Software inventory

• Dashboards
• manderso
• 1 0

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it.

<form> <label>Software Inventory</label> <fieldset submitButton="false" autoRun="false"> <input type="dropdown" token="software_picker" searchWhenChanged="true"> <label>Software</label> <choice value="&quot;falcon-sensor&quot; &quot;Crowdstrike Windows Sensor&quot;">Crowdstrike</choice> <choice value="&quot;*qualys*&quot;">Qualys</choice> <choice value="&quot;*SecureConnector*&quot;">Forescout</choice> <prefix>tinv_software_name IN (</prefix> <suffix>)</suffix> <default>"falcon-sensor" "Crowdstrike Windows Sensor"</default> </input> <input type="dropdown" token="environment_picker" searchWhenChanged="true"> <label>Environment</label> <choice value="On-Prem">On-Prem</choice> <choice value="AWS">AWS</choice> <choice value="env2">env2</choice> <choice value="env3">env3</choice> <choice value="env4">env4</choice> <prefix>Environment IN (</prefix> <suffix>)</suffix> <default>On-Prem</default> </input> <input type="dropdown" token="os_picker" searchWhenChanged="true"> <label>Operating System</label> <choice value="windows">Windows</choice> <choice value="unix">Linux</choice> <default>windows</default> </input> </fieldset> <row> <panel> <table> <search> <query>| tstats count where index IN ($os_picker$) host!=*.txt by host | eval host=lower(host) | eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp",host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits",1=1,"On-Prem") | search $environment_picker$ | join host type=outer [| search index=$os_picker$ tag=software tag=inventory $software_picker$ | eval host=lower(host) | fields host tinv_software_name tinv_software_version ] | fillnull value="-" tinv_software_name | rename tinv_software_name AS "Software Name" tinv_software_version AS "Version" | fields host "Software Name" "Version" Environment | sort -tinv_software_name</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">50</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">true</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

<form>   <label>Software Inventory</label>   <fieldset submitButton="false" autoRun="false">     <input type="dropdown" token="software_picker" searchWhenChanged="true">       <label>Software</label>       <choice value="&quot;falcon-sensor&quot; &quot;Crowdstrike Windows Sensor&quot;">Crowdstrike</choice>       <choice value="&quot;*qualys*&quot;">Qualys</choice>       <choice value="&quot;*SecureConnector*&quot;">Forescout</choice>       <prefix>tinv_software_name IN (</prefix>       <suffix>)</suffix>       <default>"falcon-sensor" "Crowdstrike Windows Sensor"</default>     </input>     <input type="dropdown" token="environment_picker" searchWhenChanged="true">       <label>Environment</label>       <choice value="On-Prem">On-Prem</choice>       <choice value="AWS">AWS</choice>       <choice value="env2">env2</choice>       <choice value="env3">env3</choice>       <choice value="env4">env4</choice>       <prefix>Environment IN (</prefix>       <suffix>)</suffix>       <default>On-Prem</default>     </input>     <input type="dropdown" token="os_picker" searchWhenChanged="true">       <label>Operating System</label>       <choice value="windows">Windows</choice>       <choice value="unix">Linux</choice>       <default>windows</default>     </input>   </fieldset>   <row>     <panel>       <table>         <search>           <query>| tstats count where index IN ($os_picker$) host!=*.txt by host | eval host=lower(host) | eval Environment=case(host LIKE "%desktop%" OR host LIKE "%z1-%" OR host LIKE "ec2%" OR host LIKE "%z2-%" OR host LIKE "%z-%" OR host LIKE "%z3-%" OR host LIKE "i-%", "AWS", host LIKE "cc%", "Communicorp",host LIKE "%win%" OR host LIKE "%awn%", "Argus", host LIKE "%empoweredbenefits.com", "Empowered Benefits",1=1,"On-Prem") | search $environment_picker$ | join host type=outer     [| search index=$os_picker$ tag=software tag=inventory $software_picker$     | eval host=lower(host)     | fields host  tinv_software_name tinv_software_version         ] | fillnull value="-" tinv_software_name | rename tinv_software_name AS "Software Name" tinv_software_version AS "Version" | fields host  "Software Name" "Version" Environment | sort -tinv_software_name</query>           <earliest>-24h@h</earliest>           <latest>now</latest>           <sampleRatio>1</sampleRatio>         </search>         <option name="count">50</option>         <option name="dataOverlayMode">none</option>         <option name="drilldown">none</option>         <option name="percentagesRow">false</option>         <option name="refresh.display">progressbar</option>         <option name="rowNumbers">true</option>         <option name="totalsRow">false</option>         <option name="wrap">true</option>       </table>     </panel>   </row> </form>

Hope this helps. Let me know if you have any suggestions.

Continue Reading →

Track Remediation Progress by OS – Qualys

• Qualys
• SplunkNinja
• 1 3

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic

eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

1	eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

I take no credit for this. These queries were discovered […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

• Qualys
• SplunkNinja
• 1 0

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

• Qualys
• SplunkNinja
• 0 0

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Linux Free Disk Space

• SplunkNinja
• 3 0

The following Splunk query shows a percentage of free disk space over a period of time using timechart:

index=os sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) by host

1	index=os sourcetype=df PercentFreeSpace=* mount="/" | timechart latest(PercentFreeSpace) by host

Continue Reading →

Linux Memory Usage

• SplunkNinja
• 1 Comment
• 1 6

The following Splunk Search will show memory usage on a linux machine over a period of time using timechart:

index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | timechart latest(MEM) by host

1	index=os sourcetype=top pctMEM=*| transaction host _time | streamstats window=1 global=f sum(pctMEM) as MEM | timechart latest(MEM) by host

Continue Reading →

Linux CPU Usage

• SplunkNinja
• 7 2

The following query will output CPU usage per host over a period of time using timechart:

index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart latest(CPU) by host

1	index=os sourcetype=top pctCPU=* | transaction host _time | streamstats window=1 global=f sum(pctCPU) as CPU | timechart latest(CPU) by host

Continue Reading →

Number of mails sent over time (Postfix)

• postfix_syslog
• m1ll3n1umf4lc0n
• 2 0

sourcetype=postfix_syslog host=insertHostnameHere status=sent | timechart span=1d count

1	sourcetype=postfix_syslog host=insertHostnameHere status=sent | timechart span=1d count

Total number of sent emails per day. Using it for Linux servers that use the Postfix mta.

Continue Reading →

Timechart of Linux Logons

• linux_secure
• ItsJohnLocke
• 4 1

The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

  The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

Continue Reading →

Successful Linux Logons by Username

• linux_secure
• ItsJohnLocke
• 5 1

As stated in the title, this Splunk search query will return a list of all successful logons by user name on linux hosts. The regex is provided in the event the field is not extracted:

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | stats count by username

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | stats count by username

Continue Reading →

List of Failed Login Attempts in Linux

• linux_secure
• ItsJohnLocke
• 3 Comments
• 1 1

This Splunk search will show a count of all user accounts and a number of times they have attempted to logon. The REGEX is written into the query, remove it if you are already extracting those field names:  

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | stats count by username | sort - count

1

sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | stats count by username | sort - count

Continue Reading →

Count of Unique Users in a Linux Environment

• linux_secure
• SplunkNinja
• 1 0

This splunk query will return the total number of unique users in a given time range.  

sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)

1	sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)

Continue Reading →