The following Splunk query will list the number of errors associated with each host over a given time range: index=_internal sourcetype=”splunkd” log_level=”ERROR” host!=splunk_server | stats count by host | sort – count
Memory Usage and Information on Splunk Server
This Splunk Search Query will perform a rest call to indicate current memory consumption on the Splunk server(s) itself/themselves: *NOTE* The following has been modified from the “Distributed Management Console” to be more generic for a copy, paste, and search example. | rest splunk_server=* /services/server/status/resource-usage/hostwide | stats first(normalized_load_avg_1min) as load_average first(cpu_system_pct) as system, first(cpu_user_pct) as […]
Count of Attackers on Juniper Devices
The following is a Splunk search query that indicates potential “attacks” by source IP. Further investigation will be needed to determine accuracy of attacks. sourcetype = “juniper:idp” attack* | stats count by src_ip Credit given to bbosearch.
Queries Executed in DBConnect
This Splunk query will show the DBX or DBConnect queries executed. I have limited information to work with so check back for updates. Disclaimer – I’m using rex to replace HTML markup that is outputted and ingested by splunk. You may need to add to or remove this depending on your output (see query […]
Splunk Server Restart Duration
As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself. index=_audit (action=”splunkShuttingDown” OR action=”splunkStarting”) | eval Date=strftime(_time, “%Y/%m/%d”) | transaction splunk_server startswith=action=”splunkShuttingDown” endswith=action=”splunkStarting” | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as “Splunk Restart Duration” splunk_server as “Splunk Server”
Timechart of Linux Logons
The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided): sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)” | search authstatus=”authentication success” | timechart count(username) The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided): sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| […]
Successful Linux Logons by Username
As stated in the title, this Splunk search query will return a list of all successful logons by user name on linux hosts. The regex is provided in the event the field is not extracted: sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)” | search authstatus=”authentication success” | stats count by username
List of Failed Login Attempts in Linux
This Splunk search will show a count of all user accounts and a number of times they have attempted to logon. The REGEX is written into the query, remove it if you are already extracting those field names: sourcetype=linux_secure | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?gdm-\w+)\S:\s” | search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?\S+)\s.+\Sgdm-password:auth\S:\s(?\w+\s\w+);\s.+user=(?\S+)” | search authstatus=”authentication failure” | stats count […]
List Ports Forwarders are Using
Use the following Splunk Search Query to list what ports your Universal Forwarders are using to communicate to the Indexer: index=”_internal” source=”*metrics.lo*” group=tcpin_connections NOT eventType=* | dedup sourceHost |stats count by destPort
Simple GeoIP Information for Web Traffic
This simple query will show if IIS traffic came to a given site from three geographical possibilities: “United States” “International” or “Unknown” sources. This relies entirely on geoip lookup. You can change the country of “United States” to anything you desire for you own data set (just make the change in the eval section below!). […]
List of Indexes
This simple Splunk query will return results for indexes that the current user (typically you) have access to: *NOTE* depending on settings this may or may not return internal indexes. host=* | dedup index |table index
List of Legitimate Account Names in Windows
This splunk query will list all successful logins by account name for a given time range. This query will work on a variety of Windows Operating systems to include XP, 2003, Vista, 2008, 7, 8, and server 2012. I’ve tested in some capacity in Windows 10 for some of my queries, so far they appear […]
Unintended Windows Shutdowns
This splunk query will show any unintended Windows system Shutdowns. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/ sourcetype=”WinEventLog:system” EventCode=6008 | eval Date=strftime(_time, “%Y/%m/%d”) | table Date host, index, Message | sort – Date
Clearing of Windows Audit Logs
This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/ source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Client_User_Name, host, index, Date | sort – Date | rename Client_User_Name as […]
Successful Windows Logons with Average Overlay
The following Splunk query will display successful windows logins and overlay an average on visualizations. source=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as “Successful Logons”
Windows Failed Logons with Average Overlay
This Splunk search will show any failed login attempt and graphically overlay an average value. sourcetype=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval […]
Accounts Deleted in a Windows Environment
These splunk queries will return deleted accounts in Associated with Windows Environments (NOTE* The 2003 query requires that the splunk for windows app be installed): 2003: sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Target_Account_Name, Caller_User_Name, Type, host | sort – Date | rename Target_Account_Name as “Deleted Account” | rename Caller_User_Name as […]
Account Modifications in a Windows Environment
The following splunk query will give you all permission changes for each user. There are four queries. 1. Windows 2008 Permission Increases: sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, “%Y/%m/%d”) | rex “Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)” | rex “Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)” | stats count by Date, AccountModified, RightGranted, host | sort – Date 2. Windows 2008 Permission Decreases: sourcetype=WinEventLog:Security (EventCode=4718) | eval […]
Failed Login to OSX
The following splunk query will return results on users who made unsuccessful attempts to login to an OSX machine: sourcetype=osx_secure | rex “authinternal\sfailed\sto\sauthenticate\suser\s(?\S+)” |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by USER, host, Date | sort – count
Successful Login to OSX
The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed! sourcetype=osx_secure | rex “authinternal\sauthenticated\suser\s(?<USER>\S+)” |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by USER, host, Date | sort – count
