The following splunk query will return results of all new services installed on windows machines (this works on any windows OS tested thus far). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, “%Y/%m/%d”) | eval Status=coalesce(Keywords,Type) |stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status
Changes to Windows User Groups by Account
This splunk query will return changes to any group in a windows environment. You MUST have the Splunk App for Windows Infrastructure app installed located here: https://apps.splunk.com/app/1680/ Windows Server 2003 and older: sourcetype=WinEventLog:Security (EventCode=636 OR EventCode=632 OR EventCode=650 OR EventCode=655 OR EventCode=660 OR EventCode=665) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Caller_User_Name, Target_Account_Name, host, Type […]
Accounts Deleted in a Windows Environment
These splunk queries will return deleted accounts in Associated with Windows Environments (NOTE* The 2003 query requires that the splunk for windows app be installed): 2003: sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Target_Account_Name, Caller_User_Name, Type, host | sort – Date | rename Target_Account_Name as “Deleted Account” | rename Caller_User_Name as […]
Account Modifications in a Windows Environment
The following splunk query will give you all permission changes for each user. There are four queries. 1. Windows 2008 Permission Increases: sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, “%Y/%m/%d”) | rex “Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)” | rex “Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)” | stats count by Date, AccountModified, RightGranted, host | sort – Date 2. Windows 2008 Permission Decreases: sourcetype=WinEventLog:Security (EventCode=4718) | eval […]
Failed Authentication to Non-existing Accounts
This splunk query will return results for failed logon attempts to accounts that do not exist. This has been tested and confirmed on Windows Server 2008 and newer machines: source=”WinEventLog:security” sourcetype=”WinEventLog:Security” EventCode=4625 Sub_Status=0xC0000064 |eval Date=strftime(_time, “%Y/%m/%d”) |rex “Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)” | stats count by Date, uacct, host | rename count as “Attempts” | sort – Attempts
Time between Account Creation and Account Deletion
Below is the query indicating time (duration) between account creation and account deletion. I have added a range to indicate severity, remove and modify as needed. Windows 2008 and newer: sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) |eval Date=strftime(_time, “%Y/%m/%d”) |rex “Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)” | rex “Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)” | rex “New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)” | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith=”EventCode=4720″ endswith=”EventCode=4726″ |eval duration=round(duration/60, […]
Failed Logins Windows
Splunk query for all failed logon attempts within a windows environment. sourcetype=”WinEventLog:Security” (“EventCode=4625”) OR (“EventCode=529” OR “EventCode=530” OR “EventCode=531” OR “EventCode=532” OR “EventCode=533” OR “EventCode=534” OR “EventCode=535” OR “EventCode=536” OR “EventCode=537” OR “EventCode=539”)
Weekend User Activity
Run the following (modify user field as needed) to show weekend activity: sourcetype=”WinEventLog:Security” (date_wday=saturday OR date_wday=sunday) | stats count by Account_Name, date_wday
System Time Modifications in Windows
The following queries will return modifications to time in a windows environment. It ignores system and service accounts. Windows 2008 and newer: source=”WinEventLog:Security” EventCode=4616 (NOT Account_Name=”*$”) (NOT Account_Name=”LOCAL SERVICE”)| eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”)| eval oldtime = strptime(replace(Previous_Time, “\D”, “”), “%Y%m%d%H%M%S%9N”) | eval t=_time | rename t as “eventtime” |eval diff=round(((eventtime-oldtime)/60)/60,2) | where diff!=0| stats count […]
List of Source Names and Frequency of Events
The following splunk query will output a list of all SourceNames in a windows environment and include a sparkline to indicate frequency: eventtype=”windows_events” sourcetype=”*EventLog:*” (host=”*” OR ComputerName=”*”) TaskCategory=”*” SourceName=”*” EventCode=”*” Type=”*” | stats sparkline as Activity, count by host | sort -count
USB and Removable Media Detection
This splunk query will show information about USB mass storage device uses. You must be monitoring the registry using the Windows Technology Add-on (TA). sourcetype=WinRegistry key_path=”HKLM\\system\\controlset*\\enum\\usbstor\\*” registry_type=CreateKey | eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”) | rex “key_path.*usbstor\S(?<DeviceType>.*)&ven\S(?<Vendor>.*)&prod\S(?<Product>\S*)&rev\S” | stats count by Date, host, Vendor, Product, DeviceType | fields – count | sort – Date
Failed Login to OSX
The following splunk query will return results on users who made unsuccessful attempts to login to an OSX machine: sourcetype=osx_secure | rex “authinternal\sfailed\sto\sauthenticate\suser\s(?\S+)” |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by USER, host, Date | sort – count
Successful Login to OSX
The following splunk query (with regex) will return a result of users who have successfully authenticated to an OSX machine: *NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed! sourcetype=osx_secure | rex “authinternal\sauthenticated\suser\s(?<USER>\S+)” |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by USER, host, Date | sort – count
Real Time IIS Web Site Connections
Assuming JSESSIONID is auto-extracted, run the following REAL-TIME search (choose your window, I typically go with 5 minutes): sourcetype=”iis” | stats dc(JSESSIONID)
Network Usage by KB per minute on a Windows Box
The following query will return average network usage per minute by Kilobyte: sourcetype=”Perfmon:Network Interface” | bucket _time span=1m | eval KB=(Value/1024) | stats avg(KB) by _time
Available Disk Space on a Windows Box
This splunk query will return available disk space in Gigabytes. sourcetype=”Perfmon:Free Disk Space” | bucket _time span=1d | eval gigabytes=(Value/1024) | stats avg(gigabytes) by _time
Available Memory in a Windows box
This query will return results based on amount of available memory. I output it to a gauge, you’ll want to modify your gauge to show up red as it approaches zero. sourcetype=”Perfmon:Available Memory” | bucket _time span=1m | eval gigabytes=(((Value/1024)/1024)/1024) | eval GB=round(gigabytes, 2) | gauge GB Alternatively try this. Thanks to kharris! source=”Perfmon:Memory” counter=”Available […]
Average CPU Usage on a Windows box
This query will return the average CPU usage by minute. sourcetype=”Perfmon:CPU Load” | bucket _time span=1m | stats avg(Value) by _time
Microsoft Antimalware Virus Remediation Details
This query will return detailed results on malware/virus remediation. sourcetype=”WinEventLog:System” SourceName=”Microsoft Antimalware” EventCode=1117 |eval Date=strftime(_time, “%Y/%m/%d”)| stats count by host, Category, Name, Severity, Date, Action_Status
Microsoft Antimalware Malware Detection Details
This query will return results if malware is detected, and return detailed information on the Malware detected. sourcetype=”WinEventLog:System” SourceName=”Microsoft Antimalware” EventCode=1116 |eval Date=strftime(_time, “%Y/%m/%d”)| stats count by host, Category, Name, Path, Severity, Date
