This query lists the total number of hosts reporting to the indexer for any specified time range. It only works for universal forwarders; hosts reporting in over syslog (typically port 514) will not be listed.
index=_internal sourcetype=splunkd | stats dc(hostname) as "Number of Hosts"
Detailed list of Universal Forwarders Reporting to Indexer
The following query lists detailed information on the universal forwarders checking into the indexer. I’ve renamed some of the fields to be more user-friendly.
index=_internal sourcetype=splunkd destPort!="-" | stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder […]
Accounts Disabled
This query will return results for accounts disabled on a Windows 2008 or newer operating system for a given time range:
sourcetype=WinEventLog:Security (EventCode=4725) | stats count by index, user, host, name
Accounts Enabled
This query will return results on all accounts enabled for a given time range. It uses EventCodes for Windows 2008 and newer operating systems:
sourcetype=WinEventLog:Security (EventCode=4722) | stats count by index, user, host, name
Windows Time Change
This query will list all users who initiated a time change. System accounts change the time automatically, so I’ve excluded them from the query output.
Windows 2008 and newer:
sourcetype=WinEventLog:Security EventCode=4616 Account_Name!="*$" Account_Name!="LOCAL SERVICE" | stats count by Account_Name
Windows 2003 and before:
sourcetype=WinEventLog:Security user!="*$" user!="LOCAL SERVICE" EventCode=520 | stats count by user
Time between rights granted and rights revoked
This query outputs a table that indicates the time difference between rights granted and rights revoked. Modify the maxspan time within the transaction function to meet your environment’s needs. Regex is used here, and is part of the query.
Windows 2008 and newer:
sourcetype=WinEventLog:Security (EventCode=4717 OR EventCode=4718) | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Access\sRemoved:\s+Access\sRight:\s+(?<RightRemoved>\w+)" | eval Rights=coalesce(RightGranted,RightRemoved) | […]
Windows Power Off Duration
This query will indicate the time between a computer shutting down and powering back on, as typically seen in restarts and shutdowns. These events would not occur during a hard reset or loss of power.
sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) | transaction host startswith="EventCode=6006" endswith="EventCode=6005" | eval restart_duration=tostring(duration,"duration") | eval Date=strftime(_time, "%Y/%m/%d") | where duration > 480 […]
Splunk User Search Activity
This will return a table of users who conducted searches, the total time it took for searches to complete, a count of said searches, and the last time a search was conducted. *NOTE* You will need to modify "splunk_server=local", specifically the "local" section, to represent your Splunk server.
index=_audit splunk_server=local action=search (id=* OR search_id=*) | […]
List of Login Attempts to Splunk
This will return a list of users who attempted to log in to the Splunk search head. It will list both successful attempts and failed attempts.
index=_audit tag=authentication | stats count by user, info | sort - info
Internal Splunk User Modifications
This query will search the internal audit sourcetype of Splunk and report on any user modification attempts, both successful and failed.
index=_audit sourcetype=audittrail action=edit_user | eval Date=strftime(_time, "%Y/%m/%d") | where user!=object | stats count by user, info, object, Date | rename user as "Authenticated User" | rename info as "Success Status" | rename object as "Modified Account" […]
Console Lock Duration
The following code works only in Windows 2008 and newer operating systems:
sourcetype=WinEventLog:Security (EventCode=4800 OR EventCode=4801) | eval Date=strftime(_time, "%Y/%m/%d") | transaction host Account_Name startswith="EventCode=4800" endswith="EventCode=4801" | eval duration = duration/60 | eval duration=round(duration,2) | table host, Account_Name, duration, Date | rename duration as "Console Lock Duration in Minutes" | sort - Date
User Logon / Session Duration
The following query will return the duration of user logon time between initial logon and logoff events. I have a duration filter set to greater than 5 seconds to weed out any scripts that may quickly log on and log off (change this as needed to fit your environment).
Windows 2008 and newer:
source=WinEventLog:Security (EventCode=4624 […]
System Security Access Removed from Account
The following queries will list security access that was removed from an account in a Windows environment. Queries look different depending on which version of Windows you are running, as the syntax and the Event IDs changed after 2003.
Windows Server 2008 and newer:
sourcetype="WinEventLog:Security" EventCode=4718 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, […]
Security Access granted to an Account
Like most Windows security logs, there are two formats depending on which version of Windows you are running. The query for Windows 7 / Server 2008 and newer looks like this:
sourcetype="WinEventLog:Security" EventCode=4717 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, Access_Right, Date, Keywords | rename src_user as "Source Account" | rename user […]
Average Duration of a Session within an IIS Web Environment
This query will report back the average duration of a session within an IIS web environment. The time format will be HH:MM:SS.
sourcetype="iis" | stats range(_time) as duration by JSESSIONID | stats avg(duration) as AVG | fieldformat AVG=tostring(AVG,"duration") | eval AVG=round(AVG, 0)
Median Duration of a Session within an IIS Web Environment
This query will report back the median duration of a session within an IIS web environment. The time format will be HH:MM:SS.
sourcetype="iis" | stats range(_time) as duration by JSESSIONID | stats median(duration) as AVD | fieldformat AVD=tostring(AVD,"duration") | eval AVD=round(AVD, 0)
Accounts Deleted via EventID’s that Correspond with Post XP/2003 Operating Systems
This query will search for accounts deleted via EventID’s that correspond with post XP/2003 operating systems. It will output the admin account, the account deleted, details about the action, and the machine that the account deletion took place on.
sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by User, Target_Account_Name, name, host, index Date | rename User […]
Password changes in a Windows environment by user account
Password changes in a Windows environment by user account.
sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user
File Accesses in a Windows Environment by user
File accesses in a Windows environment by user.
sourcetype="WinEventLog:Security" user=* (EventCode=560 OR EventCode=4656) | chart count by Type
Escalation of Privileges in a Windows Environment by User
Escalation of privileges in a Windows environment by user.
sourcetype="WinEventLog:Security" (EventCode=576 OR EventCode=4672 OR EventCode=577 OR EventCode=4673 OR EventCode=578 OR EventCode=4674) | stats count by user