• Search
  • Browse

    • Sourcetype

      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • DBConnect
      • eval
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime

    • Tags

      6.1.2 apache audit audittrail Cisco Diagnostics failed logon Firewall fun stuff Gauge IIS indexes internal License usage Linux linux audit Linux Users Login Logon malware Network network usage Password Perfmon Performance qualys REST Security splunkd splunk on splunk ssh Tenable Tenable Security Center troubleshooting Universal Forwarder Vulnerabilities Vulnerability Web Analytics Web Traffic Windows Windows Audit Windows Security WinEventLog:System _audit _internal
  • Post New Query
  • Fun Stuff - Splunk your ARK: Survival Evolved Server!
  • Search
  • Browse

    • Sourcetype

      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • DBConnect
      • eval
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime

    • Tags

      6.1.2 apache audit audittrail Cisco Diagnostics failed logon Firewall fun stuff Gauge IIS indexes internal License usage Linux linux audit Linux Users Login Logon malware Network network usage Password Perfmon Performance qualys REST Security splunkd splunk on splunk ssh Tenable Tenable Security Center troubleshooting Universal Forwarder Vulnerabilities Vulnerability Web Analytics Web Traffic Windows Windows Audit Windows Security WinEventLog:System _audit _internal
  • Post New Query
  • Fun Stuff - Splunk your ARK: Survival Evolved Server!

Tag: Login

Failed Attempt to Login to a Disabled Account

  • WinEventLog:Security
  • SplunkNinja
  • 10 1

This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).

1
sourcetype="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as Host Keywords as Status count as Count

Continue Reading →

Timechart of Linux Logons

  • linux_secure
  • ItsJohnLocke
  • 2 0

The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):

1
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

  The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):

1
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

Continue Reading →

Failed Versus Successful Logon Attempts

  • WinEventLog:Security
  • SplunkNinja
  • 1 Comment
  • 2 2

This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:

1
source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

Continue Reading →

Windows Failed Logons with Average Overlay

  • WinEventLog:Security
  • ItsJohnLocke
  • 4 0

This Splunk search will show any failed login attempt and graphically overlay an average value.  

1
sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as "Failed Logons"

Continue Reading →

My Account

Register

Newest Queries

  • Search for duplicate events in Splunk May 15, 2018
  • Search for all errors in splunkd May 15, 2018
  • Detect Username Guessing Brute Force Attacks April 26, 2018
  • Compare Successful Internal Vs External Connections April 26, 2018
  • Easter egg that created sample data April 26, 2018

Members

Newest | Active
  • Profile picture of pcbme
    pcbme
    active 2 hours, 20 minutes ago
  • Profile picture of taskmasterpeace
    taskmasterpeace
    active 8 hours, 49 minutes ago
  • Profile picture of piusng
    piusng
    active 12 hours, 23 minutes ago
  • Profile picture of gfurfaro
    gfurfaro
    active 13 hours ago
  • Profile picture of Clicquot
    Clicquot
    active 15 hours, 17 minutes ago
  • Home
  • Log In
  • Register
  • About GoSplunk
  • GoSplunk FAQs
  • Contact the GoSplunk Team
  • Splunk Website
  • Splunk Documentation
  • Splunk Answers
Go Splunk is not affiliated with Splunk Inc. in any way. It was created by a Splunk user who sought after a Splunk Query Repository in which the Splunk Community could use and participate in.
© 2016 Go Splunk
  • Privacy Policy
  • Terms and Conditions
sponsored