This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/ source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Client_User_Name, host, index, Date | sort – Date | rename Client_User_Name as […]
Successful Windows Logons with Average Overlay
The following Splunk query will display successful windows logins and overlay an average on visualizations. source=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as “Successful Logons”
Windows Failed Logons with Average Overlay
This Splunk search will show any failed login attempt and graphically overlay an average value. sourcetype=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval […]
Failed Windows Remote Desktop Connection Attempt
The following splunk query example will return results on any Windows remote desktop connection attempts. This could be a result of a bad password, invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer: source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | […]
Accounts Deleted within 24 Hours of Creation
This splunk query unmodified will return results on any account regardless of duration, however it uses an “eval case” argument to determine what is “critical” (such as accounts deleted within a day of being created) or what is simply note worthy (normal behavior). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ […]
Account Enabled in Windows
The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer: sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, “%Y/%m/%d”) |rex “ID:\s+\w+\\\(?<sourceaccount>\S+)\s+” | rex “Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+” | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename […]
Failed Attempt to Initiate Remote Desktop Session
This splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer: source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, “%Y/%m/%d”) | rex “Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s” | stats count by Date, TargetAccount, […]
Password Non Compliance Windows
The following splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure to have the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older: sourcetype=”WinEventLog:Security” EventCode=627 Type=”Failure Audit”| eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Target_Account_Name, host […]
Modification to File Permissions in Windows
The following splunk query works on Windows Sever 2008 and newer operating systems. It returns results based on modifications to individual file level permissions. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ source=”WinEventLog:Security” sourcetype=”WinEventLog:Security” EventCode=4670 (Security_ID!=”NT AUTHORITY*”) (Security_ID!=”S-*”)| eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Account_Name, Process_Name, Keywords, host | sort […]
File Deletion Attempts In Windows
The following splunk queries will return results based on any user account who attempts to delete a file. This will return both successful and failed attempts. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older: sourcetype=”WinEventLog:Security” EventCode=564 |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Image_File_Name, Type, host | […]
Windows File Access Attempts
The following splunk queries will display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older: sourcetype=”WinEventLog:Security” EventCode=560 Object_Type=File | eval Date=strftime(_time, “%Y/%m/%d”) |eval UserName=coalesce(Primary_User_Name, Client_User_Name)| search UserName!=”*$” AND UserName!=”NETWORK SERVICE”| stats count by Date, Image_File_Name, UserName, Type, host | […]
New Service Installation on Windows
The following splunk query will return results of all new services installed on windows machines (this works on any windows OS tested thus far). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, “%Y/%m/%d”) | eval Status=coalesce(Keywords,Type) |stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status
Changes to Windows User Groups by Account
This splunk query will return changes to any group in a windows environment. You MUST have the Splunk App for Windows Infrastructure app installed located here: https://apps.splunk.com/app/1680/ Windows Server 2003 and older: sourcetype=WinEventLog:Security (EventCode=636 OR EventCode=632 OR EventCode=650 OR EventCode=655 OR EventCode=660 OR EventCode=665) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Caller_User_Name, Target_Account_Name, host, Type […]
Accounts Deleted in a Windows Environment
These splunk queries will return deleted accounts in Associated with Windows Environments (NOTE* The 2003 query requires that the splunk for windows app be installed): 2003: sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Target_Account_Name, Caller_User_Name, Type, host | sort – Date | rename Target_Account_Name as “Deleted Account” | rename Caller_User_Name as […]
Account Modifications in a Windows Environment
The following splunk query will give you all permission changes for each user. There are four queries. 1. Windows 2008 Permission Increases: sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, “%Y/%m/%d”) | rex “Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)” | rex “Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)” | stats count by Date, AccountModified, RightGranted, host | sort – Date 2. Windows 2008 Permission Decreases: sourcetype=WinEventLog:Security (EventCode=4718) | eval […]
Failed Authentication to Non-existing Accounts
This splunk query will return results for failed logon attempts to accounts that do not exist. This has been tested and confirmed on Windows Server 2008 and newer machines: source=”WinEventLog:security” sourcetype=”WinEventLog:Security” EventCode=4625 Sub_Status=0xC0000064 |eval Date=strftime(_time, “%Y/%m/%d”) |rex “Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)” | stats count by Date, uacct, host | rename count as “Attempts” | sort – Attempts
Time between Account Creation and Account Deletion
Below is the query indicating time (duration) between account creation and account deletion. I have added a range to indicate severity, remove and modify as needed. Windows 2008 and newer: sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) |eval Date=strftime(_time, “%Y/%m/%d”) |rex “Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)” | rex “Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)” | rex “New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)” | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith=”EventCode=4720″ endswith=”EventCode=4726″ |eval duration=round(duration/60, […]
Failed Logins Windows
Splunk query for all failed logon attempts within a windows environment. sourcetype=”WinEventLog:Security” (“EventCode=4625”) OR (“EventCode=529” OR “EventCode=530” OR “EventCode=531” OR “EventCode=532” OR “EventCode=533” OR “EventCode=534” OR “EventCode=535” OR “EventCode=536” OR “EventCode=537” OR “EventCode=539”)
Weekend User Activity
Run the following (modify user field as needed) to show weekend activity: sourcetype=”WinEventLog:Security” (date_wday=saturday OR date_wday=sunday) | stats count by Account_Name, date_wday
System Time Modifications in Windows
The following queries will return modifications to time in a windows environment. It ignores system and service accounts. Windows 2008 and newer: source=”WinEventLog:Security” EventCode=4616 (NOT Account_Name=”*$”) (NOT Account_Name=”LOCAL SERVICE”)| eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”)| eval oldtime = strptime(replace(Previous_Time, “\D”, “”), “%Y%m%d%H%M%S%9N”) | eval t=_time | rename t as “eventtime” |eval diff=round(((eventtime-oldtime)/60)/60,2) | where diff!=0| stats count […]
