Password changes in a Windows environment by user account. sourcetype=”WinEventLog:Security” (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user
File Accesses in a Windows Environment by user
File Accesses in a Windows Environment by user sourcetype=”WinEventLog:Security” user=* (EventCode=560 OR EventCode=4656) | chart count by Type
Escalation of Privileges in a Windows Environment by User
Escalation of Privileges in a Windows Environment by user. sourcetype=”WinEventLog:Security” (EventCode=576 OR EventCode=4672 OR EventCode=577 OR EventCode=4673 OR EventCode=578 OR EventCode=4674) | stats count by user
Number of Accounts Created in a Windows Environment
Account Creation Gauge used to indicate number of accounts created in a Windows environment. EventCodes (EventID’s) used are for server 2003/XP and newer. Modify the gauge to fit your environment’s needs. sourcetype=WinEventLog:Security (EventCode=624 OR EventCode=4720) | eval NewAccount=case(EventCode=624, “New Account Created”, EventCode=4720, “New Account Created”) | stats count(NewAccount) as creation | gauge creation 1 5 […]
Search Common EventCodes (EventID’s) for Suspicious Behavior
This query searches many common EventCodes (EventID’s) within a Windows environment for suspicious behavior. The query can take some time to run due to it’s length. Excellent for high-level security insight. source=”wineventlog:security” user!=”DWM-*” user!=”UMFD-*” user!=SYSTEM user!=”LOCAL SERVICE” user!=”NETWORK SERVICE” user!=”*$” user!=”ANONYMOUS LOGON” user!=”IUSR” | eval Trigger=case(EventCode=516, “Audit Logs Modified”,EventCode=517, “Audit Logs Modified”,EventCode=612, “Audit Logs Modified”,EventCode=623, […]
Logon Types within a Windows Environment (with logon count)
This query will identify logon types within a windows environment and list the number of logons associated with each type. source=”WinEventLog:security” | eval LogonType=case(Logon_Type=”2″, “Local Console Access”, Logon_Type=”3″, “Accessing Network Folders or Files”, Logon_Type=”4″, “Scheduled Task, Batch File, or Script”, Logon_Type=”5″, “Service Account”, Logon_Type=”7″, “Local Console Unlock”, Logon_Type=”8″, “Network User Logon”, Logon_Type=”9″, “Program launched with […]