investigate_web_posts_from_src.yml

name: Investigate Web POSTs From src
id: f5c39fac-205c-4e07-9004-8fd61ea3431a
version: 1
date: '2018-12-06'
author: Jose Hernandez, Splunk
type: Investigation
datamodel:
- Web
description: 'This investigative search retrieves POST requests from a specified source
  IP or hostname. Identifying the POST requests, as well as their associated destination
  URLs and user agent(s), may help you scope and characterize the suspicious traffic. '
search: '| tstats `security_content_summariesonly` values(Web.url) as url from datamodel=Web
  by Web.src,Web.http_user_agent,Web.http_method | `drop_dm_object_name("Web")`| search
  http_method, "POST" | search src=$src$'
how_to_implement: To successfully implement this search, you must be ingesting your
  web-traffic logs and populating the web data model.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - Apache Struts Vulnerability
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - Web.url
  - Web.src
  - Web.http_user_agent
  - Web.http_method
  security_domain: network