Overall CVSS score (Tenable)

Tenable scores detected vulnerabilities using CVSS. To produce a single overall CVSS score across all findings, use the following query:


Current Vulnerability Summary by Severity (Tenable)

With Tenable Security Center connected to Splunk via the Tenable Splunk plugin, this search gives an overview of all vulnerabilities, summarized by severity.

Add the following to the dashboard's source so that the pie chart always uses the same color for each severity (the keys must match the severity values returned by the search exactly):

<option name="charting.fieldColors">{"Critical":0x800000,"High":0xFF0000,"Medium":0xFFA500,"Low":0x008000,"Info":0x0000FF}</option>


List IPs that had Successful and Failed SSH Attempts

The following query was found on Stack Overflow. It performs the regex field extractions needed to produce a list of source IPs associated with SSH login attempts, separating successful from failed logins.


Monitor File Shares being Accessed in Windows

This Splunk search shows which file shares are being accessed in a Windows environment.


Malware Detection

I’m reposting this query, which I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article; it’s a decent read.


Count of Attackers on Juniper Devices

The following Splunk search indicates potential “attacks” by source IP, as seen by Juniper devices. Further investigation is needed to confirm whether the flagged traffic is actually malicious.

Credit given to bbosearch.


Qualys Hosts not Scanned in 30 days+

The following Splunk search is for Qualys and shows hosts that have not been scanned in 30 days or more. It assumes your Qualys data is in an index named qualys.

*DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.


Qualys 30 Day trending of Re-Opened Vulnerabilities

The following Splunk search is for Qualys and shows a 30-day trend of re-opened vulnerabilities. It assumes your Qualys data is in an index named qualys.

*DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.


Qualys Top 10 Vulnerabilities by Severity

The following Splunk search is for Qualys and shows the top 10 vulnerabilities by severity, along with the count of affected devices for each.

*DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.


Qualys Active OS Vuln Count

The following Splunk search is for Qualys and shows the active vulnerability count for Windows hosts. It assumes your Qualys data is in an index named qualys.

*DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.


Successful Linux Logons by Username

As the title says, this Splunk search returns a list of all successful logons on Linux hosts, broken down by username. The regex is included in case the username field is not already extracted.
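The SSH extraction described under "List IPs that had Successful and Failed SSH Attempts" and the per-username view under this heading both boil down to one regex over sshd auth events followed by an aggregation. The Python below is an added example written for this page; it is not the Stack Overflow query or the page's own searches. It runs the same extraction over a few constructed auth.log lines (marked as constructed in the code) and aggregates them the way the two searches would. The function names, hostnames and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from the original page or any real host).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:15:07 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Mar  3 10:15:09 web01 sshd[1240]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:15:12 web01 sshd[1240]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:16:00 web01 sshd[1250]: Accepted publickey for bob from 192.168.1.20 port 22222 ssh2: RSA SHA256:abc
Mar  3 10:16:30 web01 sshd[1260]: Failed password for alice from 10.0.0.5 port 51300 ssh2
Mar  3 10:16:45 web01 sshd[1261]: Accepted password for alice from 10.0.0.5 port 51301 ssh2
Mar  3 10:17:00 web01 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Same job as a Splunk `rex`: pull result, auth method, user and source IP out of sshd lines.
# The optional "invalid user" group matters: guesses against non-existent accounts
# would otherwise be dropped or would capture the word "invalid" as the username.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sshd_line(line):
    """Return the extracted fields for an sshd auth event, or None for any other line."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "src_ip": m.group("src_ip"),
    }


def attempts_by_ip(lines):
    """Per-source-IP counts of accepted and failed attempts plus the usernames tried
    (the analogue of `stats count ... by src_ip`)."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set()})
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        entry = summary[ev["src_ip"]]
        entry["accepted" if ev["result"] == "Accepted" else "failed"] += 1
        entry["users"].add(ev["user"])
    return dict(summary)


def ips_with_failure_then_success(lines):
    """Source IPs that failed at least once and later succeeded, in order of first success.
    A brute force or password spray that eventually gets in looks exactly like this."""
    failed_seen = set()
    hits = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip = ev["src_ip"]
        if ev["result"] == "Failed":
            failed_seen.add(ip)
        elif ip in failed_seen and ip not in hits:
            hits.append(ip)
    return hits


def successful_logons_by_user(lines):
    """Count of accepted logons per username (the 'Successful Linux Logons by Username' view)."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_sshd_line(line)
        if ev and ev["result"] == "Accepted":
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, s in sorted(attempts_by_ip(lines).items()):
        print(f"{ip:15} accepted={s['accepted']} failed={s['failed']} users={sorted(s['users'])}")
    print("failure then success:", ips_with_failure_then_success(lines))
    print("successful logons by user:", successful_logons_by_user(lines))
```

Of the three outputs, ips_with_failure_then_success is the one worth alerting on: a source that fails repeatedly and then logs in successfully is the classic sign of a guessed password, whereas raw failure counts alone mostly surface background scanning. The CRON line in the sample is there to show that non-sshd events are ignored rather than mis-parsed.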
