SIEM Detection Queries
# SPLUNK SPL QUERIES
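# Detect brute-force login attempts: many 401 responses from one client in a short window.
# The count is bucketed by time so the threshold means something — ten failures spread
# over a whole search window is not brute force, ten within five minutes is.
# sort 0 lifts the default 10,000-row cap on sort output.
# NOTE(review): the stock access_combined extraction names the client field clientip;
# if src_ip is not a custom extraction in this environment, rename it here.
index=web sourcetype=access_combined status=401
| bucket _time span=5m
| stats count AS failures BY _time, src_ip
| where failures > 10
| sort 0 -failures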
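# Detect a successful login that follows a run of failures from the same client.
# endswith closes the transaction on the first 200, so "failures, then success" is
# enforced rather than merely "failures and a success somewhere in the window".
# After transaction, status is a multivalue field, so the original filter
# "where ... AND status=200" was not a reliable test; the endswith condition replaces it.
# eventcount > 5 means at least five 401s preceded the closing 200.
# NOTE(review): action=login assumes a custom field extraction on the login URI — confirm.
index=web action=login (status=401 OR status=200)
| transaction src_ip maxspan=5m endswith="status=200"
| where eventcount > 5
| table _time, src_ip, eventcount, duration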
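# Detect SQL injection attempts in the request URI.
# The OR alternatives must be parenthesised: without the brackets the search parses as
# (index=web uri="*union*select*") OR uri="*OR+1=1*" OR uri="*%27*", and the last two
# patterns run against every index the searching user can read.
# "%27" (an encoded single quote) on its own is noisy — any URL carrying an apostrophe
# matches — so expect to tune that term.
index=web (uri="*union*select*" OR uri="*OR+1=1*" OR uri="*%27*")
| table _time, src_ip, uri, status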
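# Detect request parameters commonly used by web shells (cmd=, exec=, system=) on PHP endpoints.
# Parenthesised for the same reason as the SQLi search above: an unbracketed OR chain
# scopes only the first pattern to index=web and runs the other two across every index.
# status is included so a 200 (the shell answered) can be told from a 404 (probe for a shell
# that is not there).
index=web (uri="*.php*cmd=*" OR uri="*.php*exec=*" OR uri="*.php*system=*")
| table _time, src_ip, uri, status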
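# Detect possible data exfiltration: clients pulling very large successful responses.
# The size filter is pushed into the base search so the indexers drop small responses
# instead of streaming every 200 to the search head for a later where.
# count is kept alongside the byte total so one legitimate large download can be told
# apart from a sustained pull; sort 0 lifts the default 10,000-row cap.
# NOTE(review): access_combined extracts the response size as bytes, not bytes_out — confirm
# the field name in this environment.
# Range/partial downloads answer with 206 and are excluded by status=200; widen to
# status IN (200, 206) if chunked downloads matter here.
index=web status=200 bytes_out>1000000
| stats count AS large_responses, sum(bytes_out) AS total_bytes BY src_ip
| sort 0 -total_bytes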
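# Windows Event Log — logons that were granted SeDebugPrivilege (EventCode 4672,
# "Special privileges assigned to new logon").
# 4672 is written for every logon of an account that already holds the privilege, so on
# its own it is an inventory of privileged use rather than evidence of escalation.
# Machine accounts (name ending in $) and the built-in service identities are excluded to
# cut the noise, and results are aggregated per account and sorted ascending so a rarely
# seen account surfaces at the top. Pair with EventCode 4688 (process creation) on the
# same Logon_ID to see what the session then ran.
index=windows EventCode=4672 "SeDebugPrivilege"
    Account_Name!="*$" Account_Name!="SYSTEM" Account_Name!="LOCAL SERVICE" Account_Name!="NETWORK SERVICE"
| stats count AS logons, dc(Logon_ID) AS sessions, min(_time) AS first_seen, max(_time) AS last_seen BY Account_Name
| sort 0 logons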
# ELASTIC KQL QUERIES
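# Brute force detection (filter half only).
# KQL is a filter language with no aggregation, and event.count is not a field that counts
# matching documents — unless a mapping happens to define it, the original
# "AND event.count > 10" matched nothing and the rule never fired.
# Keep the query as the document filter and put the threshold on the detection rule: an
# Elastic Security Threshold rule grouped by source.ip with a threshold of 10 is the
# counterpart of the Splunk stats/where pair above.
http.response.status_code: 401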
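# SQLi detection.
# The second alternative must be qualified with the field name: in the original,
# "OR (*OR* AND *1=1*)" sits outside the url.original: (...) group and therefore becomes a
# free-text match against every default field, not a URL check.
# url.original is a keyword field, so wildcard matches are case-sensitive — the lower-case
# patterns will not hit "UNION SELECT"; add the casings that matter or query a lowercased
# runtime or multi-field if the mapping provides one.
# NOTE(review): *OR* relies on the attached wildcards to be lexed as a value rather than the
# boolean operator — confirm against the KQL version in use, or drop it and keep *1=1*.
url.original: (*union* AND *select*) OR url.original: (*OR* AND *1=1*)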
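# Suspicious PowerShell: encoded command or execution-policy bypass on the command line.
# process.name and process.args are keyword fields, so wildcard matches are case-sensitive:
# the original *-enc* does not match -Enc or -EncodedCommand, and powershell.exe does not
# match PowerShell.exe as some sources log it. The casings below cover the common spellings;
# if the mapping has case-insensitive multi-fields (Elastic Endpoint ships
# process.name.caseless — confirm for process.args) query those instead of enumerating.
# pwsh.exe (PowerShell 7) is included because the original watched powershell.exe only.
process.name: (powershell.exe OR PowerShell.exe OR pwsh.exe) AND (process.args: (*-enc* OR *-Enc* OR *-ENC*) OR process.args: (*bypass* OR *Bypass*))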
# SIGMA RULES (universal format):
# Convert Sigma rules to Splunk SPL or Elastic queries with the Sigma tooling: sigmatools (the legacy sigmac package) or its successor, sigma-cli / pySigma.