Splunk Universal Forwarder Audit - Windows
Versioning - This is the latest version.
1 | Splunk Universal Forwarder Audit - Windows | 7/22/2016 1:40:59 PM
2 | Splunk Universal Forwarder Audit - Windows | 7/22/2016 3:17:26 PM
3 | Splunk Universal Forwarder Audit - Windows | 7/22/2016 3:39:32 PM
Description
This is based upon @JasonWalker's analysis: https://bigfix.me/analysis/details/2994522
Property Details
2998317
Alpha - Code that was just developed
Splunk Universal Forwarder Audit - Windows
BESC
jgstew on 7/22/2016 3:39:32 PM
jgstew on 7/22/2016 3:39:32 PM
5455 Views / 70 Downloads
Properties
SPLUNK_HOME path
Period
6 hours
* Results in a true/false

unique values of pathnames of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
Splunk Version
Period
6 hours
* Results in a "string"/number

unique values of (it as string as trimmed string) of values "DisplayVersion" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
Splunk Service State
Period
1 hour
* Results in a "string"/number

unique values of states of services "SplunkForwarder"
Splunk Connection Status
Period
1 hour
* Results in a "string"/number

exists sockets whose(remote port of it = 9997 AND established of tcp state of it) of networks
Splunk Active Server IP Address
Period
1 hour
* Results in a "string"/number

unique values of remote addresses of sockets whose(remote port of it = 9997 AND established of tcp state of it) of networks
Splunk Server URI
Period
6 hours
* Results in a "string"/number

unique values of (preceding text of last ":" of it | it) of (following text of last ".server=" of it | following text of last ".targeturi=" of it) of (it as lowercase) of variables whose(it as lowercase contains ".server=" OR it as lowercase contains ".targeturi=") of files whose(name of it as lowercase ends with ".conf") of folders "etc\system\local" of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
Splunk defaultGroup
Period
6 hours
* Results in a "string"/number

unique values of following texts of firsts "[tcpout].defaultGroup=" of variables whose(it starts with "[tcpout].defaultGroup=") of files "outputs.conf" of folders "etc\system\local" of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
Splunk ssl variables of tcpout defaultGroup
Period
Every Report
* Results in a true/false

following texts of firsts "]." of items 0 whose(it as lowercase contains "].ssl") of ( variables whose(it starts with "[tcpout:") of it, unique values of following texts of firsts "[tcpout].defaultGroup=" of variables whose(it starts with "[tcpout].defaultGroup=") of it ) whose(item 0 of it starts with ("[tcpout:" & item 1 of it & "]")) of files "outputs.conf" of folders "etc\system\local" of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
Splunk variables of tcpout defaultGroup
Period
12 hours
* Results in a true/false

following texts of firsts "]." of items 0 of ( variables whose(it starts with "[tcpout:") of it, unique values of following texts of firsts "[tcpout].defaultGroup=" of variables whose(it starts with "[tcpout].defaultGroup=") of it ) whose(item 0 of it starts with ("[tcpout:" & item 1 of it & "]")) of files "outputs.conf" of folders "etc\system\local" of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
Relevance
isWindows (Relevance 1172)

windows of operating system

( exists (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries) ) OR ( exists services "SplunkForwarder" )