Software inventory

I’ve been looking a while for something like this, and decided to make it myself. This relies on the tinv_software _inventory add-on found on Splunkbase, but you can do it without, if you feel like it. <form> <label>Software Inventory</label> <fieldset submitButton=”false” autoRun=”false”> <input type=”dropdown” token=”software_picker” searchWhenChanged=”true”> <label>Software</label> <choice value=”&quot;falcon-sensor&quot; &quot;Crowdstrike Windows Sensor&quot;”>Crowdstrike</choice> <choice value=”&quot;*qualys*&quot;”>Qualys</choice> <choice […]

Continue Reading →

Windows Software Matrix

Description: This query will generate a software matrix or viewing the versions and names of all software installed on windows hosts reporting to Splunk.  It requires the Stanza [script://.\bin\win_installed_apps.bat] enabled in the Splunk_TA_Windows Add-on.  We run this once a day and have a dashboard for viewing the data that’s hard set for the past 24 […]

Continue Reading →

High Level Windows Dashboard

Part 1 – User Logon Activity The following Splunk Dashboard provides a high level view of windows user logon activity. It should be emphasized that the focus of this dashboard is fairly high level, has a time picker (defaulting to 7 days) and shows both successful and failed user logons (table and timechart) as well […]

Continue Reading →

Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host: source=”WinEventLog:security” EventCode=4625 | timechart span=1h count by host The following Splunk query will show a detailed table of failed logon attempts per host and user with 5 minute chunks/blocks of time, as well as show a sparkline (mini timechart) within the […]

Continue Reading →

Track Remediation Progress by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic eventtype=”qualys_vm_detection_event” STATUS =”FIXED” earliest=-30d@d | dedup HOST_ID, QID | stats count by QID Linux eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS=”^((?!\/).)*Linux((?!\/).)*$” |dedup […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS=”^((?!\/).)*Linux((?!\/).)*$” |dedup QID IP| stats count by IP | sort -count | head 25 Network (F5/Cisco/Firewall) eventtype=qualys_vm_detection_event SEVERITY > 3 | regex […]

Continue Reading →

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS=”ACTIVE” | regex OS=”^((?!\/).)*Linux((?!\/).)*$” | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by […]

Continue Reading →

Monitor for Service Changes in Windows

The following splunk search looks for changes in services within Windows.   sourcetype=”WinEventLog:System” EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,”.”) | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message  

Continue Reading →

Monitor File Shares being Accessed in Windows

This splunk search will show file shares being accessed within windows environments. sourcetype=”WinEventLog:Security” EventCode=5140 (Share_Name=”*\\C$” OR Share_Name=”*D$” OR Share_Name=”*E$” OR Share_Name=”*F$” OR Share_Name=”*U$”) NOT Source_Address=”::1″ | eval Destination_Sys1=trim(host,”1″) | eval Destination_Sys2=trim(host,”2″) | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats […]

Continue Reading →

Qualys Active OS Vuln Count

The following Splunk Search (query) is for Qualys and will show vulnerability count for Windows Hosts. This query assumes that your index is defined as qualys. index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE=”CONFIRMED” earliest=-30d@d | dedup HOST_ID, QID | search STATUS!=”FIXED” | join QID [ search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [ search […]

Continue Reading →

Account Enabled in Windows

The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer: sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, “%Y/%m/%d”) |rex “ID:\s+\w+\\\(?<sourceaccount>\S+)\s+” | rex “Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+” | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename […]

Continue Reading →