Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host:

The following Splunk query will show a detailed table of failed logon attempts per host and user in 5-minute blocks of time, and will also show a sparkline (mini timechart) within the table itself.

#Admin Notes – This […]


Active Directory Password change attempts

Use the following search to create a stacked barchart of AD Password change attempts:


Find success login after 10 failures with streamstats

If you have the Authentication data model configured, you can use the following search to quickly find successful logins that follow 10 failed attempts.


Compare Successful Internal Vs External Connections

This query will display a bar chart of all successful internal vs. external SSH connections. It is useful for identifying spikes in connectivity coming from within your network remit or from outside it. Simply change the CIDR matches to fit your own LANs.


IIS: Indicators of directory traversal, RFI and LFI

The following shows IoCs for directory traversal, RFI and LFI within IIS logging:


IIS: 401 and 403 errors

Get an overview of 401 and 403 errors; an increase might be an IoC.


IIS: Indicators of XSS and SQLi attacks

The following query shows IoCs for XSS and SQLi. The complete query could not be posted because this site rejects it; the query should also include "OR javascript", followed by ":alert".


Overall CVSS score (tenable)

Tenable uses the CVSS scoring method for detected vulnerabilities. To get an overall CVSS score, use the following query:


Current Vulnerability Summary by Severity (tenable)

With Tenable Security Center connected via the Splunk plugin, this search gives an overview of all vulnerabilities, summarized by severity.

Add the following to your dashboard source to give the pie chart consistent colors: <option name="charting.fieldColors">{"Critical":0x800000,"High":0xFF0000,"Medium":0xFFA500,"Low":0x008000,"Info":0x0000FF}</option>


Monitor File Shares being Accessed in Windows

This Splunk search will show file shares being accessed within Windows environments.


Malware Detection

I'm reposting this query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article; it's a decent read.


Count of Attackers on Juniper Devices

The following is a Splunk search query that indicates potential "attacks" by source IP. Further investigation will be needed to determine whether these are genuine attacks.

Credit given to bbosearch.
