• Search
  • Browse

    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • datamodels
      • DBConnect
      • eval
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime

    • Tags

      6.1.2 admin apache audit audittrail Diagnostics failed logon Gauge IIS indexes internal license License usage Linux linux audit Linux Users Login Logon malware Network network usage Password Perfmon Permissions qualys REST Security splunk splunkd splunk on splunk Tenable Tenable Security Center Timechart troubleshooting UF Universal Forwarder Vulnerabilities Web Analytics Web Traffic Windows Windows Audit Windows Security WinEventLog:System _audit _internal
  • Post New Query
  • Our Blog
  • Fun Stuff
    • Splunk your ARK: Survival Evolved Server!
  • Support GoSplunk
  • Search
  • Browse

    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • datamodels
      • DBConnect
      • eval
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime

    • Tags

      6.1.2 admin apache audit audittrail Diagnostics failed logon Gauge IIS indexes internal license License usage Linux linux audit Linux Users Login Logon malware Network network usage Password Perfmon Permissions qualys REST Security splunk splunkd splunk on splunk Tenable Tenable Security Center Timechart troubleshooting UF Universal Forwarder Vulnerabilities Web Analytics Web Traffic Windows Windows Audit Windows Security WinEventLog:System _audit _internal
  • Post New Query
  • Our Blog
  • Fun Stuff
    • Splunk your ARK: Survival Evolved Server!
  • Support GoSplunk

Tag: Login

Successful Logons – Windows

  • WinEventLog:Security
  • SplunkNinja
  • 1 0

The following is a Splunk query that will display a timechart for all successful logons to windows:

1
2
source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| timechart span=1h count by host

Here’s a detailed table showing similar information with greater detail:

1
2
3
4
5
6
7
8
9
source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| eval hammer=_time
| bucket span=12h hammer
| stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name
| rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("12 hour blocks")
| sort - "12 hour blocks"

Continue Reading →

Failed Attempt to Login to a Disabled Account

  • WinEventLog:Security
  • SplunkNinja
  • 1 Comment
  • 11 1

This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).

1
sourcetype="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as Host Keywords as Status count as Count

Continue Reading →

Timechart of Linux Logons

  • linux_secure
  • ItsJohnLocke
  • 2 0

The following splunk search will return a timechart of all successful logons for a given linux environment (regex provided):

1
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)

  The following splunk search will return a timechart of all failed logons for a given linux environment(regex provided):

1
sourcetype=linux_secure |rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"| search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)

Continue Reading →

Failed Versus Successful Logon Attempts

  • WinEventLog:Security
  • SplunkNinja
  • 1 Comment
  • 4 3

This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:

1
source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

Continue Reading →

Windows Failed Logons with Average Overlay

  • WinEventLog:Security
  • ItsJohnLocke
  • 4 0

This Splunk search will show any failed login attempt and graphically overlay an average value.  

1
sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as "Failed Logons"

Continue Reading →

Join the live chat on Discord

Members

Newest | Active
  • Profile picture of SplunkNinja
    SplunkNinja
    active 2 hours, 3 minutes ago
  • Profile picture of wangrui
    wangrui
    active 8 hours, 16 minutes ago
  • Profile picture of mayurmpatil3
    mayurmpatil3
    active 9 hours, 37 minutes ago
  • Profile picture of CodyQ
    CodyQ
    active 1 day, 1 hour ago
  • Profile picture of speedwilson
    speedwilson
    active 1 day, 3 hours ago
  • Home
  • Log In
  • Register
  • About GoSplunk
  • GoSplunk FAQs
  • Contact the GoSplunk Team
  • Splunk Website
  • Splunk Documentation
  • Splunk Answers

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2018 GoSplunk
  • Privacy Policy
  • Terms and Conditions
  • Forgot Password?
sponsored