Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

New Service Installation on Windows

WinEventLog:Security

Description

Submitted by SplunkNinja

The following splunk query will return results of all new services installed on windows machines (this works on any windows OS tested thus far). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/
2 0 
 sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, "%Y/%m/%d") | eval Status=coalesce(Keywords,Type) |stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom