Potential Suspicious Activity in Windows

The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based off this one query!)
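The Splunk search itself is not reproduced on the page, so as an added illustration (not the post's query, and not in SPL) here is the same idea in Python: collect Windows process-creation events over a long window, count on how many hosts each process path appears, and surface the ones seen on only one or two hosts. The event fields (host, account, new process, parent process) follow the shape of Security event 4688; the events, hosts, paths and the `CORP\scansvc` allowlist are constructed for the example, and the allowlist stands in for the "sanctioned security scan" case the post warns about.

```python
"""Rarity-based triage of Windows process-creation events (added example).

Not the blog post's Splunk search. Assumes 4688-style fields and uses
constructed sample events; the allowlist shows how a sanctioned scanner
account is kept out of the result rather than flagged.
"""
from collections import defaultdict

# Constructed sample events modelled on Windows Security event 4688 fields.
# Hosts, accounts and paths are made up for the example.
SAMPLE_EVENTS = [
    {"host": "DC01", "account": "SYSTEM",
     "new_process": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "DC02", "account": "SYSTEM",
     "new_process": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "DC01", "account": "CORP\\scansvc",
     "new_process": r"C:\Program Files\VulnScanner\agent.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "DC02", "account": "CORP\\scansvc",
     "new_process": r"C:\Program Files\VulnScanner\agent.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "DC03", "account": "CORP\\jsmith",
     "new_process": r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "DC01", "account": "CORP\\jsmith",
     "new_process": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Constructed allowlist: the service account a sanctioned scanner runs under.
SANCTIONED_SCANNER_ACCOUNTS = frozenset({"CORP\\scansvc"})


def process_host_counts(events):
    """Map each (lower-cased) process path to the set of hosts it ran on."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["new_process"].lower()].add(e["host"])
    return hosts


def rare_processes(events, max_hosts=1, allowlist_accounts=frozenset()):
    """Return process paths seen on at most `max_hosts` distinct hosts.

    Events from allowlisted accounts are dropped first, so a scanner that
    touches every host does not pollute the host counts of other processes
    and is not itself reported.
    """
    kept = [e for e in events if e["account"] not in allowlist_accounts]
    hosts = process_host_counts(kept)
    return sorted(p for p, h in hosts.items() if len(h) <= max_hosts)


def summarize(events, allowlist_accounts=frozenset()):
    """Per-process (host_count, event_count) table for tuning thresholds."""
    kept = [e for e in events if e["account"] not in allowlist_accounts]
    hosts = process_host_counts(kept)
    totals = defaultdict(int)
    for e in kept:
        totals[e["new_process"].lower()] += 1
    return {p: (len(h), totals[p]) for p, h in hosts.items()}


if __name__ == "__main__":
    for path in rare_processes(SAMPLE_EVENTS, max_hosts=1,
                               allowlist_accounts=SANCTIONED_SCANNER_ACCOUNTS):
        print("rare:", path)
    for path, (nhosts, nevents) in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{nhosts:>3} hosts {nevents:>4} events  {path}")
```

Raising `max_hosts` or lengthening the window is the "tweaking" a commenter below mentions: on a handful of domain controllers nearly everything is rare, so the summary table is there to pick a threshold from real counts rather than guessing.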

  1. Drdosia

    I get a similar error with version 6.5.1:
    Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.

    Appears to be in: (eval Short_Message=mvindex(Message,0)

  2. john117

    Try it without the Evals. Sorry haven’t touched this in a while (and clearly haven’t commented on this!). I’m no longer working in an environment that uses this query.

  3. Rafal Stanilewicz

    In my environment, where I get the logs only from 10 DCs, I get thousands of such events per day. Such a query requires a lot of tweaking, to be useful (and good knowledge of the processes that are running on your servers).
