Potential Suspicious Activity in Windows

The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based on this one query!)

1. Drdosia

    I get a similar error with version 6.5.1:
    Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.

    Appears to be in: (eval Short_Message=mvindex(Message,0)

