Groundspeed Violation/Improbable Access

Oftentimes we are required to determine impossible or improbably access events. Typically, this is a relatively simple thing to do in a modern SIEM, however Splunk, without ESS, does not have a “great” way to handle this type of temporal correlation aside from appends or joins back to the original data. I constructed the following […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS=”^((?!\/).)*Linux((?!\/).)*$” |dedup QID IP| stats count by IP | sort -count | head 25 Network (F5/Cisco/Firewall) eventtype=qualys_vm_detection_event SEVERITY > 3 | regex […]

Continue Reading →

Network Traffic Sent in Megabytes over Time

The following splunk query will show a timechart of network traffic sent over a period of time for any host specified (make sure you edit the query to specify a host, this one defaults to all). The query also converts the default value of Bytes to Megabytes.   sourcetype=”Perfmon:Network Interface” (host=”*”)  counter=”Bytes Sent/sec” | eval MB=(Value/1024/1024) […]

Continue Reading →

Network Traffic Received in Megabytes over Time

The following splunk query will show a timechart of network traffic received over a period of time for any host specified (make sure you edit the query to specify a host, this one defaults to all). The query also converts the default value of Bytes to Megabytes.   sourcetype=”Perfmon:Network Interface” (host=”*”)  counter=”Bytes Received/sec”| eval MB=(Value/1024/1024)| […]

Continue Reading →