The following Splunk queries return results for failed attempts to change passwords, most likely because users did not meet the password requirements. Be sure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older: sourcetype="WinEventLog:Security" EventCode=627 Type="Failure Audit" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, host […]
Failed Logins Windows
Splunk query for all failed logon attempts within a Windows environment. sourcetype="WinEventLog:Security" ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539")
List of Source Names and Frequency of Events
The following Splunk query outputs a list of all SourceNames in a Windows environment and includes a sparkline to indicate frequency: eventtype="windows_events" sourcetype="*EventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" | stats sparkline as Activity, count by host | sort -count
Accounts Deleted via EventIDs that Correspond with Post XP/2003 Operating Systems
This query searches for accounts deleted via EventIDs that correspond with post XP/2003 operating systems. It outputs the admin account, the account deleted, details about the action, and the machine on which the account deletion took place. sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by User, Target_Account_Name, name, host, index Date | rename User […]
Password changes in a Windows environment by user account
Password changes in a Windows environment by user account. sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user
File Accesses in a Windows Environment by user
File Accesses in a Windows Environment by user. sourcetype="WinEventLog:Security" user=* (EventCode=560 OR EventCode=4656) | chart count by Type
Escalation of Privileges in a Windows Environment by User
Escalation of Privileges in a Windows Environment by user. sourcetype="WinEventLog:Security" (EventCode=576 OR EventCode=4672 OR EventCode=577 OR EventCode=4673 OR EventCode=578 OR EventCode=4674) | stats count by user
Gauge of Windows Failed Logons
Gauge of Windows Failed Logons. Adjust the gauge ranges to meet your environment's needs. sourcetype="WinEventLog:Security" ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") (Logon_Type=*) | stats count(user) as Failed_Logon | gauge Failed_Logon 1 25 50 150
Gauge of Windows Successful Logons
Gauge of Windows Successful Logons. Adjust the gauge ranges to meet your needs. source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) | stats count(user) as Success_Logon | gauge Success_Logon 1 1000
Number of Accounts Created in a Windows Environment
Account Creation Gauge used to indicate the number of accounts created in a Windows environment. The EventCodes (EventIDs) used are for Server 2003/XP and newer. Modify the gauge ranges to fit your environment's needs. sourcetype=WinEventLog:Security (EventCode=624 OR EventCode=4720) | eval NewAccount=case(EventCode=624, "New Account Created", EventCode=4720, "New Account Created") | stats count(NewAccount) as creation | gauge creation 1 5 […]
Search Common EventCodes (EventIDs) for Suspicious Behavior
This query searches many common EventCodes (EventIDs) within a Windows environment for suspicious behavior. The query can take some time to run due to its length. Excellent for high-level security insight. source="wineventlog:security" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$" user!="ANONYMOUS LOGON" user!="IUSR" | eval Trigger=case(EventCode=516, "Audit Logs Modified",EventCode=517, "Audit Logs Modified",EventCode=612, "Audit Logs Modified",EventCode=623, […]
Logon Types within a Windows Environment (with logon count)
This query identifies logon types within a Windows environment and lists the number of logons associated with each type. source="WinEventLog:security" | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="3", "Accessing Network Folders or Files", Logon_Type="4", "Scheduled Task, Batch File, or Script", Logon_Type="5", "Service Account", Logon_Type="7", "Local Console Unlock", Logon_Type="8", "Network User Logon", Logon_Type="9", "Program launched with […]