sourcetype=f5:silverline:asm irule=* vs_ip=*
| rex "(?<log>.*)"
| eval log_stripped = replace(log, "\\\\","")
| rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
| spath input=data_section
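To see what the rex / eval / spath chain above does to one record, here is a Python re-implementation of the same four steps. It is an added example written for this page, not code from the original post or from F5. The sample events are constructed, the JSON field names inside them are invented, and the escaping layout (every quote and backslash inside data="..." preceded by a backslash) is an assumption about the f5:silverline:asm format. It also shows the limit of the eval step: removing every backslash works until the payload itself carries an escaped quote, after which spath has nothing valid to parse, so a one-level unescape is shown beside it.

```python
import json
import re
from typing import Callable, Optional

# Python form of:  rex field=log_stripped "data=\"(?<data_section>.*?)\", irule="
DATA_RE = re.compile(r'data="(?P<data_section>.*?)", irule=')


def embed_payload(payload: dict) -> str:
    # Builds a constructed f5:silverline:asm-style event (not a real log line).
    # Assumed layout: the JSON document sits inside data="..." and every
    # backslash and double quote inside it is backslash-escaped.
    raw = json.dumps(payload, separators=(",", ":"))
    escaped = raw.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "ts=2024-01-01T00:00:00Z vs_ip=203.0.113.10 "
        f'data="{escaped}", irule=asm_log_irule'
    )


# Constructed sample events; the JSON field names are invented for this example.
SIMPLE_EVENT = embed_payload(
    {"attack_type": "SQL-Injection", "client_ip": "198.51.100.7"}
)
# Same layout, but the payload value itself contains quotes, so the event
# carries an escaped backslash followed by an escaped quote for each of them.
NESTED_QUOTE_EVENT = embed_payload({"request": 'GET /?q="x" HTTP/1.1'})


def strip_all_backslashes(log: str) -> str:
    # Mirrors the search's eval: replace(log, "\\\\", "") deletes every backslash.
    return log.replace("\\", "")


def unescape_one_level(log: str) -> str:
    # Safer alternative: remove exactly one escaping level, so an escaped quote
    # becomes a quote and an escaped backslash becomes a single backslash.
    return re.sub(r"\\(.)", r"\1", log)


def extract_data_section(log: str, unescape: Callable[[str], str]) -> Optional[dict]:
    # rex "(?<log>.*)" is the identity step: log is the whole event.
    stripped = unescape(log)
    match = DATA_RE.search(stripped)
    if match is None:
        return None
    try:
        # spath input=data_section: parse the extracted text as JSON.
        return json.loads(match.group("data_section"))
    except json.JSONDecodeError:
        # The unescape left the payload as invalid JSON; spath would extract nothing.
        return None


if __name__ == "__main__":
    print(extract_data_section(SIMPLE_EVENT, strip_all_backslashes))
    print(extract_data_section(NESTED_QUOTE_EVENT, strip_all_backslashes))
    print(extract_data_section(NESTED_QUOTE_EVENT, unescape_one_level))
```

The first two calls reproduce the search as written: the plain payload parses, the one with quoted text inside a value comes back as None. The one-level unescape is the form to reach for if spath starts returning empty fields on events that carry request bodies or signatures with quotes in them.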
Search All Traffic by src / action – Creates Table
This is a magical query for tracking down all internal resources connecting to or from external IPs and countries (the three excluded ranges are the RFC 1918 private blocks):
src!=10.0.0.0/8 AND src!=172.16.0.0/12 AND src!=192.168.0.0/16 action="allowed"
| iplocation src
| search Country=*
| table Country, src, action, bytes_out, packets_out
| dedup src
| sort Country
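The value of this search depends entirely on the three exclusions being the right private ranges, and a slip in one of them is easy to miss because the search still returns rows. The Python below is an added example for this page (not code from the original post): it applies the same filter, action="allowed" and dedup src, to a handful of constructed firewall events and compares the correct RFC 1918 list with a list in which the middle range was mistyped as 192.168.0.0/12. The iplocation step is left out because it needs a GeoIP database; whether Splunk masks an unaligned CIDR the way Python's strict=False does is an assumption, not something the page states.

```python
import ipaddress
from typing import Iterable, List

# The three RFC 1918 ranges the search is meant to exclude.
RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# A common slip: 192.168.0.0/12 instead of 172.16.0.0/12. With strict=False
# Python masks it to 192.160.0.0/12 (192.160.0.0 to 192.175.255.255), which
# swallows public space and leaves 172.16.0.0/12 unfiltered.
MISTYPED = [
    ipaddress.ip_network(n, strict=False)
    for n in ("10.0.0.0/8", "192.168.0.0/12", "192.168.0.0/16")
]

# Constructed firewall-style events; addresses and byte counts are invented.
EVENTS = [
    {"src": "10.1.2.3", "action": "allowed", "bytes_out": 100},
    {"src": "172.16.5.5", "action": "allowed", "bytes_out": 2000},   # private, missed by MISTYPED
    {"src": "192.168.1.10", "action": "allowed", "bytes_out": 300},
    {"src": "192.170.1.1", "action": "allowed", "bytes_out": 5000},  # public, hidden by MISTYPED
    {"src": "198.51.100.7", "action": "allowed", "bytes_out": 700},
    {"src": "198.51.100.7", "action": "allowed", "bytes_out": 900},  # same src: dedup keeps first
    {"src": "203.0.113.9", "action": "blocked", "bytes_out": 0},     # not action="allowed"
]


def is_external(src: str, ranges: Iterable[ipaddress.IPv4Network]) -> bool:
    # src!=<range> for every range: external means "in none of them".
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in ranges)


def external_allowed_sources(events: List[dict], ranges: Iterable[ipaddress.IPv4Network]) -> List[dict]:
    # Mirror of: src not in ranges, action="allowed" ... | dedup src
    # dedup keeps the first row seen per src, so the list preserves event order.
    ranges = list(ranges)
    kept: List[dict] = []
    seen = set()
    for ev in events:
        if ev["action"] != "allowed" or not is_external(ev["src"], ranges):
            continue
        if ev["src"] in seen:
            continue
        seen.add(ev["src"])
        kept.append(ev)
    return kept


if __name__ == "__main__":
    print("correct :", [e["src"] for e in external_allowed_sources(EVENTS, RFC1918)])
    print("mistyped:", [e["src"] for e in external_allowed_sources(EVENTS, MISTYPED)])
```

With the correct ranges the table holds only the two public sources; with the mistyped range a private 172.16.x.x host appears as "external" while a genuinely public 192.170.x.x source vanishes, which is exactly the kind of silent gap a threat-hunting search should not have.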
Track Remediation Progress by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type:
OS & Device Agnostic
eventtype="qualys_vm_detection_event" STATUS="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID
Linux
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
Network (F5/Cisco/Firewall)
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup QID IP | stats count by IP | sort -count | head 25
Windows Desktop
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
Windows Server
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
I take no credit for this. These queries were discovered […]
Top 25 Most Vulnerable Systems by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type:
Linux
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
Network (F5/Cisco/Firewall)
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup QID IP | stats count by IP | sort -count | head 25
Windows Desktop
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
Windows Server
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" | dedup QID IP | stats count by IP | sort -count | head 25
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs) – Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type:
Linux
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count
Network (F5/Cisco/Firewall)
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count
Windows Desktop
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count
Windows Server
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 -count
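The three Qualys sections above (remediation progress, top 25 most vulnerable systems, top 25 prevailing vulnerabilities) share the same building blocks: an OS regex, a dedup on a key pair, and a count. The Python below is an added example for this page, not code from the original post or from Tarun Kumar's blog, and it runs those blocks over constructed detection events so the behaviour of the patterns can be checked offline. The events, host IDs, QIDs and the stand-in for qualys_kb_lookup are all invented. Two points it makes visible: ((?!\/).)* rejects any OS string that contains a slash, which is how Qualys' ambiguous fingerprints fall out of the per-OS lists, and the "most vulnerable systems" searches carry no STATUS filter, so findings already marked FIXED still count toward a host's total. Whether the desktop pattern should also cover Windows 10 and 11 is for the operator to decide; as written it does not.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# The OS patterns from the searches, as Python regexes (PCRE-compatible syntax).
# ((?!\/).)* is "a run of characters containing no slash", so a fingerprint
# such as "Linux 2.6 / Embedded Device" fails the ^...$ anchored patterns.
OS_PATTERNS = {
    "linux": re.compile(r"^((?!\/).)*Linux((?!\/).)*$"),
    "network": re.compile(r"(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)"),
    "windows_desktop": re.compile(r"^Windows (2000$|XP|7|8)((?!\/).)*$"),
    "windows_server": re.compile(r"^Windows .*Server((?!\/).)*$"),
}

# Constructed stand-in for qualys_kb_lookup (QID -> TITLE, SEVERITY); all invented.
KB = {
    1001: {"TITLE": "Constructed: OpenSSL update missing", "SEVERITY": 4},
    1002: {"TITLE": "Constructed: sudo privilege escalation", "SEVERITY": 5},
    2001: {"TITLE": "Constructed: Windows SMB patch missing", "SEVERITY": 5},
    3001: {"TITLE": "Constructed: Cisco IOS update missing", "SEVERITY": 4},
}

# Constructed qualys_vm_detection_event records; hosts, IPs and OS strings are invented.
EVENTS = [
    {"HOST_ID": 1, "IP": "10.0.0.1", "QID": 1001, "SEVERITY": 4, "STATUS": "ACTIVE", "OS": "Red Hat Enterprise Linux 7.9"},
    {"HOST_ID": 1, "IP": "10.0.0.1", "QID": 1001, "SEVERITY": 4, "STATUS": "ACTIVE", "OS": "Red Hat Enterprise Linux 7.9"},  # re-detected; dedup collapses it
    {"HOST_ID": 2, "IP": "10.0.0.2", "QID": 1001, "SEVERITY": 4, "STATUS": "ACTIVE", "OS": "Ubuntu Linux 20.04"},
    {"HOST_ID": 2, "IP": "10.0.0.2", "QID": 1002, "SEVERITY": 5, "STATUS": "FIXED", "OS": "Ubuntu Linux 20.04"},
    {"HOST_ID": 3, "IP": "10.0.0.3", "QID": 1003, "SEVERITY": 2, "STATUS": "ACTIVE", "OS": "Ubuntu Linux 20.04"},  # SEVERITY <= 3: excluded
    {"HOST_ID": 4, "IP": "10.0.0.4", "QID": 1001, "SEVERITY": 4, "STATUS": "ACTIVE", "OS": "Linux 2.6 / Embedded Device"},  # slash: not "linux"
    {"HOST_ID": 5, "IP": "10.0.0.5", "QID": 2001, "SEVERITY": 5, "STATUS": "ACTIVE", "OS": "Windows 2012 R2 Server"},
    {"HOST_ID": 6, "IP": "10.0.0.6", "QID": 2001, "SEVERITY": 5, "STATUS": "FIXED", "OS": "Windows 7 Enterprise"},
    {"HOST_ID": 7, "IP": "10.0.0.7", "QID": 3001, "SEVERITY": 4, "STATUS": "ACTIVE", "OS": "Cisco IOS 15.2"},
]


def classify(os_name: str) -> List[str]:
    # Splunk's regex command matches anywhere in the field, hence search(), not match().
    return [name for name, pat in OS_PATTERNS.items() if pat.search(os_name)]


def remediation_progress(events: List[dict]) -> Dict[int, int]:
    # STATUS="FIXED" | dedup HOST_ID, QID | stats count by QID
    fixed = {(e["HOST_ID"], e["QID"]) for e in events if e["STATUS"] == "FIXED"}
    return dict(Counter(qid for _, qid in fixed))


def most_vulnerable_hosts(events: List[dict], category: str, limit: int = 25) -> List[Tuple[str, int]]:
    # SEVERITY > 3 | regex OS=... | dedup QID IP | stats count by IP | sort -count | head 25
    # No STATUS filter here, so FIXED findings still add to a host's count.
    pairs = {(e["QID"], e["IP"]) for e in events
             if e["SEVERITY"] > 3 and category in classify(e["OS"])}
    counts = Counter(ip for _, ip in pairs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def top_prevailing(events: List[dict], category: str, limit: int = 25) -> List[dict]:
    # SEVERITY > 3 STATUS="ACTIVE" | regex OS=... | dedup HOST_ID QID
    # | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY | stats count by QID, TITLE, SEVERITY | sort 25 -count
    pairs = {(e["HOST_ID"], e["QID"]) for e in events
             if e["SEVERITY"] > 3 and e["STATUS"] == "ACTIVE" and category in classify(e["OS"])}
    counts = Counter(qid for _, qid in pairs)
    rows = [{"QID": qid,
             "TITLE": KB.get(qid, {}).get("TITLE"),
             "SEVERITY": KB.get(qid, {}).get("SEVERITY"),
             "count": n} for qid, n in counts.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["QID"]))[:limit]


if __name__ == "__main__":
    for name in ("Red Hat Enterprise Linux 7.9", "Linux 2.6 / Embedded Device", "Windows 10 Pro"):
        print(f"{name!r:40} -> {classify(name)}")
    print("remediation:", remediation_progress(EVENTS))
    print("linux hosts:", most_vulnerable_hosts(EVENTS, "linux"))
    print("linux QIDs :", top_prevailing(EVENTS, "linux"))
```

The set-based dedup gives the same counts as Splunk's dedup followed by stats; the only difference is that sort -count leaves ties in arbitrary order in SPL, whereas the example breaks ties by QID or IP so the output is stable.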
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.