Successful Windows Logons with Average Overlay

The following Splunk query will display successful windows logins and overlay an average on visualizations.

Continue Reading →

Failed Windows Remote Desktop Connection Attempt

The following splunk query example will return results on any Windows remote desktop connection attempts. This could be a result of a bad password, invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/   Windows Server 2008 and Newer:

Windows Server 2003 and […]

Continue Reading →

Account Enabled in Windows

The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:

Windows Server 2003 and Older:

 

Continue Reading →

Failed Attempt to Initiate Remote Desktop Session

This splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:

Windows Server 2003 and Older:

Continue Reading →

Password Non Compliance Windows

The following splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure to have the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older:

Windows 2008 and Newer:

Continue Reading →

Modification to File Permissions in Windows

The following splunk query works on Windows Sever 2008 and newer operating systems. It returns results based on modifications to individual file level permissions. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/

Continue Reading →

File Deletion Attempts In Windows

The following splunk queries will return results based on any user account who attempts to delete a file. This will return both successful and failed attempts. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older:

Windows 2008 and newer:

 

Continue Reading →

Windows File Access Attempts

The following splunk queries will display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older:

Windows 2008 and newer:

Continue Reading →

New Service Installation on Windows

The following splunk query will return results of all new services installed on windows machines (this works on any windows OS tested thus far). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/

Continue Reading →

Changes to Windows User Groups by Account

This splunk query will return changes to any group in a windows environment. You MUST have the Splunk App for Windows Infrastructure app installed located here: https://apps.splunk.com/app/1680/ Windows Server 2003 and older:

Windows Server 2008 and newer:

Continue Reading →

Accounts Deleted in a Windows Environment

These splunk queries will return deleted accounts in Associated with Windows Environments (NOTE* The 2003 query requires that the splunk for windows app be installed): 2003:

2008:

Continue Reading →

System Time Modifications in Windows

The following queries will return modifications to time in a windows environment. It ignores system and service accounts. Windows 2008 and newer:

Windows 2003 and older:

Continue Reading →

Accounts Disabled

This query will return results for accounts disabled on a windows 2008 or newer operating system for a given time range:

Continue Reading →