• Search
  • Dashboards
  • Browse

    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime

    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Dashboard Diagnostics failed logon Firewall IIS internal license License usage Linux linux audit Login Logon malware Nessus Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshooting tstats Universal Forwarder users Vulnerabilities web Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog
  • Search
  • Dashboards
  • Browse

    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime

    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Dashboard Diagnostics failed logon Firewall IIS internal license License usage Linux linux audit Login Logon malware Nessus Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshooting tstats Universal Forwarder users Vulnerabilities web Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog

Tag: Login

Successful Logons – Windows

  • WinEventLog:Security
  • SplunkNinja
  • 2 0

The following is a Splunk query that will display a timechart for all successful logons to windows:

1
2
source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| timechart span=1h count by host

Here’s a detailed table showing similar information with greater detail:

1
2
3
4
5
6
7
8
9
source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| eval hammer=_time
| bucket span=12h hammer
| stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name
| rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("12 hour blocks")
| sort - "12 hour blocks"

Continue Reading →

Failed Attempt to Login to a Disabled Account

  • WinEventLog:Security
  • SplunkNinja
  • 1 Comment
  • 11 2

This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).

1
source="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"

Continue Reading →

Timechart of Linux Logons

  • linux_secure
  • ItsJohnLocke
  • 3 0

The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):

1
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

  The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):

1
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

Continue Reading →

Failed Versus Successful Logon Attempts

  • WinEventLog:Security
  • SplunkNinja
  • 1 Comment
  • 5 5

This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:

1
source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

Continue Reading →

Windows Failed Logons with Average Overlay

  • WinEventLog:Security
  • ItsJohnLocke
  • 7 0

This Splunk search will show any failed login attempt and graphically overlay an average value.  

1
sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as "Failed Logons"

Continue Reading →

Join the live chat on Discord

Members

Newest | Active
  • Profile picture of riparino
    riparino
    active 9 hours, 6 minutes ago
  • Profile picture of Петр
    Петр
    active 15 hours, 40 minutes ago
  • Profile picture of Ефим
    Ефим
    active 19 hours, 40 minutes ago
  • Profile picture of kobi3290
    kobi3290
    active 21 hours, 5 minutes ago
  • Profile picture of Анфим
    Анфим
    active 2 days, 17 hours ago
  • Home
  • Log In
  • Register
  • About GoSplunk
  • GoSplunk FAQs
  • Contact the GoSplunk Team
  • Splunk Website
  • Splunk Documentation
  • Splunk Answers

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk
  • Privacy Policy
  • Terms and Conditions
  • Forgot Password?
sponsored