Number of Hosts Associated with a Serverclass

The following query will list the number of hosts associated with all serverclasses on your Splunk Deployment server. This query should be run on your Deployment Server.


Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host:

The following Splunk query will show a detailed table of failed logon attempts per host and user in 5-minute blocks of time, as well as a sparkline (mini timechart) within the table itself.

#Admin Notes – This […]


Show Searches with Details (Who | When | What)

The following Splunk search will show a list of searches run on a Splunk server with the following details:

- Who ran the search
- What sourcetype was used
- What index was used
- What the search string was
- When the search was last run


REST API response time

This is a Splunk query to measure REST API response time for the various REST URIs in Splunk.

Credit goes to somesoni2 on answers.splunk.com! Query found here: https://answers.splunk.com/answers/112073/splunk-query-to-measure-rest-api-response-time.html


Show Splunk User to Role mapping

The following Splunk REST query shows all roles, the number of capabilities, and the landing app for each user.


Apache High Level Visitor Info

The following query gives a breakdown on traffic by clientip. I run this over all time so I can get detailed information on first visit versus latest visit as you can see below.

This will return something like the following: If you want to run this as a scheduled search, which I advise doing […]


Direct and Referred Apache Web Traffic

The following query will show all traffic to an Apache web server that is direct, meaning no referring site.

The following query will show all traffic that is NOT direct, meaning only referring sites.

The following query is the same as above, but with a timechart spanning 1 day.

The following Query […]


Concurrent Users on Apache Web

I’ve been working through this query, and depending on how far back you are looking you can use one of the following two methods. Option 1 – Short time window (30 days or less): concurrent users over a span of 5 minutes.

Option 2 – Longer time window (Greater than 30 days, […]


Fishies! Fun Query and Easter Egg

Here is a fun query that you may have seen as an Easter egg in an app. I stumbled on this while cleaning up old saved searches. If you know the app, comment below! FYI: make sure you run this in real time, otherwise you won’t see the fun part :)


Track Remediation Progress by OS – Qualys

The following Splunk search queries within the Qualys sourcetype track the remediation progress for a variety of operating systems. The queries are separated by operating system or device type:

- OS & Device Agnostic
- Linux
- Network (F5/Cisco/Firewall)
- Windows Desktop
- Windows Server

I take no credit for this. These queries were discovered […]


Top 25 Most Vulnerable Systems by OS – Qualys

The following Splunk search queries within the Qualys sourcetype list the top 25 most vulnerable systems. The queries are separated by operating system or device type:

- Linux
- Network (F5/Cisco/Firewall)
- Windows Desktop
- Windows Server

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs) – Qualys

The following Splunk search queries within the Qualys sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by operating system or device type:

- Linux
- Network (F5/Cisco/Firewall)
- Windows Desktop
- Windows Server

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


Remediation Tracking Trend – Qualys

The following Splunk query will help determine remediation tracking trends within the Qualys sourcetype:

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


High Severity Vulnerabilities – Qualys

The following Splunk query will show the percentage of high-severity vulnerabilities within the Qualys sourcetype:

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


New Vulnerabilities Detected Since Last Scan – Qualys

As the title suggests, this Splunk search dedups results so you can better see changes in vulnerability detection from scan to scan within the Qualys sourcetype:

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


Hosts Taking a Long Time to Scan – Qualys

The following Splunk query will show the hosts taking an abnormally long time to scan (helps find that needle in a haystack) within the Qualys sourcetype:

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


Number of Vulnerabilities Detected – Qualys

The following Splunk query will show the number of vulnerabilities detected, across all severities and all types, within the Qualys sourcetype:

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
