Here is a dashboard I built to look at Windows Logon Type 2 & 10 (remote & remote interactive) that will help identify which users access which servers and how many times. Also when you click on a user it will run a 30 day search and a 24 hour search that produces a column […]
User Agent – Browser Details & Information for IIS
This Splunk query will reference a lookup table to return user agent (browser information) within IIS logs. Specifically the output will list browser name and version, crawler, and mobile. It will give a count based on visits not hits (hence the dedup). Depending on the length of time this query can take a very long […]
User Agent – Operating System Info for web traffic
The following Splunk query will return a list of operating systems used within IIS log traffic. It essentially uses a lookup to check the user agent against a known list. *NOTE* The app TA-browscap_express – HTTP User Agent lookup with browscap must be installed. sourcetype=iis |dedup JSESSIONID | eval http_user_agent=urldecode(cs_User_Agent) | lookup browscap_lookup_express http_user_agent OUTPUT ua_platform_description […]
License and Storage Usage Dashboard
This relies on the search posted earlier: This will display storage and license usage broken down by groups, predefined in the chargeback app customers.csv <form> <label>License and Storage Usage</label> <fieldset submitButton="false"> <input type="dropdown" token="grouppicker"> <label>Group</label> <choice value="Group1">Group1</choice> <choice value="Group2">Group2</choice> <choice value="Group3">Group3</choice> <choice value="Group4">Group4</choice> <choice value="Group5">Group5</choice> <choice value="Group6">Group6</choice> <choice value="*">All Groups</choice> <default>*</default> </input> </fieldset> <row> <panel> […]
Splunk Admin Account Activity – Role Modifications
This Splunk query shows when the admin account performed Create or Modify Roles actions: index="_audit" action=edit_roles operation=* | table _time user operation object*
List permissions for Users, roles, allowed indexes and indexes searched by default
Ok that one is a big one so be prepared ;) The following will (on a SH / SH Cluster): list all users and their roles list inherited roles list all indexes allowed by the shown roles list all indexes allowed for inherited roles (one level!) inherited allowed indexes will show the originator (which inherited […]
Dashboard: Splunk Insights – Users & Roles
Quick glance into who's who in the zoo for users, capabilities, roles, and what indexes are searchable. Also calls out users with can_delete capabilities. Mileage may vary, please comment if there are any issues! <dashboard version="1.1"> <label>Splunk Insights – Users and Roles</label> <row> <panel> <title>Number of Roles</title> <single> <title>Click to Expand</title> <search> <query>| rest splunk_server=local […]
Find passwords in User_Name field
This eval for password can be easily used for any field where a user can accidentally type in a password, or even worse both username and password, during login, which generates a failed event. The example below is for a Windows failed login. The eval will match 10 or more characters with 1 uppercase, 1 lowercase, 1 […]
User Activity in DBConnect
The following Splunk query is for the DBConnect app. This will return all user activity using this particular app. I've provided the regex in the search. index=_audit sourcetype=audittrail action="db_connect*" |eval Date=strftime(_time, "%Y/%d/%m") |rex "user=(?<user>\S+)," | stats count by Date, user, info, action
Build License usage by Group
This was cobbled together from multiple searches I found. This search feeds the license and storage dashboard posted here: It relies on the Chargeback app for the customers.csv form. index=_internal source=*license_usage.log type="Usage" earliest=-30d@d latest=@d | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | eval sourcetypename = st | bin _time span=1d | stats values(poolsz) as poolsz […]
date_zone=local is bad
Impact: since there is no timezone, the logs will have the same timezone as the local user. Therefore in another timezone, the logs won’t have the same order. If no TZ is specified, perhaps we could hard code one. |tstats count where index=* date_zone=local by index, sourcetype
Changes to Windows User Groups by Account
This Splunk query will return changes to any group in a Windows environment. You MUST have the Splunk App for Windows Infrastructure installed, located here: https://apps.splunk.com/app/1680/ Windows Server 2003 and older: sourcetype=WinEventLog:Security (EventCode=636 OR EventCode=632 OR EventCode=650 OR EventCode=655 OR EventCode=660 OR EventCode=665) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, host, Type […]
Dashboard and App views by user
This Splunk query / search shows historical access to dashboards and apps on a local Splunk server. index=_internal sourcetype=splunk_web_access host=* user=* | rex field=uri_path ".*/(?<title>[^/]*)$" | join title [| rest /servicesNS/-/-/data/ui/views splunk_server=* | search isDashboard=1 isVisible=1 | rename eai:acl.app as app | fields title app ] | rename title as dashboard | stats count by […]
Internal Splunk User Stats
This simple Splunk query will show us the number of unique Splunk users logged into Splunk per day, as well as the total count of log-ons. index=_audit info=succeeded | timechart span=1d dc(user) as unique_users count(user) as logons_all_users
User Info Dashboard – Using REST
I found this very useful user statistics/information Splunk dashboard on www.function1.com/2016/06/rest-easy-with-the-splunk-rest-api. They have additional Splunk REST queries and examples worth checking out! <dashboard> <label>REST API: access control</label> <row> <panel> <single> <title>You are</title> <searchString>| rest /services/authentication/current-context | where NOT username="splunk-system-user" | fields username</searchString> <earliestTime>0</earliestTime> <latestTime/> <option name="drilldown">none</option> […]
Time between rights granted and rights revoked
This query outputs a table that indicates the time difference between Rights granted and Rights revoked. Modify the maxspan time within the transaction function to meet your environment's needs. Regex is used here, and is part of the query; the named capture groups RightGranted and RightRemoved feed the coalesce. Windows 2008 and newer: sourcetype=WinEventLog:Security (EventCode=4717 OR EventCode=4718) | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)"| rex "Access\sRemoved:\s+Access\sRight:\s+(?<RightRemoved>\w+)"| eval Rights=coalesce(RightGranted,RightRemoved) | […]
Show all successful splunk configuration changes by user
index=_audit action=edit* info=granted operation!=list host= object=* | transaction action user operation host maxspan=30s | stats values(action) as action values(object) as modified_object by _time,operation,user,host | rename user as modified_by | table _time action modified_object modified_by
File Accesses in a Windows Environment by user
File Accesses in a Windows Environment by user. sourcetype="WinEventLog:Security" user=* (EventCode=560 OR EventCode=4656) | chart count by Type
Escalation of Privileges in a Windows Environment by User
Escalation of Privileges in a Windows Environment by user. sourcetype="WinEventLog:Security" (EventCode=576 OR EventCode=4672 OR EventCode=577 OR EventCode=4673 OR EventCode=578 OR EventCode=4674) | stats count by user
Password changes in a Windows environment by user account
Password changes in a Windows environment by user account. sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user