Members

Ronald (Access42)

@rkingma Active 7 years, 3 months ago

  • 7 years, 3 months ago

    Ronald (Access42) wrote a new post

    The following shows IoCs for directory traversal, RFI and LFI within IIS logging:
    index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js") AND (referer="-" OR referer="") AND (uri_query="*passwd*" OR […]

  • 7 years, 3 months ago

    Ronald (Access42) wrote a new post

    Get an overview of all 404 errors; an increase might be an IoC.
    index=web_p sourcetype="ms:iis:default" status=404 | timechart count

  • 7 years, 3 months ago

    Ronald (Access42) wrote a new post

    Get an overview of 401 and 403 errors; an increase might be an IoC.
    index=* sourcetype="ms:iis:default" (sc_status=401 OR sc_status=403) | table _time, sc_status, sc_substatus, uri_path | timechart count by sc_status

  • 7 years, 3 months ago

    Ronald (Access42) wrote a new post

    The following query shows IoCs for XSS and SQLi. The complete query is wrapped up since this site is not accepting it. The query should also include "OR javascript", followed by ":alert".
    index=* […]

    • ndholakiya replied 7 years ago

      Hey @rkingma

      It's not detecting SQLi.

  • 7 years, 10 months ago

    Ronald (Access42) wrote a new post

    To extract the DNS logging from netscaler:syslog you need the following regex:

    ^\s+(?P[^:]+):(?P[^ ]+)(?:[^:\n]*:){3}(?P[^#]+)(?:[^/\n]*/){8}\d+#(?P(?#)[_a-zA-Z0-9.-]+)(./)

    You can now put it in the query […]

  • 8 years, 1 month ago

    Ronald (Access42) wrote a new post

    Overview of all medium to critical risks for Win20xx
    Get an overview of all medium to critical risks for Windows 2008 / 2012:
    Windows 2008: sourcetype="tenable:sc:vuln" cpe:/o:microsoft:windows_server_2008 […]

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    This search will give an overview of all SMB shares with unprivileged access.
    sourcetype="tenable:sc:vuln" pluginID=42411 | table ip dnsName pluginText | rename "pluginText" as "Shares enabled" | rename "dnsName" […]

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    The query below will give an overview of all certificates about to expire (within 60 days):
    sourcetype="tenable:sc:vuln" synopsis="The SSL certificate associated with the remote service will expire soon." | […]

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    The query below will give an overview of all hosts running expired certificates:
    sourcetype="tenable:sc:vuln" synopsis="The remote server's SSL certificate has already expired." | dedup ip | chart count by ip

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    Get an overview of the 10 most vulnerable systems in your network:
    sourcetype="tenable:sc:vuln" baseScore>3 | dedup cve ip | stats count by ip, riskFactor | sort 10 -count | lookup dnslookup clientip as ip | […]

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    To see the top exploitable vulnerabilities from the Tenable Security Center:
    sourcetype="tenable:sc:vuln" exploitAvailable="yes" | chart count over pluginName by riskFactor

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    Tenable uses the CVSS scoring method for detected vulnerabilities. To get an overall CVSS score, use the following query:
    sourcetype="tenable:sc:vuln" ip=* | stats mean(baseScore) as base | eval base = round(base,2)

  • 8 years, 2 months ago

    Ronald (Access42) wrote a new post

    Having Tenable Security Center connected via the Splunk plugin, this search gives an overview of all vulnerabilities, summarized by severity.
    sourcetype="tenable:sc:vuln" severity.name=* | chart count over […]

  • 8 years, 3 months ago

    Ronald (Access42) became a registered member

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk