1 2 3 4 5 6 7 8 9 |
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)` |rename process_guid as proc_guid |join proc_guid, _time [ | tstats `summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as proc_guid | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] | table process_name process proc_guid file_name file_path action _time parent_process_name parent_process process_path dest user |
Software inventory
I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 |
<form> <label>Software Inventory</label> <fieldset submitButton="false" autoRun="false"> <input type="dropdown" token="software_picker" searchWhenChanged="true"> <label>Software</label> <choice value=""falcon-sensor" "Crowdstrike Windows Sensor"">Crowdstrike</choice> <choice value=""*qualys*"">Qualys</choice> <choice value=""*SecureConnector*"">Forescout</choice> <prefix>tinv_software_name IN (</prefix> <suffix>)</suffix> <default>"falcon-sensor" "Crowdstrike Windows Sensor"</default> </input> <input type="dropdown" token="environment_picker" searchWhenChanged="true"> <label>Environment</label> <choice value="On-Prem">On-Prem</choice> <choice value="AWS">AWS</choice> <choice value="env2">env2</choice> <choice value="env3">env3</choice> <choice value="env4">env4</choice> <prefix>Environment IN (</prefix> <suffix>)</suffix> <default>On-Prem</default> </input> <input type="dropdown" token="os_picker" searchWhenChanged="true"> <label>Operating System</label> <choice value="windows">Windows</choice> <choice value="unix">Linux</choice> <default>windows</default> </input> </fieldset> <row> <panel> <table> <search> <query>| tstats count where index IN ($os_picker$) host!=*.txt by host | eval host=lower(host) | eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp",host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits",1=1,"On-Prem") | search $environment_picker$ | join host type=outer [| search index=$os_picker$ tag=software tag=inventory $software_picker$ | eval host=lower(host) | fields host tinv_software_name tinv_software_version ] | fillnull value="-" tinv_software_name | rename tinv_software_name AS "Software Name" tinv_software_version AS "Version" | fields host "Software Name" "Version" Environment | sort -tinv_software_name</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> |
Hope this helps. Let me know if you have any suggestions.
Track Remediation Progress by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic
1 |
eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID |
Linux
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Network (F5/Cisco/Firewall)
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Desktop
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Server
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
I take no credit for this. These queries were discovered […]
Top 25 Most Vulnerable Systems by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Network (F5/Cisco/Firewall)
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Desktop
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Server
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
Network (F5/Cisco/Firewall)
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
Windows Desktop
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
Windows Server
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Linux Free Disk Space
The following Splunk query shows a percentage of free disk space over a period of time using timechart:
1 |
index=os sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) by host |
Linux Memory Usage
The following Splunk Search will show memory usage on a linux machine over a period of time using timechart:
1 |
index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | timechart latest(MEM) by host |
Linux CPU Usage
The following query will output CPU usage per host over a period of time using timechart:
1 |
index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart latest(CPU) by host |
Number of mails sent over time (Postfix)
1 |
sourcetype=postfix_syslog host=insertHostnameHere status=sent | timechart span=1d count |
Total number of sent emails per day. Using it for Linux servers that use the Postfix mta.
Timechart of Linux Logons
The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):
1 |
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username) |
The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):
1 |
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username) |
Successful Linux Logons by Username
As stated in the title, this Splunk search query will return a list of all successful logons by user name on linux hosts. The regex is provided in the event the field is not extracted:
1 |
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | stats count by username |
List of Failed Login Attempts in Linux
This Splunk search will show a count of all user accounts and a number of times they have attempted to logon. The REGEX is written into the query, remove it if you are already extracting those field names:
1 |
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | stats count by username | sort - count |
Count of Unique Users in a Linux Environment
This splunk query will return the total number of unique users in a given time range.
1 |
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User) |