The following is a Splunk query that will display a timechart for all successful logons to windows: source=”WinEventLog:security” EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN (“DWM-*”, “UMFD-*”) | timechart span=1h count by host Here’s a detailed table showing similar information with greater detail: source=”WinEventLog:security” EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN (“DWM-*”, “UMFD-*”) | eval […]
Failed Attempt to Login to a Disabled Account
This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs). source=”WinEventLog:security” EventCode=4625 (Sub_Status=”0xc0000072″ OR Sub_Status=”0xC0000072″) Security_ID!=”NULL SID” Account_Name!=”*$” | eval Date=strftime(_time, “%Y/%m/%d”)| rex “Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)” | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, facct, host, Keywords | […]
Timechart of Linux Logons
The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided): sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| search session=gdm-password | rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)” | search authstatus=”authentication success” | timechart count(username) The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided): sourcetype=linux_secure |rex “\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s”| […]
Failed Versus Successful Logon Attempts
This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment: source=”WinEventLog:security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, “Successful […]
Windows Failed Logons with Average Overlay
This Splunk search will show any failed login attempt and graphically overlay an average value. sourcetype=”WinEventLog:Security” (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval […]