New Service Installation on Windows

The following splunk query will return results of all new services installed on windows machines (this works on any windows OS tested thus far). Ensure the Splunk App for Windows is installed grab it here:  sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, “%Y/%m/%d”) | eval Status=coalesce(Keywords,Type) |stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status

Continue Reading →