Created
March 26, 2021 14:36
-
-
Save faststeak/c8a0483ca0a25c6c92bab43579596c16 to your computer and use it in GitHub Desktop.
Splunk search looking for writable shares with Tenable Nessus data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| index=<your tenable index here> sourcetype=tenable:sc:vuln (pluginID=10396 OR pluginID=10395 OR pluginID=23973 OR pluginID=24271 OR pluginID=42411 OR pluginID=60119) TERM(<your testuser here>) | |
| | table ip dnsName pluginID pluginName pluginText | |
| | rex field=pluginText max_match=0 (?<allInfo>((?<=\n-\s)((?<=\n-\s)(.+\n)*)*)) | |
| | mvexpand allInfo | |
| | rex field=allInfo (?<shareContents>((?<=:\n)(.+\n)*(.)*)) | |
| | rex field=allInfo (?<sharePermissions>(((?<=\s{2}-\s\()(.)*)(?=\)))) | |
| | rex field=allInfo (?<shareName>((.)*(?=\s{2}-))) | |
| | search sharePermissions=*writable* | |
| | table dnsName shareName |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment