The query below will give an overview of all certificates about to expire (within 60 days):
sourcetype="tenable:sc:vuln" synopsis="The SSL certificate associated with the remote service will expire soon." | dedup ip | lookup dnslookup clientip as ip | chart count by ip,clienthost
SSL Certificates expired
The query below will give an overview of all hosts running expired certificates:
sourcetype="tenable:sc:vuln" synopsis="The remote server's SSL certificate has already expired." | dedup ip | chart count by ip
Top 10 most vulnerable systems (Tenable)
Get an overview of the 10 most vulnerable systems in your network:
sourcetype="tenable:sc:vuln" baseScore > 3 | dedup cve ip | stats count by ip, riskFactor | sort 10 -count | lookup dnslookup clientip as ip | chart sum(count) by clienthost
Top exploitable vulnerabilities (Tenable)
To see the top exploitable vulnerabilities from the Tenable Security Center:
sourcetype="tenable:sc:vuln" exploitAvailable="yes" | chart count over pluginName by riskFactor
Overall CVSS score (Tenable)
Tenable uses the CVSS scoring method for detected vulnerabilities. To get an overall (mean) CVSS base score, use the following query:
sourcetype="tenable:sc:vuln" ip=* | stats mean(baseScore) as base | eval base = round(base,2)
Current Vulnerability Summary by Severity (Tenable)
With Tenable Security Center connected via the Splunk app, this search gives an overview of all vulnerabilities, summarized by severity:
sourcetype="tenable:sc:vuln" severity.name=* | chart count over severity.name by ip
Add the following to your dashboard source to give the pie chart consistent colors per severity:
<option name="charting.fieldColors">{"Critical":0x800000,"High":0xFF0000,"Medium":0xFFA500,"Low":0x008000,"Info":0x0000FF}</option>
List All Hosts Associated with All Indexes
Using the Splunk tstats command you can quickly list all hosts associated with all indexes:
| tstats values(host) where index=* by index
Track Remediation Progress by OS – Qualys
The following Splunk search queries within the Qualys sourcetype track the remediation progress for a variety of operating systems. The queries are separated by operating system or device type:
OS & Device Agnostic:
eventtype="qualys_vm_detection_event" STATUS="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID
Linux:
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup […]
Top 25 Most Vulnerable Systems by OS – Qualys
The following Splunk search queries within the Qualys sourcetype list the top 25 most vulnerable systems. The queries are separated by operating system or device type:
Linux:
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
Network (F5/Cisco/Firewall):
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex […]
Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys
The following Splunk search queries within the Qualys sourcetype list the top 25 most prevalent vulnerabilities that have patches available. The queries are separated by operating system or device type:
Linux:
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by […]
Remediation Tracking Trend – Qualys
The following Splunk query will help determine remediation tracking trends within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | stats count as eachCount | eval STATUS="Total" | table STATUS eachCount | append [| search eventtype="qualys_vm_detection_event" | stats count as eachCount by STATUS | eventstats sum(eachCount) as total | eval fixedPerc = ((eachCount/total)*100) | search STATUS=FIXED | table STATUS eachCount ]
I take no credit […]
High Severity Vulnerabilities – Qualys
The following Splunk query will show the percentage of high severity vulnerabilities within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | eval Success=if(SEVERITY > 3,1,0) | stats count as total sum(Success) as success | eval Per_high=(success/total)*100
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
New Vulnerabilities Detected Since Last Scan – Qualys
As the title suggests, this Splunk search dedups results by QID so you can better see changes in vulnerability detection from scan to scan within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | dedup QID | stats count by SEVERITY
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Hosts Taking a Long Time to Scan – Qualys
The following Splunk query will show the hosts taking an abnormally long time to scan (helps find that needle in a haystack) within the Qualys sourcetype:
sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event SCAN_DURATION > 1800 | sort -SCAN_DURATION | table IP, DNS, OS, SCAN_DURATION
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Number of Vulnerabilities Detected – Qualys
The following Splunk query will show the number of vulnerabilities detected, across all severities and all types, within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" STATUS="NEW" | dedup QID | stats count by SEVERITY
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Qualys – Number of Hosts Scanned
The following Splunk query will show the number of hosts scanned within the Qualys sourcetype:
eventtype="qualys_vm_detection_event" | eval Success=if(SEVERITY > 3,1,0) | stats count as total sum(Success) as success | eval Per_high=(success/total)*100
I take no credit for this. These queries were discovered on Tarun Kumar's blog.
Events Sent to Null Queue – Internal Logs
This will show events that have been sent to the null queue, taken from the Splunk internal logs:
index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd | table _time log_level name processor cpu_seconds executes, cumulative_hits
Potential Suspicious Activity in Windows
The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don't run out there and start pointing fingers based […]
Monitor for Service Changes in Windows
The following Splunk search looks for changes in services within Windows (EventCode 7045, a new service installed):
sourcetype="WinEventLog:System" EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message
Monitor File Shares being Accessed in Windows
This Splunk search will show administrative file shares being accessed within Windows environments (EventCode 5140):
sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats […]