The following Splunk query example will return the total number of hosts the Root account was detected on in a given time range. *NOTE* If the host field is being auto-extracted (for instance, if you are using a universal forwarder), you will not need the regex command and can call upon the auto-extracted fieldname […]
Top 10 Most Active Hosts in a Linux Environment
The following Splunk query example will return the top 10 most active hosts in a given time range. Active in this instance is determined simply by the number of log entries. *NOTE* If the host field is being auto-extracted (for instance, if you are using a universal forwarder), you will not need the regex command and […]
Count of Unique Hosts in Linux
The following Splunk query example will return a unique count of hosts in a given time range. *NOTE* If the host field is being auto-extracted (for instance, if you are using a universal forwarder), you will not need the regex command and can call upon the auto-extracted fieldname of “host”.
sourcetype=linux_secure | rex ".*:\d{2}\s(?<hostname>\S+)" | […]
List of Hosts in a Linux Environment
The following Splunk query example will return a list of hosts by hostname in a given time range. *NOTE* If the host field is being auto-extracted (for instance, if you are using a universal forwarder), you will not need the regex command and can call upon the auto-extracted fieldname of “host”.
sourcetype=linux_secure | rex ".*:\d{2}\s(?<hostname>\S+)" […]
Top 10 most active Users in Linux
The following Splunk query example will return the top 10 most active users in a given time range.
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | top limit=10 User
Count of Unique Users in a Linux Environment
This Splunk query will return the total number of unique users in a given time range.
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats dc(User)
List of Users in a Linux Environment
The following Splunk query will output a list of user accounts appearing in linux_secure audit logs:
sourcetype=linux_secure | rex "\suser[^'](?<User>\S+\w+)" | stats count by User
Removal of USB Storage Device
This query will detect if any USB storage device was removed from a Windows machine (confirmed on Windows 7).
sourcetype=WinRegistry key_path="HKLM\\system\\controlset*\\enum\\usbstor\\*" process_image="c:\\Windows\\System32\\svchost.exe" registry_type=DeleteKey | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S" | stats count by Date, host, Vendor, Product, DeviceType | fields - count | sort - Date
Account Enabled in Windows
The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
Windows Server 2008 and Newer:
sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") | rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename […]
Failed Attempt to Initiate Remote Desktop Session
This Splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
Windows Server 2008 and Newer:
source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, […]
Start a Windows Service
This Splunk query will return results for any Windows Service that has started. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
sourcetype=WinEventLog:Application EventCode=105 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, SourceName, host | sort - Date | fields - count
Shutdown or Suspend a Service in Windows
This Splunk query will return results for any Windows Service that has been stopped. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
sourcetype=WinEventLog:Application EventCode=108 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, SourceName, host | sort - Date | fields - count
Verify Windows Updates have been Applied
The following Splunk query will return results on any Windows Updates (patches) that have been applied by searching for the KB value associated with the EventID.
sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?<KB>.\d+)\W" | stats count by Date, host, KB
Password Non Compliance Windows
The following Splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
Windows 2003 and Older:
sourcetype="WinEventLog:Security" EventCode=627 Type="Failure Audit" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, host […]
Modification to File Permissions in Windows
The following Splunk query works on Windows Server 2008 and newer operating systems. It returns results based on modifications to individual file-level permissions. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
source="WinEventLog:Security" sourcetype="WinEventLog:Security" EventCode=4670 (Security_ID!="NT AUTHORITY*") (Security_ID!="S-*") | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Account_Name, Process_Name, Keywords, host | sort […]
File Deletion Attempts In Windows
The following Splunk queries will return results based on any user account that attempts to delete a file. This will return both successful and failed attempts. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
Windows 2003 and older:
sourcetype="WinEventLog:Security" EventCode=564 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Image_File_Name, Type, host | […]
Windows File Access Attempts
The following Splunk queries will display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
Windows 2003 and older:
sourcetype="WinEventLog:Security" EventCode=560 Object_Type=File | eval Date=strftime(_time, "%Y/%m/%d") | eval UserName=coalesce(Primary_User_Name, Client_User_Name) | search UserName!="*$" AND UserName!="NETWORK SERVICE" | stats count by Date, Image_File_Name, UserName, Type, host | […]
New Service Installation on Windows
The following Splunk query will return results of all new services installed on Windows machines (this works on any Windows OS tested thus far). Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, "%Y/%m/%d") | eval Status=coalesce(Keywords,Type) | stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status
Changes to Windows User Groups by Account
This Splunk query will return changes to any group in a Windows environment. You MUST have the Splunk App for Windows Infrastructure installed, located here: https://apps.splunk.com/app/1680/
Windows Server 2003 and older:
sourcetype=WinEventLog:Security (EventCode=636 OR EventCode=632 OR EventCode=650 OR EventCode=655 OR EventCode=660 OR EventCode=665) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, host, Type […]
Failed Authentication to Non-existing Accounts
This Splunk query will return results for failed logon attempts to accounts that do not exist. This has been tested and confirmed on Windows Server 2008 and newer machines:
source="WinEventLog:security" sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000064 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)" | stats count by Date, uacct, host | rename count as "Attempts" | sort - Attempts