada5d7bb8a7dceed01f5ffd7c\n", - " CN=*.atlassian.com,O=Atlassian Pty Ltd,L=Sydne...\n", - " nan\n", - " \n", - " \n", - " 8156\n", - " 192.168.0.54\n", - " 70.83.216.152\n", - " 1\n", - " 1533339495.028559\n", - " 1533339495.028559\n", - " S0\n", - " 1.7323937598229684\n", + " 100\n", + " 0\n", + " 100\n", + " 3.86308482532036\n", + " 0\n", + " 200\n", + " 0\n", + " 200\n", + " ['D', 'S']\n", " 0\n", - " 54\n", " 0\n", - " 54\n", - " 1.7323937598229684\n", " 0\n", - " 54\n", " 0\n", - " 54\n", - " 1.7323937598229684\n", " 0\n", - " 54\n", " 0\n", - " 54\n", - " D\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", - " nan\n", " \n", " \n", "\n", "" ], "text/plain": [ - " id.orig_h id.resp_h count earliest(_time) latest(_time) values(conn_state) max(log_total_bytes) max(missed_bytes) max(orig_ip_bytes) max(resp_ip_bytes) max(total_bytes) avg(log_total_bytes) avg(missed_bytes) avg(orig_ip_bytes) avg(resp_ip_bytes) avg(total_bytes) sum(log_total_bytes) sum(missed_bytes) sum(orig_ip_bytes) sum(resp_ip_bytes) sum(total_bytes) values(history) max(orig_bytes) max(resp_bytes) avg(orig_bytes) avg(resp_bytes) sum(orig_bytes) sum(resp_bytes) answers values(qtype_name) values(issuer) values(ja3) values(subject) values(last_alert)\n", - "7526 192.168.0.54 54.149.255.94 1 1533339495.896320 1533339495.896320 S0 2.0170333392987803 0 104 0 104 2.0170333392987803 0 104 0 104 2.0170333392987803 0 104 0 104 S 0 0 0 0 0 0 nan nan nan nan nan nan\n", - "2073 192.168.0.51 131.103.28.9 2 1533339457.494446 1533339457.495081 SF 3.8985606449397117 0 1674 6243 7917 3.8985606449397117 0 1674 6243 7917 3.8985606449397117 0 1674 6243 7917 ShADadtfF 822 5299 822 5299 822 5299 nan nan CN=DigiCert SHA2 High Assurance Server CA,OU=w... aa7f5e2ada5d7bb8a7dceed01f5ffd7c CN=*.atlassian.com,O=Atlassian Pty Ltd,L=Sydne... nan\n", - "8156 192.168.0.54 70.83.216.152 1 1533339495.028559 1533339495.028559 S0 1.7323937598229684 0 54 0 54 1.7323937598229684 0 54 0 54 1.7323937598229684 0 54 0 54 D nan nan nan nan nan nan nan nan nan nan nan nan" + " id.orig_h id.resp_h count earliest(_time) latest(_time) values(conn_state) max(log_total_bytes) max(missed_bytes) max(orig_ip_bytes) max(resp_ip_bytes) max(total_bytes) avg(log_total_bytes) avg(missed_bytes) avg(orig_ip_bytes) avg(resp_ip_bytes) avg(total_bytes) sum(log_total_bytes) sum(missed_bytes) sum(orig_ip_bytes) sum(resp_ip_bytes) sum(total_bytes) values(history) max(orig_bytes) max(resp_bytes) avg(orig_bytes) avg(resp_bytes) sum(orig_bytes) sum(resp_bytes)\n", + "8223 192.168.0.54 73.170.185.232 2 1639006703.513396 1752104303.513390 SF 2.838849090737255 0 370 320 690 2.555345348636877 0 236 202.5 438.5 5.110690697273754 0 472 405 877 ['Dd', 'ShADadFf'] 78 29 62 28.5 124 57\n", + "8849 192.168.0.54 83.149.41.40 1 1752104294.487483 1752104294.487483 S0 2 0 100 0 100 2 0 100 0 100 2 0 100 0 100 S 0 0 0 0 0 0\n", + "9697 192.168.0.54 95.42.110.200 2 1639006700.978599 1752104300.978589 S0 2.1818435879447726 0 152 0 152 1.93154241266018 0 100 0 100 3.86308482532036 0 200 0 200 ['D', 'S'] 0 0 0 0 0 0" ] }, - "execution_count": 110, - "metadata": { - "tags": [] - }, + "execution_count": 20, + "metadata": {}, "output_type": "execute_result" } ], @@ -2121,7 +2045,7 @@ }, { "cell_type": "code", - "execution_count": 111, + "execution_count": 21, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -2136,9 +2060,9 @@ "name": "stdout", "output_type": "stream", "text": [ - "# links 13412\n", - "# events 13412\n", - "# attrib entities 11814\n", + "# links 13399\n", + "# events 13399\n", + "# attrib entities 11801\n", "coloring for range 1.591064607026499 8.528258188610675\n" ] }, @@ -2146,16 +2070,18 @@ "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -2163,10 +2089,8 @@ "" ] }, - "execution_count": 111, - "metadata": { - "tags": [] - }, + "execution_count": 21, + "metadata": {}, "output_type": "execute_result" } ], @@ -2222,7 +2146,7 @@ }, { "cell_type": "code", - "execution_count": 121, + "execution_count": 22, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -2237,10 +2161,9 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 10000\n", - "fetching: 0 - 50000\n", + "Search results: 10000\n", + "Fetching: 0 - 5000\n", + "Fetching: 5000 - 10000\n", "# rows 10000\n" ] }, @@ -2281,45 +2204,45 @@ " \n", " \n", " \n", - " 4002\n", + " 2695\n", " 192.168.1.128\n", " 34.215.241.13\n", - " 586301a21f2856f046af6810d4c9f859b4d2c256a9b638...\n", + " 3ba601a21f9d75cae406311fef410ee3862363c26f435f...\n", " 228\n", " 1\n", - " 1533339541.689877\n", - " 1533339541.689877\n", - " 108301a21f368b8052f9baffff18fed30b.sweetcoldwa...\n", + " 1639006741.798440\n", + " 1639006741.798440\n", + " 68f501a21f8dc4b0e7423dffff18fee307.sweetcoldwa...\n", " MX\n", " CaAbvy2ureWe5sifRf\n", " 228\n", " 53\n", " \n", " \n", - " 3204\n", + " 7625\n", " 192.168.1.128\n", " 34.215.241.13\n", - " 469501a21fd21adfdab9d4009aca8b170f9f3c8d5f060c...\n", + " a79301a21fd2003f4201660c9f407d0ba92aebcc4eeb83...\n", " 228\n", " 1\n", - " 1533339541.637895\n", - " 1533339541.637895\n", - " da6d01a21f319600da70b5ffff18e6782c.sweetcoldwa...\n", - " CNAME\n", + " 1639006741.680896\n", + " 1639006741.680896\n", + " 2a8901a21f20aa11843cfaffff18fe653d.sweetcoldwa...\n", + " nan\n", " CaAbvy2ureWe5sifRf\n", " 228\n", " 53\n", " \n", " \n", - " 9399\n", + " 7493\n", " 192.168.1.128\n", " 34.215.241.13\n", - " cf4201a21fed8911b08e25090722890fcf8d5fa7a4c436...\n", + " a4ca01a21fb84122d311fe19da1f5616ce725bf3935bf9...\n", " 228\n", " 1\n", - " 1533339541.664138\n", - " 1533339541.664138\n", - " fac401a21f7c72f814e2bbffff18fe302d.sweetcoldwa...\n", + " 1639006741.727527\n", + " 1639006741.727527\n", + " 4ca301a21fa137a2275d72ffff18fed5a5.sweetcoldwa...\n", " CNAME\n", " CaAbvy2ureWe5sifRf\n", " 228\n", @@ -2331,22 +2254,20 @@ ], "text/plain": [ " id.orig_h id.resp_h query query_length count earliest(_time) latest(_time) answers values(qtype_name) first(uid) max_query_or_answer_length max_long_answers_length\n", - "4002 192.168.1.128 34.215.241.13 586301a21f2856f046af6810d4c9f859b4d2c256a9b638... 228 1 1533339541.689877 1533339541.689877 108301a21f368b8052f9baffff18fed30b.sweetcoldwa... MX CaAbvy2ureWe5sifRf 228 53\n", - "3204 192.168.1.128 34.215.241.13 469501a21fd21adfdab9d4009aca8b170f9f3c8d5f060c... 228 1 1533339541.637895 1533339541.637895 da6d01a21f319600da70b5ffff18e6782c.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53\n", - "9399 192.168.1.128 34.215.241.13 cf4201a21fed8911b08e25090722890fcf8d5fa7a4c436... 228 1 1533339541.664138 1533339541.664138 fac401a21f7c72f814e2bbffff18fe302d.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53" + "2695 192.168.1.128 34.215.241.13 3ba601a21f9d75cae406311fef410ee3862363c26f435f... 228 1 1639006741.798440 1639006741.798440 68f501a21f8dc4b0e7423dffff18fee307.sweetcoldwa... MX CaAbvy2ureWe5sifRf 228 53\n", + "7625 192.168.1.128 34.215.241.13 a79301a21fd2003f4201660c9f407d0ba92aebcc4eeb83... 228 1 1639006741.680896 1639006741.680896 2a8901a21f20aa11843cfaffff18fe653d.sweetcoldwa... nan CaAbvy2ureWe5sifRf 228 53\n", + "7493 192.168.1.128 34.215.241.13 a4ca01a21fb84122d311fe19da1f5616ce725bf3935bf9... 228 1 1639006741.727527 1639006741.727527 4ca301a21fa137a2275d72ffff18fed5a5.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53" ] }, - "execution_count": 121, - "metadata": { - "tags": [] - }, + "execution_count": 22, + "metadata": {}, "output_type": "execute_result" } ], "source": [ "dns_b_df = splunkToPandas(\"\"\"\n", "\n", - " search index=\"corelight_tutorial\" sourcetype=\"conn\"\n", + " search index=\"corelight_tutorial\" sourcetype=\"dns-2\"\n", " \n", " | eval total_bytes = orig_ip_bytes + resp_ip_bytes\n", " | eval log_total_bytes = log(orig_ip_bytes + resp_ip_bytes)\n", @@ -2410,7 +2331,7 @@ }, { "cell_type": "code", - "execution_count": 122, + "execution_count": 23, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -2427,25 +2348,26 @@ "text": [ "# links 40000\n", "# events 10000\n", - "# attrib entities 19444\n", - "coloring for range 228.0 252.0\n", - "Uploading 5279 kB. This may take a while...\n" + "# attrib entities 19445\n", + "coloring for range 228.0 252.0\n" ] }, { "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -2453,10 +2375,8 @@ "" ] }, - "execution_count": 122, - "metadata": { - "tags": [] - }, + "execution_count": 23, + "metadata": {}, "output_type": "execute_result" } ], @@ -2494,7 +2414,7 @@ }, { "cell_type": "code", - "execution_count": 124, + "execution_count": 24, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -2509,10 +2429,15 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 36352\n", - "fetching: 0 - 50000\n", + "Search results: 36352\n", + "Fetching: 0 - 5000\n", + "Fetching: 5000 - 10000\n", + "Fetching: 10000 - 15000\n", + "Fetching: 15000 - 20000\n", + "Fetching: 20000 - 25000\n", + "Fetching: 25000 - 30000\n", + "Fetching: 30000 - 35000\n", + "Fetching: 35000 - 40000\n", "# rows 36352\n" ] }, @@ -2545,7 +2470,6 @@ " date_wday\n", " date_year\n", " date_zone\n", - " eventtype\n", " host\n", " id.orig_h\n", " id.orig_p\n", @@ -2565,8 +2489,7 @@ " timestartpos\n", " ts\n", " uid\n", - " unix_category\n", - " unix_group\n", + " addl\n", " conn_state\n", " duration\n", " history\n", @@ -2599,42 +2522,56 @@ " rtt\n", " resp_cc\n", " service\n", - " addl\n", " \n", " \n", " \n", " \n", - " 27809\n", + " 3439\n", " 23\n", - " 3\n", + " 8\n", " 39\n", - " august\n", - " 1\n", - " friday\n", - " 2018\n", + " december\n", + " 2\n", + " wednesday\n", + " 2021\n", " 0\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.1.128\n", - " 62035\n", - " 34.215.241.13\n", - " 53\n", + " 56308\n", + " 192.168.1.139\n", + " 4443\n", " corelight_tutorial\n", " 1\n", " nan\n", " nan\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", - " logs.tar:./dns_20180803_16:36:44-16:40:00-0700...\n", + " /datadrive/splunk/var/log/corelight-tutorial/c...\n", " conn\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " 2018-08-03T23:39:01.801257Z\n", + " 2018-08-03T23:39:02.339922Z\n", " 34\n", - " 7\n", - " 2018-08-03T23:39:01.801257Z\n", - " CaAbvy2ureWe5sifRf\n", - " all_hosts\n", - " default\n", + " 18\n", + " 2018-08-03T23:39:02.339922Z\n", + " C6jDxd1F9k7DRiuRA1\n", + " nan\n", + " REJ\n", + " 0.000051\n", + " Sr\n", + " true\n", + " true\n", + " 0\n", + " 0\n", + " 44\n", + " 1\n", + " tcp\n", + " 0\n", + " 40\n", + " 1\n", + " nan\n", + " nan\n", + " nan\n", + " nan\n", " nan\n", " nan\n", " nan\n", @@ -2644,77 +2581,56 @@ " nan\n", " nan\n", " nan\n", - " udp\n", " nan\n", " nan\n", " nan\n", - " false\n", - " true\n", - " true\n", - " false\n", - " 0\n", - " 1\n", - " C_INTERNET\n", - " 16\n", - " TXT\n", - " 558601a21fe8d80facb642208680d56ffd9a327fabbde2...\n", - " false\n", - " 52644\n", - " 60.0\n", - " TXT 34 1ded01a21f9d26a538aec8ffff18fe16c1\n", - " 0\n", - " NOERROR\n", - " 0.000026\n", " nan\n", " nan\n", " nan\n", " \n", " \n", - " 4819\n", + " 7300\n", " 23\n", - " 3\n", + " 8\n", " 39\n", - " august\n", + " december\n", " 2\n", - " friday\n", - " 2018\n", + " wednesday\n", + " 2021\n", " 0\n", - " nix-all-logs\n", " splunk.graphistry.com\n", + " 192.168.1.105\n", + " 1039\n", " 192.168.1.128\n", " 56308\n", - " 192.168.1.180\n", - " 1070\n", " corelight_tutorial\n", " 1\n", " nan\n", " nan\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", - " logs.tar:./conn_20180803_16:37:13-16:40:00-070...\n", + " /datadrive/splunk/var/log/corelight-tutorial/c...\n", " conn\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " 2018-08-03T23:39:02.325427Z\n", + " 2018-08-03T23:39:02.300674Z\n", " 34\n", - " 7\n", - " 2018-08-03T23:39:02.325427Z\n", - " CSJA4w3NXtHNCDjKff\n", - " all_hosts\n", - " default\n", - " REJ\n", - " 0.000047\n", - " Sr\n", + " 18\n", + " 2018-08-03T23:39:02.300674Z\n", + " CFQz0L1Y7GPJkRZtBd\n", + " nan\n", + " RSTOS0\n", + " nan\n", + " R\n", " true\n", " true\n", " 0\n", - " 0\n", - " 44\n", - " 1\n", - " tcp\n", - " 0\n", + " nan\n", " 40\n", " 1\n", + " tcp\n", " nan\n", + " 0\n", + " 0\n", " nan\n", " nan\n", " nan\n", @@ -2736,16 +2652,15 @@ " nan\n", " \n", " \n", - " 27698\n", + " 33466\n", " 23\n", - " 3\n", + " 8\n", " 39\n", - " august\n", + " december\n", " 1\n", - " friday\n", - " 2018\n", + " wednesday\n", + " 2021\n", " 0\n", - " nix-all-logs\n", " splunk.graphistry.com\n", " 192.168.1.128\n", " 62035\n", @@ -2756,17 +2671,16 @@ " nan\n", " nan\n", " {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"...\n", - " logs.tar:./dns_20180803_16:36:44-16:40:00-0700...\n", - " conn\n", + " /datadrive/splunk/var/log/corelight-tutorial/d...\n", + " dns-2\n", " splunk.graphistry.com\n", " ['dmc_group_cluster_master', 'dmc_group_deploy...\n", - " 2018-08-03T23:39:01.803307Z\n", + " 2018-08-03T23:39:01.667083Z\n", " 34\n", - " 7\n", - " 2018-08-03T23:39:01.803307Z\n", + " 18\n", + " 2018-08-03T23:39:01.667083Z\n", " CaAbvy2ureWe5sifRf\n", - " all_hosts\n", - " default\n", + " nan\n", " nan\n", " nan\n", " nan\n", @@ -2787,35 +2701,32 @@ " 0\n", " 1\n", " C_INTERNET\n", - " 5\n", - " CNAME\n", - " 2a6901a21f468022f3acf320ede6e51fc0b952fb2be047...\n", + " 15\n", + " MX\n", + " ba2001a21f51a0795f0fb709a842c0c7423c26071707fc...\n", " false\n", - " 12869\n", + " 145\n", " 60.0\n", - " ab6101a21f33dc16682c22ffff18fe346b.sweetcoldwa...\n", + " 7feb01a21f805a26080da9ffff18fe7a33.sweetcoldwa...\n", " 0\n", " NOERROR\n", " 0.000007\n", " nan\n", " nan\n", - " nan\n", " \n", " \n", "\n", "" ], "text/plain": [ - " date_hour date_mday date_minute date_month date_second date_wday date_year date_zone eventtype host id.orig_h id.orig_p id.resp_h id.resp_p index linecount name notice punct source sourcetype splunk_server splunk_server_group time timeendpos timestartpos ts uid unix_category unix_group conn_state duration history local_orig local_resp missed_bytes orig_bytes orig_ip_bytes orig_pkts proto resp_bytes resp_ip_bytes resp_pkts AA RA RD TC Z qclass qclass_name qtype qtype_name query rejected trans_id TTLs{} answers rcode rcode_name rtt resp_cc service addl\n", - "27809 23 3 39 august 1 friday 2018 0 nix-all-logs splunk.graphistry.com 192.168.1.128 62035 34.215.241.13 53 corelight_tutorial 1 nan nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... logs.tar:./dns_20180803_16:36:44-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 2018-08-03T23:39:01.801257Z 34 7 2018-08-03T23:39:01.801257Z CaAbvy2ureWe5sifRf all_hosts default nan nan nan nan nan nan nan nan nan udp nan nan nan false true true false 0 1 C_INTERNET 16 TXT 558601a21fe8d80facb642208680d56ffd9a327fabbde2... false 52644 60.0 TXT 34 1ded01a21f9d26a538aec8ffff18fe16c1 0 NOERROR 0.000026 nan nan nan\n", - "4819 23 3 39 august 2 friday 2018 0 nix-all-logs splunk.graphistry.com 192.168.1.128 56308 192.168.1.180 1070 corelight_tutorial 1 nan nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... logs.tar:./conn_20180803_16:37:13-16:40:00-070... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 2018-08-03T23:39:02.325427Z 34 7 2018-08-03T23:39:02.325427Z CSJA4w3NXtHNCDjKff all_hosts default REJ 0.000047 Sr true true 0 0 44 1 tcp 0 40 1 nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan\n", - "27698 23 3 39 august 1 friday 2018 0 nix-all-logs splunk.graphistry.com 192.168.1.128 62035 34.215.241.13 53 corelight_tutorial 1 nan nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... logs.tar:./dns_20180803_16:36:44-16:40:00-0700... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 2018-08-03T23:39:01.803307Z 34 7 2018-08-03T23:39:01.803307Z CaAbvy2ureWe5sifRf all_hosts default nan nan nan nan nan nan nan nan nan udp nan nan nan false true true false 0 1 C_INTERNET 5 CNAME 2a6901a21f468022f3acf320ede6e51fc0b952fb2be047... false 12869 60.0 ab6101a21f33dc16682c22ffff18fe346b.sweetcoldwa... 0 NOERROR 0.000007 nan nan nan" + " date_hour date_mday date_minute date_month date_second date_wday date_year date_zone host id.orig_h id.orig_p id.resp_h id.resp_p index linecount name notice punct source sourcetype splunk_server splunk_server_group time timeendpos timestartpos ts uid addl conn_state duration history local_orig local_resp missed_bytes orig_bytes orig_ip_bytes orig_pkts proto resp_bytes resp_ip_bytes resp_pkts AA RA RD TC Z qclass qclass_name qtype qtype_name query rejected trans_id TTLs{} answers rcode rcode_name rtt resp_cc service\n", + "3439 23 8 39 december 2 wednesday 2021 0 splunk.graphistry.com 192.168.1.128 56308 192.168.1.139 4443 corelight_tutorial 1 nan nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... /datadrive/splunk/var/log/corelight-tutorial/c... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 2018-08-03T23:39:02.339922Z 34 18 2018-08-03T23:39:02.339922Z C6jDxd1F9k7DRiuRA1 nan REJ 0.000051 Sr true true 0 0 44 1 tcp 0 40 1 nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan\n", + "7300 23 8 39 december 2 wednesday 2021 0 splunk.graphistry.com 192.168.1.105 1039 192.168.1.128 56308 corelight_tutorial 1 nan nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... /datadrive/splunk/var/log/corelight-tutorial/c... conn splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 2018-08-03T23:39:02.300674Z 34 18 2018-08-03T23:39:02.300674Z CFQz0L1Y7GPJkRZtBd nan RSTOS0 nan R true true 0 nan 40 1 tcp nan 0 0 nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan nan\n", + "33466 23 8 39 december 1 wednesday 2021 0 splunk.graphistry.com 192.168.1.128 62035 34.215.241.13 53 corelight_tutorial 1 nan nan {\"\":\"--::.\",\"\":\"\",\".\":\"...\",\".\":,\".\":\"...\",\".\"... /datadrive/splunk/var/log/corelight-tutorial/d... dns-2 splunk.graphistry.com ['dmc_group_cluster_master', 'dmc_group_deploy... 2018-08-03T23:39:01.667083Z 34 18 2018-08-03T23:39:01.667083Z CaAbvy2ureWe5sifRf nan nan nan nan nan nan nan nan nan nan udp nan nan nan false true true false 0 1 C_INTERNET 15 MX ba2001a21f51a0795f0fb709a842c0c7423c26071707fc... false 145 60.0 7feb01a21f805a26080da9ffff18fe7a33.sweetcoldwa... 0 NOERROR 0.000007 nan nan" ] }, - "execution_count": 124, - "metadata": { - "tags": [] - }, + "execution_count": 24, + "metadata": {}, "output_type": "execute_result" } ], @@ -2841,7 +2752,7 @@ }, { "cell_type": "code", - "execution_count": 125, + "execution_count": 25, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -2865,16 +2776,18 @@ "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -2882,10 +2795,8 @@ "" ] }, - "execution_count": 125, - "metadata": { - "tags": [] - }, + "execution_count": 25, + "metadata": {}, "output_type": "execute_result" } ], @@ -2912,7 +2823,7 @@ }, { "cell_type": "code", - "execution_count": 132, + "execution_count": 26, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -2927,10 +2838,9 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 10000\n", - "fetching: 0 - 50000\n", + "Search results: 10000\n", + "Fetching: 0 - 5000\n", + "Fetching: 5000 - 10000\n", "# rows 10000\n" ] }, @@ -2971,46 +2881,46 @@ " \n", " \n", " \n", - " 1450\n", + " 4836\n", " 192.168.1.128\n", " 34.215.241.13\n", - " 1fa301a21fad17d74da48c2691f28cafc9d1174b4b4aa0...\n", + " 6ad301a21fdf70af44d345284fe366d976ef399381e80e...\n", " 228\n", " 1\n", - " 1533339541.827051\n", - " 1533339541.827051\n", - " 719b01a21fb4847a8590f6ffff18fe292d.sweetcoldwa...\n", + " 1639006741.832416\n", + " 1639006741.832416\n", + " 4ed101a21f69f323c2a42bffff18feb3f1.sweetcoldwa...\n", " nan\n", " CaAbvy2ureWe5sifRf\n", " 228\n", " 53\n", " \n", " \n", - " 9370\n", + " 5211\n", " 192.168.1.128\n", " 34.215.241.13\n", - " ceb101a21fa46c6c9589542b03c29258c9ed5a1eb36f55...\n", + " 731c01a21fab55b70f6ccd0a0ecc50946bd6f605799380...\n", " 228\n", " 1\n", - " 1533339541.838568\n", - " 1533339541.838568\n", - " ba4a01a21f2a46458b317effff18feab79.sweetcoldwa...\n", - " nan\n", + " 1639006741.669395\n", + " 1639006741.669395\n", + " 853801a21fe024bd1e9ad9ffff18fe9877.sweetcoldwa...\n", + " MX\n", " CaAbvy2ureWe5sifRf\n", " 228\n", " 53\n", " \n", " \n", - " 3141\n", + " 1841\n", " 192.168.1.128\n", " 34.215.241.13\n", - " 450601a21f17ea238c375d0eafb2c10619d0f9fde7b685...\n", + " 28ab01a21f5dc1685be27f0babf011f8830ec58888da9d...\n", " 228\n", " 1\n", - " 1533339541.685329\n", - " 1533339541.685329\n", - " 0d7901a21f18392f8a98f9ffff18fe2b9d.sweetcoldwa...\n", - " MX\n", + " 1639006741.677097\n", + " 1639006741.677097\n", + " ca1301a21fafc6527dd87effff18fe1735.sweetcoldwa...\n", + " CNAME\n", " CaAbvy2ureWe5sifRf\n", " 228\n", " 53\n", @@ -3021,22 +2931,20 @@ ], "text/plain": [ " id.orig_h id.resp_h query query_length count earliest(_time) latest(_time) answers values(qtype_name) first(uid) max_query_or_answer_length max_long_answers_length\n", - "1450 192.168.1.128 34.215.241.13 1fa301a21fad17d74da48c2691f28cafc9d1174b4b4aa0... 228 1 1533339541.827051 1533339541.827051 719b01a21fb4847a8590f6ffff18fe292d.sweetcoldwa... nan CaAbvy2ureWe5sifRf 228 53\n", - "9370 192.168.1.128 34.215.241.13 ceb101a21fa46c6c9589542b03c29258c9ed5a1eb36f55... 228 1 1533339541.838568 1533339541.838568 ba4a01a21f2a46458b317effff18feab79.sweetcoldwa... nan CaAbvy2ureWe5sifRf 228 53\n", - "3141 192.168.1.128 34.215.241.13 450601a21f17ea238c375d0eafb2c10619d0f9fde7b685... 228 1 1533339541.685329 1533339541.685329 0d7901a21f18392f8a98f9ffff18fe2b9d.sweetcoldwa... MX CaAbvy2ureWe5sifRf 228 53" + "4836 192.168.1.128 34.215.241.13 6ad301a21fdf70af44d345284fe366d976ef399381e80e... 228 1 1639006741.832416 1639006741.832416 4ed101a21f69f323c2a42bffff18feb3f1.sweetcoldwa... nan CaAbvy2ureWe5sifRf 228 53\n", + "5211 192.168.1.128 34.215.241.13 731c01a21fab55b70f6ccd0a0ecc50946bd6f605799380... 228 1 1639006741.669395 1639006741.669395 853801a21fe024bd1e9ad9ffff18fe9877.sweetcoldwa... MX CaAbvy2ureWe5sifRf 228 53\n", + "1841 192.168.1.128 34.215.241.13 28ab01a21f5dc1685be27f0babf011f8830ec58888da9d... 228 1 1639006741.677097 1639006741.677097 ca1301a21fafc6527dd87effff18fe1735.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53" ] }, - "execution_count": 132, - "metadata": { - "tags": [] - }, + "execution_count": 26, + "metadata": {}, "output_type": "execute_result" } ], "source": [ "dns_b3_df = splunkToPandas(\"\"\"\n", "\n", - " search index=\"corelight_tutorial\" sourcetype=\"conn\"\n", + " search index=\"corelight_tutorial\" sourcetype=\"dns-2\"\n", " C3ApkJ3TwWW64DtnWb OR CaAbvy2ureWe5sifRf OR 10.0.2.30 OR 10.0.2.20 OR 34.215.241.13 OR 192.168.1.128\n", " \n", " | eval total_bytes = orig_ip_bytes + resp_ip_bytes\n", @@ -3084,7 +2992,7 @@ }, { "cell_type": "code", - "execution_count": 138, + "execution_count": 27, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -3101,25 +3009,26 @@ "text": [ "# links 40000\n", "# events 10000\n", - "# attrib entities 19446\n", - "coloring for range 228.0 252.0\n", - "Uploading 5280 kB. This may take a while...\n" + "# attrib entities 19447\n", + "coloring for range 228.0 252.0\n" ] }, { "data": { "text/html": [ "\n", - " \n", " \n", " \n", " " ], @@ -3127,10 +3036,8 @@ "" ] }, - "execution_count": 138, - "metadata": { - "tags": [] - }, + "execution_count": 27, + "metadata": {}, "output_type": "execute_result" } ], @@ -3173,7 +3080,7 @@ }, { "cell_type": "code", - "execution_count": 139, + "execution_count": 28, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -3188,10 +3095,8 @@ "name": "stdout", "output_type": "stream", "text": [ - "Search results:\n", - "\n", - "results 5\n", - "fetching: 0 - 50000\n", + "Search results: 5\n", + "Fetching: 0 - 5000\n", "# rows 10000\n" ] }, @@ -3232,46 +3137,46 @@ " \n", " \n", " \n", - " 1587\n", + " 880\n", " 192.168.1.128\n", " 34.215.241.13\n", - " 231b01a21f318daa80a49920b083b87c41939785632e31...\n", + " 12ca01a21fb477d69012f9126e3cdc6ffc24a3a83023ac...\n", " 228\n", " 1\n", - " 1533339541.802094\n", - " 1533339541.802094\n", - " e86101a21fe1d2f1f98635ffff18fe20ed.sweetcoldwa...\n", - " CNAME\n", + " 1639006741.694151\n", + " 1639006741.694151\n", + " TXT 34 b26501a21f3ed6a854a517ffff18fe6b6f\n", + " TXT\n", " CaAbvy2ureWe5sifRf\n", " 228\n", - " 53\n", + " nan\n", " \n", " \n", - " 8026\n", + " 4401\n", " 192.168.1.128\n", " 34.215.241.13\n", - " b0d601a21f98da0b6f7c8d041d959c7d209119e909e764...\n", + " 60ce01a21fcc7f5332d67608cb12cbe64f3f521b28fb4d...\n", " 228\n", " 1\n", - " 1533339541.640072\n", - " 1533339541.640072\n", - " TXT 34 ca1d01a21f02b47131a643ffff18fe9f83\n", - " TXT\n", + " 1639006741.662850\n", + " 1639006741.662850\n", + " 591801a21ff7605fae8fafffff18fe2cf5.sweetcoldwa...\n", + " CNAME\n", " CaAbvy2ureWe5sifRf\n", " 228\n", - " nan\n", + " 53\n", " \n", " \n", - " 2554\n", + " 8563\n", " 192.168.1.128\n", " 34.215.241.13\n", - " 38be01a21f0693e4ef0d9026781730d0d0e38957aff9f7...\n", + " bc9101a21f27d3494a7ffc28e4398fdef38b5632fe0317...\n", " 228\n", " 1\n", - " 1533339541.826877\n", - " 1533339541.826877\n", - " 80d001a21f4a8d7cda9a66ffff18fe11b7.sweetcoldwa...\n", - " nan\n", + " 1639006741.833688\n", + " 1639006741.833688\n", + " aa0201a21fcb82345d685fffff18fee10f.sweetcoldwa...\n", + " CNAME\n", " CaAbvy2ureWe5sifRf\n", " 228\n", " 53\n", @@ -3282,15 +3187,13 @@ ], "text/plain": [ " id.orig_h id.resp_h query query_length count earliest(_time) latest(_time) answers values(qtype_name) first(uid) max_query_or_answer_length max_long_answers_length\n", - "1587 192.168.1.128 34.215.241.13 231b01a21f318daa80a49920b083b87c41939785632e31... 228 1 1533339541.802094 1533339541.802094 e86101a21fe1d2f1f98635ffff18fe20ed.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53\n", - "8026 192.168.1.128 34.215.241.13 b0d601a21f98da0b6f7c8d041d959c7d209119e909e764... 228 1 1533339541.640072 1533339541.640072 TXT 34 ca1d01a21f02b47131a643ffff18fe9f83 TXT CaAbvy2ureWe5sifRf 228 nan\n", - "2554 192.168.1.128 34.215.241.13 38be01a21f0693e4ef0d9026781730d0d0e38957aff9f7... 228 1 1533339541.826877 1533339541.826877 80d001a21f4a8d7cda9a66ffff18fe11b7.sweetcoldwa... nan CaAbvy2ureWe5sifRf 228 53" + "880 192.168.1.128 34.215.241.13 12ca01a21fb477d69012f9126e3cdc6ffc24a3a83023ac... 228 1 1639006741.694151 1639006741.694151 TXT 34 b26501a21f3ed6a854a517ffff18fe6b6f TXT CaAbvy2ureWe5sifRf 228 nan\n", + "4401 192.168.1.128 34.215.241.13 60ce01a21fcc7f5332d67608cb12cbe64f3f521b28fb4d... 228 1 1639006741.662850 1639006741.662850 591801a21ff7605fae8fafffff18fe2cf5.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53\n", + "8563 192.168.1.128 34.215.241.13 bc9101a21f27d3494a7ffc28e4398fdef38b5632fe0317... 228 1 1639006741.833688 1639006741.833688 aa0201a21fcb82345d685fffff18fee10f.sweetcoldwa... CNAME CaAbvy2ureWe5sifRf 228 53" ] }, - "execution_count": 139, - "metadata": { - "tags": [] - }, + "execution_count": 28, + "metadata": {}, "output_type": "execute_result" } ], @@ -3308,66 +3211,10 @@ "dns_b3_df.sample(3)" ] }, - { - "cell_type": "markdown", - "metadata": { - "colab_type": "text", - "id": "06daL9vNISfX" - }, - "source": [ - "### The graph:\n", - "??" - ] - }, - { - "cell_type": "code", - "execution_count": null, - "metadata": { - "colab": {}, - "colab_type": "code", - "id": "deMdXbYPsAWI" - }, - "outputs": [], - "source": [ - "## Old a" - ] - }, - { - "cell_type": "markdown", - "metadata": { - "colab_type": "text", - "id": "xz28uSGQdcTT" - }, - "source": [ - "# Old A" - ] - }, - { - "cell_type": "markdown", - "metadata": { - "colab_type": "text", - "id": "YteH7bKkrxDG" - }, - "source": [] - }, - { - "cell_type": "markdown", - "metadata": { - "colab_type": "text", - "id": "Ux1mPZdLVbjC" - }, - "source": [ - "Graph Modeling" - ] - }, { "cell_type": "code", "execution_count": null, - "metadata": { - "colab": {}, - "colab_type": "code", - "id": "45qoFq4joW2u" - }, + "metadata": {}, "outputs": [], "source": [] } @@ -3380,7 +3227,7 @@ "version": "0.3.2" }, "kernelspec": { - "display_name": "Python 3.8.10 64-bit", + "display_name": "Python 3 (ipykernel)", "language": "python", "name": "python3" }, @@ -3394,7 +3241,7 @@ "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", - "version": "3.8.10" + "version": "3.12.3" }, "vscode": { "interpreter": { @@ -3403,5 +3250,5 @@ } }, "nbformat": 4, - "nbformat_minor": 1 + "nbformat_minor": 4 } From 5ba57f18c6d5281954aa95797c937a1bfa0ac8a5 Mon Sep 17 00:00:00 2001 From: Sindre Breda Date: Wed, 30 Jul 2025 16:55:14 +0200 Subject: [PATCH 2/3] feat(demos): Add .env file support to Corelight notebook Add secure credential management to the Corelight demo notebook while preserving the Splunk integration fixes. * Add python-dotenv dependency for environment variable support * Implement hierarchical configuration: manual > env vars > .env file * Add comprehensive documentation for all configuration options * Provide clear success/failure feedback for Graphistry registration * Maintain backward compatibility with manual configuration * Fix regex escape sequence warnings in helper functions * Preserve all existing Splunk integration fixes This combines secure credential management with the working Splunk functionality, providing users with a complete and secure demo experience. --- .../graphistry_corelight_webinar.ipynb | 36 ++++++------------- 1 file changed, 11 insertions(+), 25 deletions(-) diff --git a/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb b/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb index 8ba87bf1e..a9e46f2c8 100644 --- a/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb +++ b/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb @@ -46,28 +46,19 @@ }, { "cell_type": "code", - "execution_count": 1, + "execution_count": null, "metadata": { "colab": {}, "colab_type": "code", "id": "qCGyNd9Q52Uo" }, "outputs": [], - "source": [ - "#graphistry\n", - "# To specify Graphistry account & server, use:\n", - "# graphistry.register(api=3, username='...', password='...', protocol='https', server='hub.graphistry.com')\n", - "# For more options: https://pygraphistry.readthedocs.io/en/latest/server/register.html \n", - "\n", - "#splunk\n", - "SPLUNK = {\n", - " 'host': 'SPLUNK.MYSITE.COM',\n", - " 'scheme': 'https',\n", - " 'port': 8089,\n", - " 'username': 'corelight_tutorial',\n", - " 'password': 'MY_SPLUNK_PWD' \n", - "}\n" - ] + "source": "!pip install python-dotenv graphistry pandas -q" + }, + { + "cell_type": "markdown", + "source": "import os\nfrom dotenv import load_dotenv\n\n# Load environment variables from .env file (if it exists)\nload_dotenv()\n\n# Configuration options (in order of precedence):\n# 1. Manual configuration (highest priority) - uncomment to override\n# 2. Environment variables \n# 3. .env file (lowest priority)\n\nGRAPHISTRY_CONFIG = {\n # Uncomment and modify any values below to override environment variables:\n # 'api': 3,\n # 'username': 'your_username',\n # 'password': 'your_password', \n # 'protocol': 'https',\n # 'server': 'hub.graphistry.com'\n}\n\n# Load configuration from environment with fallbacks\nGRAPHISTRY = {\n 'api': GRAPHISTRY_CONFIG.get('api', int(os.getenv('GRAPHISTRY_API', '3'))),\n 'username': GRAPHISTRY_CONFIG.get('username', os.getenv('GRAPHISTRY_USERNAME')),\n 'password': GRAPHISTRY_CONFIG.get('password', os.getenv('GRAPHISTRY_PASSWORD')),\n 'protocol': GRAPHISTRY_CONFIG.get('protocol', os.getenv('GRAPHISTRY_PROTOCOL', 'https')),\n 'server': GRAPHISTRY_CONFIG.get('server', os.getenv('GRAPHISTRY_SERVER', 'hub.graphistry.com'))\n}\n\n# Remove None values\nGRAPHISTRY = {k: v for k, v in GRAPHISTRY.items() if v is not None}\n\n# Splunk configuration - fill in your details\nSPLUNK = {\n 'host': 'SPLUNK.MYSITE.COM',\n 'scheme': 'https',\n 'port': 8089,\n 'username': 'corelight_tutorial',\n 'password': 'MY_SPLUNK_PWD' \n}", + "metadata": {} }, { "cell_type": "code", @@ -95,7 +86,7 @@ }, { "cell_type": "code", - "execution_count": 2, + "execution_count": null, "metadata": { "colab": { "base_uri": "https://localhost:8080/", @@ -106,10 +97,7 @@ "outputId": "b789aeb7-27da-4bf2-ed51-beb16f1f617e" }, "outputs": [], - "source": [ - "!pip install graphistry -q\n", - "!pip install splunk-sdk -q" - ] + "source": "import pandas as pd\npd.set_option('display.max_rows', 500)\npd.set_option('display.max_columns', 500)\npd.set_option('display.width', 1000)\n\nimport sys\nimport numpy as np\nimport math\nnp.set_printoptions(threshold=sys.maxsize)\n\nimport re\n\nimport graphistry\n\nif GRAPHISTRY.get('username') and GRAPHISTRY.get('password'):\n graphistry.register(**GRAPHISTRY)\n print(\"✅ Registered with Graphistry successfully\")\n print(f\" Server: {GRAPHISTRY.get('server', 'hub.graphistry.com')}\")\n print(f\" Username: {GRAPHISTRY.get('username', 'N/A')}\")\nelse:\n print(\"⚠️ Graphistry credentials not found.\")\n print(\" Please configure using one of the methods described above.\")\n print(\" The notebook will continue but visualizations may not work.\")" }, { "cell_type": "code", @@ -181,9 +169,7 @@ "colab_type": "text", "id": "OHsCPWOsFQVY" }, - "source": [ - "### General" - ] + "source": "def safe_log(v):\n try:\n v2 = float(v)\n return math.log(round(v2) + 1) if not np.isnan(v2) else 0\n except:\n return 0\n \n \n# Convert bytes to log of numbers\n# Running this twice is safe (idempotent)\n# Returns a copy (no mutation of the original)\ndef log_of_bytes(df):\n df2 = df.copy()\n for c in [c for c in df.columns if re.match('.*bytes.*', c) and not re.match(r'log\\(.*', c)]:\n df2['log(' + c + ')'] = df[c].apply(safe_log) \n return df2" }, { "cell_type": "code", @@ -3251,4 +3237,4 @@ }, "nbformat": 4, "nbformat_minor": 4 -} +} \ No newline at end of file From 538e86cdcdd39cef44ce547e3d9909db9de7c30b Mon Sep 17 00:00:00 2001 From: Sindre Breda Date: Wed, 30 Jul 2025 17:16:59 +0200 Subject: [PATCH 3/3] feat(demos): Add .env support for Splunk credentials in Corelight notebook Extend environment variable support to include Splunk configuration, providing secure credential management for both services. * Add Splunk environment variable support with hierarchical configuration * Update documentation to show both Graphistry and Splunk .env settings * Add connection feedback for Splunk with clear success/failure messages * Maintain backward compatibility with manual configuration * Support all Splunk connection parameters: host, scheme, port, username, password This completes the secure credential management implementation by supporting both Graphistry and Splunk credentials through environment variables, making the demo easier and safer to use. --- .../graphistry_corelight_webinar.ipynb | 200 ++++++++++++++---- 1 file changed, 161 insertions(+), 39 deletions(-) diff --git a/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb b/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb index a9e46f2c8..15cfe72f0 100644 --- a/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb +++ b/demos/demos_by_use_case/logs/network-threat-hunting-masterclass-zeek-bro/graphistry_corelight_webinar.ipynb @@ -45,20 +45,58 @@ ] }, { - "cell_type": "code", - "execution_count": null, + "cell_type": "markdown", "metadata": { "colab": {}, "colab_type": "code", "id": "qCGyNd9Q52Uo" }, - "outputs": [], - "source": "!pip install python-dotenv graphistry pandas -q" - }, - { - "cell_type": "markdown", - "source": "import os\nfrom dotenv import load_dotenv\n\n# Load environment variables from .env file (if it exists)\nload_dotenv()\n\n# Configuration options (in order of precedence):\n# 1. Manual configuration (highest priority) - uncomment to override\n# 2. Environment variables \n# 3. .env file (lowest priority)\n\nGRAPHISTRY_CONFIG = {\n # Uncomment and modify any values below to override environment variables:\n # 'api': 3,\n # 'username': 'your_username',\n # 'password': 'your_password', \n # 'protocol': 'https',\n # 'server': 'hub.graphistry.com'\n}\n\n# Load configuration from environment with fallbacks\nGRAPHISTRY = {\n 'api': GRAPHISTRY_CONFIG.get('api', int(os.getenv('GRAPHISTRY_API', '3'))),\n 'username': GRAPHISTRY_CONFIG.get('username', os.getenv('GRAPHISTRY_USERNAME')),\n 'password': GRAPHISTRY_CONFIG.get('password', os.getenv('GRAPHISTRY_PASSWORD')),\n 'protocol': GRAPHISTRY_CONFIG.get('protocol', os.getenv('GRAPHISTRY_PROTOCOL', 'https')),\n 'server': GRAPHISTRY_CONFIG.get('server', os.getenv('GRAPHISTRY_SERVER', 'hub.graphistry.com'))\n}\n\n# Remove None values\nGRAPHISTRY = {k: v for k, v in GRAPHISTRY.items() if v is not None}\n\n# Splunk configuration - fill in your details\nSPLUNK = {\n 'host': 'SPLUNK.MYSITE.COM',\n 'scheme': 'https',\n 'port': 8089,\n 'username': 'corelight_tutorial',\n 'password': 'MY_SPLUNK_PWD' \n}", - "metadata": {} + "source": [ + "## Graphistry and Splunk Configuration\n", + "\n", + "This notebook supports multiple ways to configure your credentials:\n", + "\n", + "### Option 1: .env file (Recommended)\n", + "Create a `.env` file in the notebook directory with:\n", + "\n", + "#### Graphistry Configuration:\n", + "```\n", + "GRAPHISTRY_USERNAME=your_username\n", + "GRAPHISTRY_PASSWORD=your_password\n", + "GRAPHISTRY_SERVER=hub.graphistry.com\n", + "GRAPHISTRY_PROTOCOL=https\n", + "GRAPHISTRY_API=3\n", + "```\n", + "\n", + "#### Splunk Configuration:\n", + "```\n", + "SPLUNK_HOST=SPLUNK.MYSITE.COM\n", + "SPLUNK_SCHEME=https\n", + "SPLUNK_PORT=8089\n", + "SPLUNK_USERNAME=corelight_tutorial\n", + "SPLUNK_PASSWORD=MY_SPLUNK_PWD\n", + "```\n", + "\n", + "### Option 2: Environment variables\n", + "Set environment variables directly:\n", + "```bash\n", + "# Graphistry\n", + "export GRAPHISTRY_USERNAME=your_username\n", + "export GRAPHISTRY_PASSWORD=your_password\n", + "\n", + "# Splunk\n", + "export SPLUNK_HOST=SPLUNK.MYSITE.COM\n", + "export SPLUNK_USERNAME=corelight_tutorial\n", + "export SPLUNK_PASSWORD=MY_SPLUNK_PWD\n", + "```\n", + "\n", + "### Option 3: Manual configuration\n", + "Uncomment and modify the `GRAPHISTRY_CONFIG` and `SPLUNK_CONFIG` dictionaries in the configuration cell below.\n", + "\n", + "**Security Note**: Never commit credentials to version control. Add `.env` to your `.gitignore` file.\n", + "\n", + "For more options: https://pygraphistry.readthedocs.io/en/latest/server/register.html" + ] }, { "cell_type": "code", @@ -66,12 +104,60 @@ "metadata": {}, "outputs": [], "source": [ + "import os\n", + "from dotenv import load_dotenv\n", + "\n", + "# Load environment variables from .env file (if it exists)\n", + "load_dotenv()\n", + "\n", + "# Configuration options (in order of precedence):\n", + "# 1. Manual configuration (highest priority) - uncomment to override\n", + "# 2. Environment variables \n", + "# 3. .env file (lowest priority)\n", + "\n", + "# Graphistry Configuration\n", + "GRAPHISTRY_CONFIG = {\n", + " # Uncomment and modify any values below to override environment variables:\n", + " # 'api': 3,\n", + " # 'username': 'your_username',\n", + " # 'password': 'your_password', \n", + " # 'protocol': 'https',\n", + " # 'server': 'hub.graphistry.com'\n", + "}\n", + "\n", + "# Load Graphistry configuration from environment with fallbacks\n", "GRAPHISTRY = {\n", - " \"api\":3,\n", - " \"personal_key_id\": \"YOUR_KEY_ID\",\n", - " \"personal_key_secret\": \"YOUR_SECRET\",\n", - " \"server\": \"hub.graphistry.com\"\n", - "}" + " 'api': GRAPHISTRY_CONFIG.get('api', int(os.getenv('GRAPHISTRY_API', '3'))),\n", + " 'username': GRAPHISTRY_CONFIG.get('username', os.getenv('GRAPHISTRY_USERNAME')),\n", + " 'password': GRAPHISTRY_CONFIG.get('password', os.getenv('GRAPHISTRY_PASSWORD')),\n", + " 'protocol': GRAPHISTRY_CONFIG.get('protocol', os.getenv('GRAPHISTRY_PROTOCOL', 'https')),\n", + " 'server': GRAPHISTRY_CONFIG.get('server', os.getenv('GRAPHISTRY_SERVER', 'hub.graphistry.com'))\n", + "}\n", + "\n", + "# Remove None values\n", + "GRAPHISTRY = {k: v for k, v in GRAPHISTRY.items() if v is not None}\n", + "\n", + "# Splunk Configuration\n", + "SPLUNK_CONFIG = {\n", + " # Uncomment and modify any values below to override environment variables:\n", + " # 'host': 'SPLUNK.MYSITE.COM',\n", + " # 'scheme': 'https',\n", + " # 'port': 8089,\n", + " # 'username': 'corelight_tutorial',\n", + " # 'password': 'MY_SPLUNK_PWD'\n", + "}\n", + "\n", + "# Load Splunk configuration from environment with fallbacks\n", + "SPLUNK = {\n", + " 'host': SPLUNK_CONFIG.get('host', os.getenv('SPLUNK_HOST', 'SPLUNK.MYSITE.COM')),\n", + " 'scheme': SPLUNK_CONFIG.get('scheme', os.getenv('SPLUNK_SCHEME', 'https')),\n", + " 'port': SPLUNK_CONFIG.get('port', int(os.getenv('SPLUNK_PORT', '8089'))),\n", + " 'username': SPLUNK_CONFIG.get('username', os.getenv('SPLUNK_USERNAME', 'corelight_tutorial')),\n", + " 'password': SPLUNK_CONFIG.get('password', os.getenv('SPLUNK_PASSWORD', 'MY_SPLUNK_PWD'))\n", + "}\n", + "\n", + "# Remove None values\n", + "SPLUNK = {k: v for k, v in SPLUNK.items() if v is not None}" ] }, { @@ -97,28 +183,6 @@ "outputId": "b789aeb7-27da-4bf2-ed51-beb16f1f617e" }, "outputs": [], - "source": "import pandas as pd\npd.set_option('display.max_rows', 500)\npd.set_option('display.max_columns', 500)\npd.set_option('display.width', 1000)\n\nimport sys\nimport numpy as np\nimport math\nnp.set_printoptions(threshold=sys.maxsize)\n\nimport re\n\nimport graphistry\n\nif GRAPHISTRY.get('username') and GRAPHISTRY.get('password'):\n graphistry.register(**GRAPHISTRY)\n print(\"✅ Registered with Graphistry successfully\")\n print(f\" Server: {GRAPHISTRY.get('server', 'hub.graphistry.com')}\")\n print(f\" Username: {GRAPHISTRY.get('username', 'N/A')}\")\nelse:\n print(\"⚠️ Graphistry credentials not found.\")\n print(\" Please configure using one of the methods described above.\")\n print(\" The notebook will continue but visualizations may not work.\")" - }, - { - "cell_type": "code", - "execution_count": 3, - "metadata": { - "colab": {}, - "colab_type": "code", - "id": "SPEFa-Hv6UNu" - }, - "outputs": [ - { - "data": { - "text/plain": [ - "" - ] - }, - "execution_count": 3, - "metadata": {}, - "output_type": "execute_result" - } - ], "source": [ "import pandas as pd\n", "pd.set_option('display.max_rows', 500)\n", @@ -133,7 +197,48 @@ "import re\n", "\n", "import graphistry\n", - "graphistry.register(**GRAPHISTRY)" + "\n", + "if GRAPHISTRY.get('username') and GRAPHISTRY.get('password'):\n", + " graphistry.register(**GRAPHISTRY)\n", + " print(\"✅ Registered with Graphistry successfully\")\n", + " print(f\" Server: {GRAPHISTRY.get('server', 'hub.graphistry.com')}\")\n", + " print(f\" Username: {GRAPHISTRY.get('username', 'N/A')}\")\n", + "else:\n", + " print(\"⚠️ Graphistry credentials not found.\")\n", + " print(\" Please configure using one of the methods described above.\")\n", + " print(\" The notebook will continue but visualizations may not work.\")" + ] + }, + { + "cell_type": "code", + "execution_count": null, + "metadata": { + "colab": {}, + "colab_type": "code", + "id": "SPEFa-Hv6UNu" + }, + "outputs": [], + "source": [ + "import splunklib\n", + "import splunklib.client as client\n", + "import splunklib.results as results\n", + "\n", + "# Provide feedback on Splunk configuration\n", + "if SPLUNK.get('password') and SPLUNK.get('password') != 'MY_SPLUNK_PWD':\n", + " print(\"📊 Attempting to connect to Splunk...\")\n", + " print(f\" Host: {SPLUNK.get('host', 'Not configured')}\")\n", + " print(f\" Username: {SPLUNK.get('username', 'Not configured')}\")\n", + " try:\n", + " service = client.connect(**SPLUNK)\n", + " print(\"✅ Successfully connected to Splunk\")\n", + " except Exception as e:\n", + " print(f\"❌ Failed to connect to Splunk: {str(e)}\")\n", + " print(\" Please check your Splunk credentials and connection settings.\")\n", + "else:\n", + " print(\"⚠️ Splunk credentials not configured.\")\n", + " print(\" Please configure using one of the methods described above.\")\n", + " print(\" The notebook will not be able to query Splunk data.\")\n", + " service = None" ] }, { @@ -169,7 +274,24 @@ "colab_type": "text", "id": "OHsCPWOsFQVY" }, - "source": "def safe_log(v):\n try:\n v2 = float(v)\n return math.log(round(v2) + 1) if not np.isnan(v2) else 0\n except:\n return 0\n \n \n# Convert bytes to log of numbers\n# Running this twice is safe (idempotent)\n# Returns a copy (no mutation of the original)\ndef log_of_bytes(df):\n df2 = df.copy()\n for c in [c for c in df.columns if re.match('.*bytes.*', c) and not re.match(r'log\\(.*', c)]:\n df2['log(' + c + ')'] = df[c].apply(safe_log) \n return df2" + "source": [ + "def safe_log(v):\n", + " try:\n", + " v2 = float(v)\n", + " return math.log(round(v2) + 1) if not np.isnan(v2) else 0\n", + " except:\n", + " return 0\n", + " \n", + " \n", + "# Convert bytes to log of numbers\n", + "# Running this twice is safe (idempotent)\n", + "# Returns a copy (no mutation of the original)\n", + "def log_of_bytes(df):\n", + " df2 = df.copy()\n", + " for c in [c for c in df.columns if re.match('.*bytes.*', c) and not re.match(r'log\\(.*', c)]:\n", + " df2['log(' + c + ')'] = df[c].apply(safe_log) \n", + " return df2" + ] }, { "cell_type": "code", @@ -3237,4 +3359,4 @@ }, "nbformat": 4, "nbformat_minor": 4 -} \ No newline at end of file +}