The following query shows the uptime of all systems over a period of time (days_uptime is a dashboard token; substitute a number of days if you run the search ad hoc). Replace my indexes with yours. (index=os OR index=idx_appdev) (sourcetype=Unix:Uptime OR sourcetype="WMI:Uptime") | dedup host | eval DaysUp=round(SystemUpTime/86400,2) | eval Years=round(DaysUp/365,2) | eval Months=round(DaysUp/30,2) | search DaysUp > $days_uptime$ | table host DaysUp Years Months SystemUpTime | sort - SystemUpTime   Looks like: hostname | DaysUP | […]
Pass the Hash Detection
index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON" The filter keeps network (Logon_Type=3) logons, successful (4624) or failed (4625), that authenticated with NTLM using an account outside your domain (typically a local account being used across the network), and drops ANONYMOUS LOGON, which shows up routinely with NTLM. Replace YOURDOMAIN with the value your events carry in Account_Domain. Expect legitimate hits from workgroup hosts and local administrator use, so baseline the results and pivot on the source address and account before alerting.
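The same filter expressed as detection logic over sample events, as an added example that is not code from the original post. Event dicts use the Windows TA field names the search references (EventCode, Logon_Type, Authentication_Package, Account_Domain, Account_Name); the src_ip and host keys, the function names, and every value in SAMPLE_EVENTS are constructed for illustration.

```python
"""Pass-the-hash candidate filter, mirroring the SPL above.

Added example, not code from the original post. Events are dicts keyed by
the Splunk Windows TA field names used in the query (EventCode, Logon_Type,
Authentication_Package, Account_Domain, Account_Name); src_ip and host are
assumed extra fields used for triage. All values below are constructed.
"""
from collections import Counter

# Constructed sample of events as the Windows TA would extract them.
SAMPLE_EVENTS = [
    # Domain user, NTLM network logon: excluded by NOT Account_Domain=YOURDOMAIN
    {"EventCode": "4624", "Logon_Type": "3", "Authentication_Package": "NTLM",
     "Account_Domain": "CORP", "Account_Name": "alice", "host": "FS01", "src_ip": "10.1.1.5"},
    # Kerberos network logon: excluded by Authentication_Package=NTLM
    {"EventCode": "4624", "Logon_Type": "3", "Authentication_Package": "Kerberos",
     "Account_Domain": "CORP", "Account_Name": "bob", "host": "FS01", "src_ip": "10.1.1.6"},
    # Local Administrator used over the network with NTLM: a PtH candidate
    {"EventCode": "4624", "Logon_Type": "3", "Authentication_Package": "NTLM",
     "Account_Domain": "FS01", "Account_Name": "Administrator", "host": "FS01", "src_ip": "10.1.1.99"},
    # Failed attempt with another host's local Administrator: also a candidate
    {"EventCode": "4625", "Logon_Type": "3", "Authentication_Package": "NTLM",
     "Account_Domain": "WS22", "Account_Name": "Administrator", "host": "FS01", "src_ip": "10.1.1.99"},
    # Null session: excluded by NOT Account_Name="ANONYMOUS LOGON"
    {"EventCode": "4624", "Logon_Type": "3", "Authentication_Package": "NTLM",
     "Account_Domain": "NT AUTHORITY", "Account_Name": "ANONYMOUS LOGON", "host": "FS01", "src_ip": "10.1.1.7"},
    # Interactive console logon with a local account: excluded by Logon_Type=3
    {"EventCode": "4624", "Logon_Type": "2", "Authentication_Package": "NTLM",
     "Account_Domain": "FS01", "Account_Name": "Administrator", "host": "FS01", "src_ip": "-"},
]


def matches_pth_filter(event, your_domain):
    """True when the event passes the SPL filter:
    (EventCode 4624 or 4625) AND Logon_Type=3 AND Authentication_Package=NTLM
    AND NOT Account_Domain=<your_domain> AND NOT Account_Name="ANONYMOUS LOGON".
    Comparisons are case-insensitive, as Splunk field matching is."""
    return (
        event.get("EventCode") in ("4624", "4625")
        and event.get("Logon_Type") == "3"
        and event.get("Authentication_Package", "").upper() == "NTLM"
        and event.get("Account_Domain", "").upper() != your_domain.upper()
        and event.get("Account_Name", "").upper() != "ANONYMOUS LOGON"
    )


def pth_candidates(events, your_domain):
    """Events that survive the filter, in original order."""
    return [e for e in events if matches_pth_filter(e, your_domain)]


def triage_counts(events, your_domain):
    """Roll candidates up by source address, DOMAIN\\user and outcome, the
    equivalent of appending '| stats count by src_ip, Account_Domain,
    Account_Name, EventCode' to the search. Success (4624) and failure
    (4625) stay separate so a spray of failures followed by one success
    is visible."""
    counts = Counter()
    for e in pth_candidates(events, your_domain):
        outcome = "success" if e["EventCode"] == "4624" else "failure"
        counts[(e["src_ip"], f"{e['Account_Domain']}\\{e['Account_Name']}", outcome)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(triage_counts(SAMPLE_EVENTS, "CORP").items()):
        print(key, n)
```

Running it against the constructed sample leaves only the two Administrator events from 10.1.1.99; the domain user, the Kerberos logon, the null session and the console logon are all dropped by one of the clauses.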
Linux CPU Usage
The following query will output CPU usage per host over a period of time using timechart: index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart latest(CPU) by host
Traffic Volume by Forwarder
This Splunk search query will show you the top 10 "chattiest" forwarders on your network. I've used this query to determine why some forwarders were sending more data than others. The results are displayed in kilobytes (the kb field of metrics.log); you could use an eval to change it to the appropriate unit for your network. index="_internal" source="*metrics.lo*" group=tcpin_connections NOT […]
Qualys 30 Day trending of Re-Opened Vulnerabilities
The following Splunk Search (query) is for Qualys and will show a 30-day trend of re-opened vulnerabilities. This query assumes that your index is defined as qualys. index=qualys HOSTVULN earliest=-30d@d STATUS="RE-OPENED" | dedup HOST_ID, QID sortby +_time | join HOST_ID [ search index=qualys HOSTSUMMARY OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ] […]
Linux Free Disk Space
The following Splunk query shows the percentage of free disk space over a period of time using timechart: index=os sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) by host
List Ports Forwarders are Using
Use the following Splunk Search Query to list what ports your Universal Forwarders are using to communicate with the Indexer: index="_internal" source="*metrics.lo*" group=tcpin_connections NOT eventType=* | dedup sourceHost | stats count by destPort
Apache access_logs status code reporting
index=apache sourcetype=access_combined | chart count(eval(like(status,"2%"))) AS Success, count(eval(like(status,"4%") OR like(status,"5%"))) AS Error by status
### this query is to report on status code description ###
index=apache source="/var/log/httpd/access_log" | timechart count by status_description useother=f
# Find website status over time
index=apache sourcetype=access_combined | timechart count by status_type limit=10 usenull=f
# Reports on webserver error 500.
index=apache sourcetype=access_combined status_type="Server Error" […]
Free Disk Space for each Drive Letter
The following Splunk query will return results for all hosts reporting Perfmon data on available disk space per assigned drive letter (NOTE: you must make the change to include free disk space per partition in your inputs.conf file). Query: sourcetype="Perfmon:Free Disk Space" counter="Free Megabytes" (instance!="HarddiskVolume*") (instance!=_Total) | eval FreeSpace=(Value/1024) | eval GB=tostring(FreeSpace,"commas") | table host instance GB […]
Network Traffic Received in Megabytes over Time
The following Splunk query will show a timechart of network traffic received over a period of time for any host specified (make sure you edit the query to specify a host; this one defaults to all). The query also converts the default value of Bytes to Megabytes. Note that "Bytes Received/sec" is a rate counter, so the chart is in megabytes per second, not a running total. sourcetype="Perfmon:Network Interface" (host="*") counter="Bytes Received/sec" | eval MB=(Value/1024/1024) | […]
Network Traffic Sent in Megabytes over Time
The following Splunk query will show a timechart of network traffic sent over a period of time for any host specified (make sure you edit the query to specify a host; this one defaults to all). The query also converts the default value of Bytes to Megabytes. As with the received counter, "Bytes Sent/sec" is a per-second rate, so the chart shows MB/s. sourcetype="Perfmon:Network Interface" (host="*") counter="Bytes Sent/sec" | eval MB=(Value/1024/1024) […]
Failed Attempts to Logon to Splunk Web
The following Splunk Search Query will return all users who have failed to logon to the Splunk Web console. This query will also include an average (from eventstats). index=_audit action=”login attempt” info=failed | timechart count(user) as Failed_Attempts| eventstats avg(Failed_Attempts) as Average
Splunk Query Count by users
index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f   As written the search is restricted to the admin user; drop user=admin (or widen it to user=*) to chart every user, which is what "by user" is for. The NOT clause excludes scheduled and summary-indexing searches so only ad hoc searches are counted.
Introspection – Memory used by SID (Search ID)
Chart memory used by each SID (search ID) using the Introspection logs: index="_introspection" "data.process"=splunkd | timechart max(data.mem_used) by data.search_props.sid usenull=f useother=f
CPU Thresholds, Warnings, and Risk Scoring
The following Splunk query can be used to do what the title says. Risk scoring is done via colour codes in the source information of the chart (see below for an example). The query looks at the average CPU time in 30-minute chunks over a selected time range (i.e., what was […]
Simple GeoIP Information for Web Traffic
This simple query will show whether IIS traffic came to a given site from one of three geographical possibilities: "United States", "International" or "Unknown" sources. It relies entirely on a GeoIP lookup. You can change the country from "United States" to anything you desire for your own data set (just make the change in the eval section below!). […]
List of Failed Login Attempts in Linux
This Splunk search will show a count of failed logon attempts per user account on Linux hosts (gdm-password events). The regex is written into the query; remove it if you are already extracting those field names: sourcetype=linux_secure | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s" | search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | stats count […]
Qualys Top 10 Vulnerabilities by Severity
The following Splunk Search (query) is for Qualys and will show the top 10 vulnerabilities by severity as well as a count of devices. Note the severity clause must be written as separate field comparisons: a bare "SEVERITY=3 OR 4 OR 5" would search for the literal terms 4 and 5 anywhere in the event rather than matching the SEVERITY field. sourcetype=qualys_vm_detection HOSTVULN (SEVERITY=3 OR SEVERITY=4 OR SEVERITY=5) TYPE="CONFIRMED" earliest=-30d@d | dedup HOST_ID, QID | search STATUS!="FIXED" | join QID [ search sourcetype=qualys_knowledgebase PATCHABLE=1 ] | eval Published=strftime(strptime(PUBLISHED_DATETIME, "%Y-%m-%d"), "%m/%d/%Y") | join HOST_ID […]
Successful Linux Logons by Username
As stated in the title, this Splunk search query will return a list of all successful logons by user name on Linux hosts. The regex is provided in the event the fields are not already extracted: sourcetype=linux_secure | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s" | search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | stats count by username
Timechart of Linux Logons
The following Splunk search will return a timechart of all successful logons for a given Linux environment (regex provided): sourcetype=linux_secure | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s" | search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)   The following Splunk search will return a timechart of all failed logons for a given Linux environment (regex provided): sourcetype=linux_secure | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s" | […]
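The two rex stages shared by the three Linux logon searches above (failed logons by user, successful logons by user, and the timechart), run over constructed /var/log/secure lines so you can see what the regexes actually extract and which lines they silently drop. This is an added example, not code from the original post; the sample log lines, the function names and the one-hour timechart span are my own choices.

```python
"""Linux gdm-password logon extraction matching the rex stages in the
searches above. Added example, not from the original post; the log lines
are constructed to the /var/log/secure format the regexes expect, and the
function names are assumptions of this example.
"""
import re
from collections import Counter
from datetime import datetime

# The two rex expressions from the searches, with Splunk's (?<name>) groups
# rewritten as Python's (?P<name>).
SESSION_RE = re.compile(
    r"\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?P<session>gdm-\w+)\S:\s")
AUTH_RE = re.compile(
    r"\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<hostname>\S+)\s.+\Sgdm-password:auth\S:\s"
    r"(?P<authstatus>\w+\s\w+);\s.+user=(?P<username>\S+)")
# Syslog timestamp, used only to bucket events for the timechart.
TS_RE = re.compile(r"(?P<ts>\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})")

# Constructed sample of sourcetype=linux_secure events.
SAMPLE_SECURE = """\
Jun 12 10:15:32 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=bob
Jun 12 10:15:40 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=bob
Jun 12 10:16:05 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=bob
Jun 12 11:02:11 ws02 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=
Jun 12 11:30:00 ws02 gdm-password]: pam_unix(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Jun 12 11:31:15 ws02 sshd[2211]: Failed password for invalid user test from 10.0.0.5 port 51022 ssh2
"""


def parse_secure_line(line):
    """Apply both rex stages and the 'search session=gdm-password' filter.
    Returns the extracted fields, or None when the line is not a gdm-password
    auth event or carries no username: a trailing 'user=' with nothing after
    it makes the second regex fail, exactly as it does in Splunk, so such
    failures never reach the stats/timechart."""
    m = SESSION_RE.search(line)
    if not m or m.group("session") != "gdm-password":
        return None
    m2 = AUTH_RE.search(line)
    if not m2:
        return None
    ts = TS_RE.search(line).group("ts")
    return {
        "_time": datetime.strptime(ts, "%b %d %H:%M:%S"),  # syslog carries no year
        "hostname": m2.group("hostname"),
        "authstatus": m2.group("authstatus"),
        "username": m2.group("username"),
    }


def count_by_username(lines, authstatus):
    """'| search authstatus=<authstatus> | stats count by username'."""
    counts = Counter()
    for line in lines:
        rec = parse_secure_line(line)
        if rec and rec["authstatus"] == authstatus:
            counts[rec["username"]] += 1
    return counts


def timechart_by_hour(lines, authstatus):
    """'| search authstatus=<authstatus> | timechart count(username)' with a
    fixed one-hour span; bucket keys look like 'Jun 12 10:00'."""
    buckets = Counter()
    for line in lines:
        rec = parse_secure_line(line)
        if rec and rec["authstatus"] == authstatus:
            buckets[rec["_time"].strftime("%b %d %H:00")] += 1
    return buckets


if __name__ == "__main__":
    lines = SAMPLE_SECURE.splitlines()
    print("failed:", dict(count_by_username(lines, "authentication failure")))
    print("success:", dict(count_by_username(lines, "authentication success")))
    print("success/hour:", dict(timechart_by_hour(lines, "authentication success")))
```

Two things worth knowing about the page's regexes before relying on them: the sshd line and the failure with an empty user= are dropped rather than counted, so a brute-force attempt that never supplies a username is invisible to the failed-logon search; and the timestamp pattern `\s\d{1,2}\s` expects a single space before the day, while traditional syslog pads single-digit days with two spaces ("Jun  2"), so events on the first nine days of a month will not match unless you loosen that to `\s+`.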