Groundspeed Violation/Improbable Access

Oftentimes we are required to identify impossible or improbable access events. In a modern SIEM this is typically a relatively simple thing to do; Splunk without ESS (Enterprise Security), however, does not have a "great" way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]
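The logic the post is describing, as an added example that is not code from the original post: pair each user's login with that user's previous login, geolocate both source addresses, and flag the pair when the implied ground speed exceeds what a commercial flight could achieve. It is written in plain Python rather than SPL so the check can be read and tested outside Splunk. The event log, the user names, the IP-to-coordinate table (standing in for an iplocation lookup) and the 900 km/h threshold are all constructed assumptions for this illustration.

```python
"""Groundspeed-violation (improbable travel) check over authentication events.

Added example, not code from the original post. Same idea as the Splunk
temporal correlation the post describes: sort each user's logins, compare
each login with the previous one, and flag an implied speed that is too high.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Faster than a commercial jet between two logins is improbable.
# This threshold is an assumption; tune it for your environment.
MAX_GROUNDSPEED_KMH = 900.0

# Constructed sample events: (ISO-8601 UTC timestamp, user, source IP).
# In Splunk these would come from authentication / VPN / IdP data.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00Z", "alice", "203.0.113.10"),
    ("2024-03-01T09:00:00Z", "alice", "198.51.100.7"),   # NYC -> London in 1h
    ("2024-03-01T08:00:00Z", "bob", "203.0.113.10"),
    ("2024-03-01T11:00:00Z", "bob", "192.0.2.44"),       # NYC -> Chicago in 3h
    ("2024-03-01T08:00:00Z", "carol", "203.0.113.10"),
    ("2024-03-01T08:05:00Z", "carol", "203.0.113.10"),   # same source twice
    ("2024-03-01T12:00:00Z", "dave", "198.51.100.7"),    # single login
    ("2024-03-01T10:30:00Z", "eve", "203.0.113.10"),
    ("2024-03-01T10:30:00Z", "eve", "198.51.100.7"),     # two places, same second
]

# Constructed IP -> (latitude, longitude) table standing in for an iplocation
# lookup. Documentation-range addresses; coordinates are NYC, London, Chicago.
GEO = {
    "203.0.113.10": (40.7128, -74.0060),
    "198.51.100.7": (51.5074, -0.1278),
    "192.0.2.44": (41.8781, -87.6298),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_ts(s):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_groundspeed_violations(events, geo, max_kmh=MAX_GROUNDSPEED_KMH):
    """Return one dict per consecutive login pair whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((parse_ts(ts), ip))

    violations = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order; the "previous login" is the preceding entry
        for (t0, ip0), (t1, ip1) in zip(logins, logins[1:]):
            if ip0 == ip1 or ip0 not in geo or ip1 not in geo:
                continue  # same source, or no geo data: nothing to compare
            dist_km = haversine_km(*geo[ip0], *geo[ip1])
            hours = (t1 - t0).total_seconds() / 3600.0
            # Two different locations with no elapsed time is itself improbable.
            kmh = math.inf if hours <= 0 else dist_km / hours
            if kmh > max_kmh:
                violations.append({
                    "user": user, "prev_ip": ip0, "src_ip": ip1,
                    "distance_km": round(dist_km, 1), "hours": round(hours, 2),
                    "kmh": kmh,
                })
    return violations


if __name__ == "__main__":
    for v in find_groundspeed_violations(SAMPLE_EVENTS, GEO):
        print(f"{v['user']}: {v['prev_ip']} -> {v['src_ip']} "
              f"{v['distance_km']} km in {v['hours']} h = {v['kmh']:.0f} km/h")
```

On the sample data only alice (New York to London in one hour) and eve (two locations at the same instant) are flagged; bob's three-hour New York to Chicago hop works out to under 400 km/h and carol's repeated logins from one address are skipped. In production the main sources of false positives are VPN egress points and mobile carrier NAT, so a lookup of known corporate or provider ranges belongs in front of this check.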


Search All Traffic by src / action – Creates Table

This is a magical query for tracking down all internal resources connecting to or from external IPs and countries.


Top 25 Most Vulnerable Systems by OS – Qualys

The following Splunk search queries against the Qualys sourcetype list the top 25 most vulnerable systems. The queries are separated by operating system or device type:

Linux

Network (F5/Cisco/Firewall)

Windows Desktop

Windows Server

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.


Network Traffic Sent in Megabytes over Time

The following Splunk query shows a timechart of network traffic sent over a period of time for a specified host (edit the query to name the host; as written it defaults to all hosts). The query also converts the default unit, bytes, to megabytes.



Network Traffic Received in Megabytes over Time

The following Splunk query shows a timechart of network traffic received over a period of time for a specified host (edit the query to name the host; as written it defaults to all hosts). The query also converts the default unit, bytes, to megabytes.
