Gauge of Windows Failed Logons

Gauge of Windows Failed Logons. Adjust the gauge to meet your environments needs. sourcetype=”WinEventLog:Security” (“EventCode=4625”) OR (“EventCode=529” OR “EventCode=530” OR “EventCode=531” OR “EventCode=532” OR “EventCode=533” OR “EventCode=534” OR “EventCode=535” OR “EventCode=536” OR “EventCode=537” OR “EventCode=539”) (Logon_Type=*) | stats count(user) as Failed_Logon | gauge Failed_Logon 1 25 50 150

Continue Reading →

Search Common EventCodes (EventID’s) for Suspicious Behavior

This query searches many common EventCodes (EventID’s) within a Windows environment for suspicious behavior. The query can take some time to run due to it’s length. Excellent for high-level security insight. source=”wineventlog:security” user!=”DWM-*” user!=”UMFD-*” user!=SYSTEM user!=”LOCAL SERVICE” user!=”NETWORK SERVICE” user!=”*$” user!=”ANONYMOUS LOGON” user!=”IUSR” | eval Trigger=case(EventCode=516, “Audit Logs Modified”,EventCode=517, “Audit Logs Modified”,EventCode=612, “Audit Logs Modified”,EventCode=623, […]

Continue Reading →

Logon Types within a Windows Environment (with logon count)

This query will identify logon types within a windows environment and list the number of logons associated with each type. source=”WinEventLog:security” | eval LogonType=case(Logon_Type=”2″, “Local Console Access”, Logon_Type=”3″, “Accessing Network Folders or Files”, Logon_Type=”4″, “Scheduled Task, Batch File, or Script”, Logon_Type=”5″, “Service Account”, Logon_Type=”7″, “Local Console Unlock”, Logon_Type=”8″, “Network User Logon”, Logon_Type=”9″, “Program launched with […]

Continue Reading →