Search for disabled AD accounts that have been re-enabled

This is a search you can use as an alert, or however you see fit, to find AD accounts that were disabled in the past 90 days and then re-enabled in the past 24 hours. You can tweak it as needed.

Query for when PowerShell execution policy is set to Bypass

Reports Owned by Admin Users and Writable by Others

I got a little fancy there with 

. The link is for clicking from the inline table of the alert email. You can easily skip that.

Remove multiple values from a multivalue field

This Splunk search is an example of how to remove unwanted values from multivalue fields using mvfilter.

List all your existing indexes or check if index exists

With this SPL you can list the indexes that exist, or check whether a specific index exists. To list all indexes:

To check whether a specific index exists, use:

Deployed application status

Created this dashboard to see when, or whether, an application was deployed successfully. Similar to splunkninja's query, this will also show whether the host in question restarted to apply the new app.

Splunk Apps added to an instance

emoji bonanza

Have you ever wanted to truly express your emotions about your search results but weren't sure how? Why not use an emoji? But how, you ask? Well, problem solved. Welcome to the emoji bonanza!

Identifying Hosts not sending data for more than 6 hours

Get unexpected shutdown date with downtime duration

This mainly saves you the headache of handling hidden characters, which made the field extraction harder than it needed to be.

Zerologon Detection (CVE-2020-1472)

Primary Search for Local Domain Controller Exploitation by Zerologon

You can also modify this search to look only at your Active Directory DCs. If you have a common naming schema, you can use that as well. Please see the linked report for more info about the CVE itself.

Splunk dashboard that displays User searches

Built this dashboard to give a high-level overview of user search activity. The search powering the dashboard looks at the _audit index, so you will need to ensure that you have proper access to the internal Splunk indexes. The dashboard includes a TimeRange picker, a radio button to include or exclude Splunk's system user, […]

Windows Software Matrix

Description: This query generates a software matrix for viewing the names and versions of all software installed on Windows hosts reporting to Splunk. It requires the stanza [script://.\bin\win_installed_apps.bat] to be enabled in the Splunk_TA_Windows add-on. We run this once a day and have a dashboard for viewing the data that is hard set to the past 24 […]

ProofPoint TAP Dashboard

Bucket Status Dashboard

Shows the status of buckets per indexer host and when they rolled from warm to cold and from cold to frozen. Gives a timechart and a table of each, as well as detailed bucket names per index and host.

Detect Dying Sourcetypes

This alert looks at a prior dataset of indexes and sourcetypes reporting over time and then pairs it with a more recent dataset. Appending the results lets you see sourcetypes that existed in the prior period but have stopped reporting.

Alerts in a Panel with Drilldown

A quick dashboard panel you can plop anywhere and get a view of alerts that have recently fired, including a drilldown based on the SID of the fired alert.

Triggered Alert Analytics

Primary Dashboard: contains alert analytics for both triggered alerts and saved searches. Please replace $name$ with the saved search naming convention you use (e.g. 0001 – AlertName). You will need an outputlookup to generate the bottom two tables; it is based on the query that generates the second table in the dashboard.

Report […]

F5 SL ASM iRule Parser for Hosted Deployments
