Qualys 30 Day trending of Re-Opened Vulnerabilities

The following Splunk Search (query) is for Qualys and will show a trending over 30 days for re-opened vulnerabilities. This query assumes that your index is defined as qualys. index=qualys HOSTVULN earliest=-30d@d STATUS=”RE-OPENED” | dedup HOST_ID, QID sortby +_time | join HOST_ID [ search index=qualys HOSTSUMMARY OS=”Windows*” NOT “Windows Server*” | where cidrmatch(“10.128.0.0/9”, IP) ] […]

Continue Reading →

Qualys Top 10 Vulnerabilities by Severity

The following Splunk Search (query) is for Qualys and will show the top 10 vulnerabilities by severity as well as a Count of Devices. sourcetype=qualys_vm_detection HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE=”CONFIRMED” earliest=-30d@d| dedup HOST_ID, QID | search STATUS!=”FIXED” | join QID [ search sourcetype=qualys_knowledgebase PATCHABLE=1 ] | eval Published=strftime(strptime(PUBLISHED_DATETIME, “%Y-%m-%d”), “%m/%d/%Y”) | join HOST_ID […]

Continue Reading →

Qualys Active OS Vuln Count

The following Splunk Search (query) is for Qualys and will show vulnerability count for Windows Hosts. This query assumes that your index is defined as qualys. index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE=”CONFIRMED” earliest=-30d@d | dedup HOST_ID, QID | search STATUS!=”FIXED” | join QID [ search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [ search […]

Continue Reading →

User Activity in DBConnect

The following Splunk query is for the DBConnect app.  This will return all user activity using this particular app. I’ve provided the regex in the search.   index=_audit sourcetype=audittrail action=”db_connect*” |eval Date=strftime(_time, “%Y/%d/%m”) |rex “user=(?<user>\S+),” | stats count by Date, user, info, action

Continue Reading →

How to Check When Splunk is finished Indexing a log file

How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to learnsplunk.com author who originally posted it on his website) By watching  data from splunk’s metrics log in real-time. ************************************************************ index=”_internal” source=”*metrics.log” group=”per_sourcetype_thruput” series=”your_sourcetype_here” | eval MB=kb/1024 | chart sum(MB) ************************************************************ or to watch everything happening split by […]

Continue Reading →

Search to show what apps are ready to be updated

| rest splunk_server=local /services/apps/local | search update.version=* | table title version update.version If that Splunk has internet access, it’ll have the update.* fields filled with the latest version if there is an update available for any app installed on that system. The splunk_server filter should be usable for querying search peers as well. Using that […]

Continue Reading →

Permissions for splunk users

Another view for which splunk user can do what in your splunk environment | rest /services/authentication/users | mvexpand roles | table realname, title, roles, email | join roles [ rest /services/authorization/roles | rename title as roles | search srchIndexesAllowed=* | table roles srchIndexesAllowed]

Continue Reading →

Queries Executed in DBConnect

This Splunk query will show the DBX or DBConnect queries executed. I have limited information to work with so check back for updates.   Disclaimer – I’m using rex to replace HTML markup that is outputted and ingested by splunk. You may need to add to or remove this depending on your output (see query […]

Continue Reading →

Splunk Server Restart Duration

As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself.   index=_audit (action=”splunkShuttingDown” OR action=”splunkStarting”) | eval Date=strftime(_time, “%Y/%m/%d”) | transaction splunk_server startswith=action=”splunkShuttingDown” endswith=action=”splunkStarting” | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as “Splunk Restart Duration” splunk_server as “Splunk Server”

Continue Reading →

Successful Linux Logons by Username

As stated in the title, this Splunk search query will return a list of all successful logons by user name on linux hosts. The regex is provided in the event the field is not extracted: sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)” | search authstatus=”authentication success” | stats count by username

Continue Reading →

List Ports Forwarders are Using

Use the following Splunk Search Query to list what ports your Universal Forwarders are using to communicate to the Indexer: index=”_internal” source=”*metrics.lo*” group=tcpin_connections NOT eventType=*  | dedup sourceHost |stats count by destPort

Continue Reading →

Simple GeoIP Information for Web Traffic

This simple query will show if IIS traffic came to a given site from three geographical possibilities: “United States” “International” or “Unknown” sources. This relies entirely on geoip lookup. You can change the country of “United States” to anything you desire for you own data set (just make the change in the eval section below!). […]

Continue Reading →

Network Traffic Sent in Megabytes over Time

The following splunk query will show a timechart of network traffic sent over a period of time for any host specified (make sure you edit the query to specify a host, this one defaults to all). The query also converts the default value of Bytes to Megabytes.   sourcetype=”Perfmon:Network Interface” (host=”*”)  counter=”Bytes Sent/sec” | eval MB=(Value/1024/1024) […]

Continue Reading →