Useful search to show a bit of detail on roles and user permissions. | rest /servicesNS/-/-/admin/directory count=0 splunk_server=local | fields eai:acl.app, eai:acl.owner, eai:acl.perms.*, eai:acl.sharing, eai:location, title | eval perms=mvappend(‘eai:acl.perms.read’,’eai:acl.perms.write’) | fields – eai:acl.perms.* | mvexpand perms | where perms!=”*” AND NOT [ | rest /servicesNS/-/-/authorization/roles count=0 splunk_server=local | fields title | rename title as perms […]
IIS Response Time
host=”*” sourcetype=iis (insertIISurl) | eval time_taken = time_taken/1000 | stats max(time_taken) AS “Highest Response Time” host=”*” sourcetype=iis (insertIISurl) | eval time_taken = time_taken/1000 | stats avg(time_taken) AS “Average Response Time” host=”*” sourcetype=iis (insertIISurl) | eval time_taken = time_taken/1000 | stats fastest(time_taken) AS “Fastest Response Time” Above is 3 panels , Fastest, Average, and Longest response time. […]
REST Call for Splunk Server Role Status
This REST Splunk search returns the status of roles on each Splunk server in your environment. | rest /services/server/introspection | table title splunk_server status updated
REST Call for a list of Lookup Files
Use this splunk search to get a list of all lookup files: | rest /services/data/transforms/lookups | table eai:acl.app eai:appName filename title fields_list updated id
REST Call for Memory & CPU usage on Splunk Servers
This Splunk search will show you use and available CPU and Memory statistics. Depending on your environment you may see multiple Splunk servers: | rest /services/server/status/resource-usage/hostwide | eval cpu_count = if(isnull(cpu_count), “N/A”, cpu_count) | eval cpu_usage = cpu_system_pct + cpu_user_pct | eval mem_used_pct = round(mem_used / mem * 100 , 2) | eval mem_used = […]
Show all currently logged in users
Use this Splunk rest query to list all currently logged in users (to your Splunk server). | rest /services/authentication/current-context | search NOT username=”splunk-system-user” | table username roles updated
List of Props.conf Extractions
Useful Splunk Query to show extractions from Props.conf: | rest /services/data/props/extractions | table title type value attribute
High Severity Vulnerabilities – Qualys
The following Splunk query will show the percentage of high severity vulnerabilities within the Qualys Sourcetype: eventtype=”qualys_vm_detection_event” |eval Success= if(SEVERITY >3,1,0)|stats count as total sum(Success) as success|eval Per_high=(success/total)*100 I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
List of Extractions in Transforms.conf
Useful Splunk Query to show REGEX extractions in Transforms.conf | rest /services/data/transforms/extractions | table title eai:appName REGEX FORMAT updated
List of Alerts via REST
The following Splunk search (query) will show a list of alerts within Splunk via the | rest call: | rest /services/alerts/fired_alerts splunk_server=local| table eai:acl.owner eai:acl.app id title triggered_alert_count
Monitor File Shares being Accessed in Windows
This splunk search will show file shares being accessed within windows environments. sourcetype=”WinEventLog:Security” EventCode=5140 (Share_Name=”*\\C$” OR Share_Name=”*D$” OR Share_Name=”*E$” OR Share_Name=”*F$” OR Share_Name=”*U$”) NOT Source_Address=”::1″ | eval Destination_Sys1=trim(host,”1″) | eval Destination_Sys2=trim(host,”2″) | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats […]
Monitor for Service Changes in Windows
The following splunk search looks for changes in services within Windows. sourcetype=”WinEventLog:System” EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,”.”) | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message
Potential Suspicious Activity in Windows
The following Splunk search should be ran over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based […]
Events Sent to Null Que – Internal Logs
This will show events that have been sent to the null que within the splunk internal logs. index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd | table _time log_level name processor cpu_seconds executes, cumulative_hits
Qualys – Number of Hosts Scanned
The following Splunk query will show the number of hosts scanned within the Qualys Sourcetype: eventtype=”qualys_vm_detection_event” |eval Success= if(SEVERITY >3,1,0)|stats count as total sum(Success) as success|eval Per_high=(success/total)*100 | I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Number of Vulnerabilities Detected – Qualys
The following Splunk query will show the number of vulnerabilities detected all severities and all types within the Qualys Sourcetype: eventtype=”qualys_vm_detection_event” STATUS=”NEW” | dedup QID |stats count by SEVERITY I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Hosts Taking a Long Time to Scan – Qualys
The following Splunk query will show the hosts taking an abnormally lengthy time to scan (helps find that needle in a haystack) within the Qualys Sourcetype: sourcetype=”qualys:hostDetection” eventtype=qualys_host_summary_event SCAN_DURATION> 1800 | sort -SCAN_DURATION | table IP, DNS, OS, SCAN_DURATION I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
New Vulnerabilities Detected Since Last Scan – Qualys
As the title suggests this Splunk Search will dedup results so you can better see changes in Vulnerability detection scan to scan within the Qualys Sourcetype: eventtype=”qualys_vm_detection_event” | dedup QID |stats count by SEVERITY I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Splunk Query to report on users logging on to the Splunk Web Console
index=_audit tag=authentication info=succeeded |dedup user | table user timestamp
License Usage by Index per Day
The following Splunk search query will output license usage for each index for each day for the week to date. It will also output an average for each index over the course of the given time period. index=_internal source=*license_usage.log type=”Usage” splunk_server=* earliest=-1w@d | eval Date=strftime(_time, “%Y/%m/%d”) | eventstats sum(b) as volume by idx, Date […]