How to list out unwanted software installed on use...

syed_star357 · ‎08-28-2016

Dear team,

What is the search condition to list out, which are the software installed on user workstation.

Regards,
syed

jconger · ‎08-30-2016

If your workstation OS is Windows, you can use the following PowerShell as a scripted input on your Universal Forwarder to get the installed software in a Splunk index.

Save this as GetInstalledSoftware.ps1 (or similar):

Param($Computer = $ENV:ComputerName)   
$ScriptRunTime = (get-date).ToFileTime()
$RemoteRegistry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$Computer)   
$RegKey = $RemoteRegistry.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\")
if($RegKey)
{
    foreach($key in $RegKey.GetSubKeyNames())   
    {
        $output = @()
        $SubKey = $RegKey.OpenSubKey($key)
        $DisplayName = $SubKey.GetValue("DisplayName")
        if($DisplayName)
        {
            $output += 'Name="{0}"'            -f $DisplayName
            $output += 'Version="{0}"'         -f ($SubKey.GetValue("DisplayVersion"))  
            $output += 'InstallLocation="{0}"' -f ($SubKey.GetValue("InstallLocation")) 
            $output += 'Vendor="{0}"'          -f ($SubKey.GetValue("Publisher")) 
            $output += 'ScriptRunTime="{0}"'   -f $ScriptRunTime
        }

        if($output.count -gt 0)
        {
            Write-Host ("{0:MM/dd/yyyy HH:mm:ss} GMT - {1}" -f ((get-date).ToUniversalTime()),( $output -join " " ))
        }
    }   
}

$RegKey = $RemoteRegistry.OpenSubKey("SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
if($RegKey)
{
    foreach($key in $RegKey.GetSubKeyNames())   
    {
        $output = @()
        $SubKey = $RegKey.OpenSubKey($key)   
        $DisplayName = $SubKey.GetValue("DisplayName")
        if($DisplayName)
        {
            $output += 'Name="{0}"'            -f $DisplayName
            $output += 'Version="{0}"'         -f ($SubKey.GetValue("DisplayVersion")) 
            $output += 'InstallLocation="{0}"' -f ($SubKey.GetValue("InstallLocation"))
            $output += 'Vendor="{0}"'          -f ($SubKey.GetValue("Publisher"))
            $output += 'ScriptRunTime="{0}"'   -f $ScriptRunTime
        }

        if($output.count -gt 0)
        {
            Write-Host ("{0:MM/dd/yyyy HH:mm:ss} GMT - {1}" -f ((get-date).ToUniversalTime()),( $output -join " " ))
        }
    }   
}

Then, you can use a search like the following to see what software is installed per workstation:

index=YOUR_INDEX sourcetype="YOUR_SOURCETYPE" |  stats values(host) AS Hosts by Name Version Vendor |  sort Name |  rename Name AS "Application Name"

woodcock · ‎08-29-2016

Splunk does not do this by default. You need to create or acquire something else that can track software and forward this periodically into Splunk. Typically this is done with a Scripted Input. You can check to see if somebody else has created one by visiting splunkbase:

http://apps.splunk.com/

I know that Tanium also does this and plays well with Splunk:

https://www.tanium.com/

sundareshr · ‎08-28-2016

You will need to provide a lot more information. What data do you have in splunk, do you have a list of "wanted" software etc. Share some events and/or query that you have tried to get the best possible answer.

How to list out unwanted software installed on user machine

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to list out unwanted software installed on user machine

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem