Failed Windows Remote Desktop Connection Attempt

The following Splunk query example will return results on any failed Windows Remote Desktop connection attempt. A failure could be the result of a bad password, an invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows Server 2008 and newer:

Windows Server 2003 and […]


File Deletion Attempts In Windows

The following Splunk queries will return results for any user account that attempts to delete a file. They return both successful and failed attempts. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows 2003 and older:

Windows 2008 and newer:



Windows File Access Attempts

The following Splunk queries will display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows 2003 and older:

Windows 2008 and newer:


New Service Installation on Windows

The following Splunk query will return results for all new services installed on Windows machines (this works on every Windows OS tested so far). Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/


Accounts Deleted in a Windows Environment

These Splunk queries will return accounts deleted in a Windows environment (note: the 2003 query requires that the Splunk App for Windows be installed).

2003:

2008:


Failed Logon Attempts Per Day Per Host

The following Splunk query will return the number of failed logon attempts per user per host for each day. You will need the following app installed: Splunk Add-on for Microsoft Windows. You can adjust the warning (case) threshold to fit your needs. (This query is for Windows 2008 and newer operating systems.)

[…]


Accounts Disabled

This query will return results for accounts disabled on a Windows 2008 or newer operating system for a given time range:


Accounts Enabled

This query will return results for all accounts enabled in a given time range. It uses the EventCodes for Windows 2008 and newer operating systems:


Time between rights granted and rights revoked

This query outputs a table showing the time difference between rights being granted and rights being revoked. Modify the maxspan value within the transaction command to meet your environment's needs. A regex is used here and is part of the query.

Windows 2008 and newer:

Windows 2003 and before:


Console Lock Duration

The following query works only on Windows 2008 and newer operating systems:


User Logon / Session Duration

The following query will return the duration of a user logon, measured between the initial logon and logoff events. I have a duration filter set to greater than 5 seconds to weed out any scripts that may quickly log on and log off (change this as needed to fit your environment).

Windows 2008 and newer:

Windows […]


Security Access granted to an Account

Like most Windows security logs, there are two formats depending on which version of Windows you are running. The query for Windows 7 / Server 2008 and newer looks like this:

The query for a system running Server 2003 or older looks like this:


System Security Access Removed from Account

The following queries will list security access that was removed from an account in a Windows environment. The queries look different depending on which version of Windows you are running, as both the syntax and the EventIDs changed after 2003.

Windows Server 2008 and newer:

Windows Server 2003 and older:
