Total Number of Hosts Reporting In

This query counts the distinct Splunk forwarders (universal or heavy) that checked in to the indexer over the selected time range. It reads the indexer's own _internal logs, so hosts that only send data over syslog (typically port 514) or through any other non-forwarder input never appear in it.

index=_internal sourcetype=splunkd | stats dc(hostname) as "Number of Hosts"

The hostname field here is populated from the indexer's metrics.log tcpin_connections entries, which is why plain syslog senders are invisible; compare the figure against your asset inventory rather than treating it as a complete host count.

Detailed list of Universal Forwarders Reporting to Indexer

The following query lists, per forwarder, the connection details the indexer records for it. Several fields are renamed to be more user-friendly, and the destPort!="-" filter keeps only the entries that record an actual connection port.

index=_internal sourcetype=splunkd destPort!="-" | stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder […]

hostname, sourceHost, destPort and version all come from the tcpin_connections group in metrics.log. Adding fwdType to the by clause (uf for a universal forwarder) separates universal from heavy forwarders, which this query otherwise lists together.

Windows Time Change

This query lists the users who changed the system time. System and service accounts adjust the clock automatically (time synchronisation), so computer accounts (names ending in $) and LOCAL SERVICE are excluded from the output.

Windows 2008 and newer:
sourcetype=WinEventLog:Security EventCode=4616 Account_Name!="*$" Account_Name!="LOCAL SERVICE" | stats count by Account_Name

Windows 2003 and before:
sourcetype=WinEventLog:Security user!="*$" user!="LOCAL SERVICE" EventCode=520 | stats count by user

Event 4616 belongs to the Audit Security State Change subcategory of the system audit policy; if that subcategory is not enabled, the query returns nothing even when the clock is changed.

Time between rights granted and rights revoked

This query outputs a table of the time between a right being granted (event 4717) and the same right being revoked (event 4718). Adjust the maxspan of the transaction command to suit your environment. Regex is part of the query: the two rex commands pull the right name out of either message into RightGranted or RightRemoved, and coalesce merges them into a single Rights field that the transaction can key on.

Windows 2008 and newer:
sourcetype=WinEventLog:Security (EventCode=4717 OR EventCode=4718) | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Access\sRemoved:\s+Access\sRight:\s+(?<RightRemoved>\w+)" | eval Rights=coalesce(RightGranted,RightRemoved) | […]

Windows Power Off Duration

This query measures the time between a computer shutting down and powering back on, as seen in orderly restarts and shutdowns. It pairs event 6006 (the Event Log service was stopped) with the next 6005 (the Event Log service was started) on the same host. A hard reset or loss of power writes no 6006, so those outages are not captured; Windows records them after the fact as event 6008 (the previous system shutdown was unexpected).

sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) | transaction host startswith="EventCode=6006" endswith="EventCode=6005" | eval restart_duration=tostring(duration,"duration") | eval Date=strftime(_time, "%Y/%m/%d") | where duration > 480 […]

Splunk User Search Activity

This returns a table of users who ran searches, the total time their searches took to complete, how many searches each ran, and when the last one was run. NOTE: replace "local" in splunk_server=local with the name of your Splunk server.

index=_audit splunk_server=local action=search (id=* OR search_id=*) | […]

Internal Splunk User Modifications

This query searches Splunk's internal audit trail for user modification attempts, successful and failed. The where user!=object clause drops users editing their own account (for example a password change), leaving only edits made to other accounts.

index=_audit sourcetype=audittrail action=edit_user | eval Date=strftime(_time, "%Y/%m/%d") | where user!=object | stats count by user, info, object, Date | rename user as "Authenticated User" | rename info as "Success Status" | rename object as "Modified Account" […]

Console Lock Duration

The following query works only on Windows 7 / Server 2008 and newer, which log event 4800 (the workstation was locked) and 4801 (the workstation was unlocked):

sourcetype=WinEventLog:Security (EventCode=4800 OR EventCode=4801) | eval Date=strftime(_time, "%Y/%m/%d") | transaction host Account_Name startswith=EventCode=4800 endswith=EventCode=4801 | eval duration=duration/60 | eval duration=round(duration,2) | table host, Account_Name, duration, Date | rename duration as "Console Lock Duration in Minutes" | sort - Date

Field names in SPL are case sensitive, so the final sort must reference Date, the field the eval created, not date. Both events fall under the Audit Other Logon/Logoff Events subcategory, which has to be enabled for them to be written.

User Logon / Session Duration

The following query returns how long each user session lasted, from the initial logon event to the matching logoff. A duration filter of more than 5 seconds weeds out scripts and service accounts that log on and straight back off; change it as needed to fit your environment.

Windows 2008 and newer:
source=WinEventLog:Security (EventCode=4624 […]
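
The duration queries above (rights granted to revoked, power off duration, console lock duration, and this logon/logoff one) all rest on the same transaction pairing: a start event and the next end event for the same key, no more than maxspan apart. What follows is an added example, not code from the original page or from Splunk, that reproduces that pairing in plain Python over constructed sample events so the edge cases can be checked outside Splunk: a boot with no preceding shutdown after a 6008 crash, an end event arriving outside maxspan, and a second start for the same key. Host names, account names, timestamps and the function names are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data), shaped like Splunk's
# WinEventLog:System records after field extraction. Times are UTC.
SAMPLE_SYSTEM_EVENTS = [
    {"_time": "2024-03-01 01:00:00", "host": "srv01", "EventCode": 6006},  # Event Log stopped: shutdown
    {"_time": "2024-03-01 01:12:30", "host": "srv01", "EventCode": 6005},  # Event Log started: boot
    {"_time": "2024-03-01 02:00:00", "host": "srv02", "EventCode": 6006},
    {"_time": "2024-03-01 02:03:00", "host": "srv02", "EventCode": 6005},  # 3 min: under the 480 s filter
    {"_time": "2024-03-01 03:00:00", "host": "srv03", "EventCode": 6008},  # unexpected shutdown: no 6006 written
    {"_time": "2024-03-01 03:05:00", "host": "srv03", "EventCode": 6005},  # boot with no open 6006: not paired
    {"_time": "2024-03-01 04:00:00", "host": "srv04", "EventCode": 6006},
    {"_time": "2024-03-02 04:00:00", "host": "srv04", "EventCode": 6005},  # 24 h later: beyond maxspan
]

# Constructed Security log events (4800 = workstation locked, 4801 = unlocked),
# keyed on host and Account_Name like the Console Lock Duration query.
SAMPLE_SECURITY_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "host": "ws01", "Account_Name": "alice", "EventCode": 4800},
    {"_time": "2024-03-01 09:01:00", "host": "ws01", "Account_Name": "bob", "EventCode": 4800},
    {"_time": "2024-03-01 09:30:00", "host": "ws01", "Account_Name": "alice", "EventCode": 4801},
    {"_time": "2024-03-01 09:46:00", "host": "ws01", "Account_Name": "bob", "EventCode": 4801},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def pair_events(events, keys, start_code, end_code, maxspan):
    """Return one record per (start, end) pair, grouped by the fields in `keys`.

    Approximates the behaviour the queries rely on from
    `transaction <keys> startswith=... endswith=... maxspan=...`:
      * events are walked in time order with one open transaction per key;
      * a new start while one is open replaces it (the earlier start is never closed);
      * an end with no open start (a boot after a 6008 crash) is ignored;
      * an end more than `maxspan` after its start does not close it.
    Unclosed starts are simply dropped here.
    """
    open_starts = {}
    pairs = []
    for ev in sorted(events, key=lambda e: _ts(e["_time"])):
        key = tuple(ev[k] for k in keys)
        t = _ts(ev["_time"])
        if ev["EventCode"] == start_code:
            open_starts[key] = t
        elif ev["EventCode"] == end_code and key in open_starts:
            start = open_starts.pop(key)
            if t - start <= maxspan:
                rec = dict(zip(keys, key))
                rec.update(start=start, end=t, duration=(t - start).total_seconds())
                pairs.append(rec)
    return pairs


def fmt_duration(seconds):
    """Render seconds as HH:MM:SS, like Splunk's tostring(duration, "duration")."""
    s = int(seconds)
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def power_off_report(events, min_seconds=480, maxspan=timedelta(hours=12)):
    """Windows Power Off Duration: 6006 -> 6005 per host, keeping durations > min_seconds."""
    rows = pair_events(events, ("host",), 6006, 6005, maxspan)
    return [
        {"host": r["host"], "restart_duration": fmt_duration(r["duration"]),
         "Date": r["start"].strftime("%Y/%m/%d")}
        for r in rows if r["duration"] > min_seconds
    ]


def console_lock_report(events, maxspan=timedelta(hours=12)):
    """Console Lock Duration: 4800 -> 4801 per host and account, in minutes."""
    rows = pair_events(events, ("host", "Account_Name"), 4800, 4801, maxspan)
    return [
        {"host": r["host"], "Account_Name": r["Account_Name"],
         "Console Lock Duration in Minutes": round(r["duration"] / 60, 2),
         "Date": r["start"].strftime("%Y/%m/%d")}
        for r in rows
    ]


if __name__ == "__main__":
    for row in power_off_report(SAMPLE_SYSTEM_EVENTS):
        print(row)
    for row in console_lock_report(SAMPLE_SECURITY_EVENTS):
        print(row)
```

With the sample data only srv01 survives the power-off report: srv02 restarts too quickly for the 480 second filter, srv03 crashed and so has no 6006 to pair with, and srv04's 6005 arrives outside maxspan. The same pair_events function covers the logon/logoff query once the key is changed to the Logon_ID that the 4624 and 4634 events share. Splunk's transaction reports whether a transaction was actually closed in its closed_txn field; check that field when the Splunk counts differ from what you expect from this pairing logic.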

System Security Access Removed from Account

The following queries list system security access (a logon right) that was removed from an account in a Windows environment. The queries differ by Windows version because both the event IDs and the message format changed after 2003.

Windows Server 2008 and newer:
sourcetype="WinEventLog:Security" EventCode=4718 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, […]

Security Access granted to an Account

Like most Windows security events, this one comes in two formats depending on which version of Windows you are running. For Windows 7 / Server 2008 and newer (event 4717, system security access was granted to an account) the query looks like this:

sourcetype="WinEventLog:Security" EventCode=4717 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, Access_Right, Date, Keywords | rename src_user as "Source Account" | rename user […]

Keywords carries Audit Success or Audit Failure, so the same row layout shows whether the grant actually went through.
