Track Remediation Progress by OS – Qualys

• Qualys
• SplunkNinja
• 0 3

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic

eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

1	eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

I take no credit for this. These queries were discovered […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

• Qualys
• SplunkNinja
• 0 0

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

• Qualys
• SplunkNinja
• 0 0

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

List IPs that had Successful and Failed SSH Attempts

• linux_secure
• ItsJohnLocke
• 4 Comments
• 2 7

The following query was discovered on stackoverflow. It performs the necessary regex field extractions to get a list of IPs associated with SSH login attempts.

source="*secure" process=sshd "password for" | rex field=_raw "(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)" |eval success=if(result=="Failed",0,1) |stats count as total,sum(success) as success by ipaddr |where total!=success AND success!=0

1	source="*secure" process=sshd "password for" | rex field=_raw "(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)" |eval success=if(result=="Failed",0,1) |stats count as total,sum(success) as success by ipaddr |where total!=success AND success!=0

Continue Reading →

Linux Free Disk Space

• SplunkNinja
• 2 0

The following Splunk query shows a percentage of free disk space over a period of time using timechart:

index=os sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) by host

1	index=os sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) by host

Continue Reading →

Linux Memory Usage

• SplunkNinja
• 1 Comment
• 1 1

The following Splunk Search will show memory usage on a linux machine over a period of time using timechart:

index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | timechart latest(MEM) by host

1	index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | timechart latest(MEM) by host

Continue Reading →

Linux CPU Usage

• SplunkNinja
• 3 0

The following query will output CPU usage per host over a period of time using timechart:

index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart latest(CPU) by host

1	index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart latest(CPU) by host

Continue Reading →

Number of mails sent over time (Postfix)

• postfix_syslog
• m1ll3n1umf4lc0n
• 2 0

sourcetype=postfix_syslog host=insertHostnameHere status=sent | timechart span=1d count

1	sourcetype=postfix_syslog host=insertHostnameHere status=sent | timechart span=1d count

Total number of sent emails per day. Using it for Linux servers that use the Postfix mta.

Continue Reading →

Timechart of Linux Logons

• linux_secure
• ItsJohnLocke
• 2 0

The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

  The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

Continue Reading →

Successful Linux Logons by Username

• linux_secure
• ItsJohnLocke
• 3 1

As stated in the title, this Splunk search query will return a list of all successful logons by user name on linux hosts. The regex is provided in the event the field is not extracted:

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | stats count by username

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | stats count by username

Continue Reading →

List of Failed Login Attempts in Linux

• linux_secure
• ItsJohnLocke
• 2 Comments
• 0 1

This Splunk search will show a count of all user accounts and a number of times they have attempted to logon. The REGEX is written into the query, remove it if you are already extracting those field names:  

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | stats count by username | sort - count

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | stats count by username | sort - count

Continue Reading →

Count of Unique Users in a Linux Environment

• linux_secure
• SplunkNinja
• 0 0

This splunk query will return the total number of unique users in a given time range.  

sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)

1	sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)

Continue Reading →