sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764 OR EventCode=4728 OR EventCode=4729 OR […]
List of Legitimate Account Names in Windows
This Splunk query lists all successful logins by account name for a given time range. It works on a variety of Windows operating systems, including XP, 2003, Vista, 2008, 7, 8, and Server 2012. I've tested some of my queries in Windows 10 in some capacity, and so far they appear […]
Failed Windows Remote Desktop Connection Attempt
The following Splunk query example returns results for any failed Windows Remote Desktop connection attempt. A failure could be the result of a bad password, an invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and newer: source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | […]
Accounts Deleted within 24 Hours of Creation
Unmodified, this Splunk query returns results for every deleted account regardless of how long it existed; it uses an "eval case" expression to decide what is "critical" (such as accounts deleted within a day of being created) and what is merely noteworthy (normal behavior). Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/ […]
File Deletion Attempts In Windows
The following Splunk queries return results for any user account that attempts to delete a file, covering both successful and failed attempts. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older: sourcetype="WinEventLog:Security" EventCode=564 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Image_File_Name, Type, host | […]
Windows File Access Attempts
The following Splunk queries display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older: sourcetype="WinEventLog:Security" EventCode=560 Object_Type=File | eval Date=strftime(_time, "%Y/%m/%d") | eval UserName=coalesce(Primary_User_Name, Client_User_Name) | search UserName!="*$" AND UserName!="NETWORK SERVICE" | stats count by Date, Image_File_Name, UserName, Type, host | […]
New Service Installation on Windows
The following Splunk query returns all new services installed on Windows machines (this works on every Windows OS tested thus far). Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/ sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, "%Y/%m/%d") | eval Status=coalesce(Keywords,Type) | stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status
Accounts Deleted in a Windows Environment
These Splunk queries return deleted accounts in Windows environments (NOTE: the 2003 query requires the Splunk App for Windows to be installed): 2003: sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, Caller_User_Name, Type, host | sort - Date | rename Target_Account_Name as "Deleted Account" | rename Caller_User_Name as […]
Account Modifications in a Windows Environment
The following Splunk queries give you all permission changes for each user. There are four queries.
1. Windows 2008 Permission Increases: sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightGranted, host | sort - Date
2. Windows 2008 Permission Decreases: sourcetype=WinEventLog:Security (EventCode=4718) | eval […]
Failed Authentication to Non-existing Accounts
This Splunk query returns results for failed logon attempts to accounts that do not exist (Sub_Status 0xC0000064). This has been tested and confirmed on Windows Server 2008 and newer machines: source="WinEventLog:security" sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000064 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)" | stats count by Date, uacct, host | rename count as "Attempts" | sort - Attempts
Time between Account Creation and Account Deletion
Below is the query that reports the time (duration) between account creation and account deletion. I have added a range to indicate severity; remove or modify it as needed. Windows 2008 and newer: sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)" | rex "Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)" | rex "New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)" | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith="EventCode=4720" endswith="EventCode=4726" | eval duration=round(duration/60, […]
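As an added Python example (not from the original post), this is the creation-to-deletion correlation behind the "Accounts Deleted within 24 Hours of Creation" and "Time between Account Creation and Account Deletion" entries: it extracts the account name with the same regex shapes the queries use, pairs each 4720 with the next 4726 for that account, and labels the lifetime. The 24-hour critical threshold, the sample events and the SIDs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Regexes with the same shape as the page's rex stanzas: a 4720 body reads
# "New Account: Security ID: <sid> Account Name: <name>", a 4726 body
# "Target Account: Security ID: <sid> Account Name: <name>".
ACCOUNT_RE = {
    4720: re.compile(r"New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?P<acct>\S+)"),
    4726: re.compile(r"Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?P<acct>\S+)"),
}
CRITICAL_MINUTES = 24 * 60  # assumed severity threshold: deleted within a day

def correlate(events, critical_minutes=CRITICAL_MINUTES):
    """Pair each 4720 with the next 4726 for the same account, as
    'transaction SuspectAccount startswith=4720 endswith=4726' does, and
    return (account, lifetime_minutes, severity) for every closed pair.
    events: iterable of (timestamp, event_code, message_body)."""
    created = {}  # account -> creation time of the still-open transaction
    results = []
    for ts, code, msg in sorted(events):
        pattern = ACCOUNT_RE.get(code)
        match = pattern.search(msg) if pattern else None
        if not match:
            continue  # unrelated event code or unparsable body
        acct = match.group("acct")
        if code == 4720:
            created[acct] = ts
        elif acct in created:  # a 4726 with no prior 4720 stays unpaired
            minutes = round((ts - created.pop(acct)).total_seconds() / 60, 2)
            severity = "critical" if minutes < critical_minutes else "noteworthy"
            results.append((acct, minutes, severity))
    return results

def _body(kind, sid, name):
    # Constructed message body laid out like a real 4720/4726 event
    return f"{kind} Account:\n\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{name}\n"

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample; SIDs are placeholders
    (T0, 4720, _body("New", "S-1-5-21-1-2-3-1105", "svc_backup")),
    (T0 + timedelta(hours=3), 4726, _body("Target", "S-1-5-21-1-2-3-1105", "svc_backup")),
    (T0, 4720, _body("New", "S-1-5-21-1-2-3-1106", "jdoe")),
    (T0 + timedelta(days=45, minutes=30), 4726, _body("Target", "S-1-5-21-1-2-3-1106", "jdoe")),
    (T0 + timedelta(days=2), 4726, _body("Target", "S-1-5-21-1-2-3-1107", "orphan")),
]

if __name__ == "__main__":
    for acct, minutes, severity in correlate(SAMPLE_EVENTS):
        print(f"{acct:12} {minutes:>10.2f} min  {severity}")
```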
Accounts Disabled
This query returns results for accounts disabled on a Windows 2008 or newer operating system for a given time range: sourcetype=WinEventLog:Security (EventCode=4725) | stats count by index, user, host, name
Accounts Enabled
This query returns results for all accounts enabled in a given time range. It uses EventCodes for Windows 2008 and newer operating systems: sourcetype=WinEventLog:Security (EventCode=4722) | stats count by index, user, host, name
Time between rights granted and rights revoked
This query outputs a table that shows the time difference between rights granted and rights revoked. Modify the maxspan time within the transaction function to meet your environment's needs. Regex is used here and is part of the query. Windows 2008 and newer: sourcetype=WinEventLog:Security (EventCode=4717 OR EventCode=4718) | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Access\sRemoved:\s+Access\sRight:\s+(?<RightRemoved>\w+)" | eval Rights=coalesce(RightGranted,RightRemoved) | […]
Console Lock Duration
The following query works only on Windows 2008 and newer operating systems: sourcetype=WinEventLog:Security (EventCode=4800 OR EventCode=4801) | eval Date=strftime(_time, "%Y/%m/%d") | transaction host Account_Name startswith="EventCode=4800" endswith="EventCode=4801" | eval duration=duration/60 | eval duration=round(duration,2) | table host, Account_Name, duration, Date | rename duration as "Console Lock Duration in Minutes" | sort - Date
User Logon / Session Duration
The following query returns the duration of a user logon session, measured between the initial logon and logoff events. I have a duration filter set to greater than 5 seconds to weed out any scripts that quickly log on and log off (change this as needed to fit your environment). Windows 2008 and newer: source=WinEventLog:Security (EventCode=4624 […]
Security Access granted to an Account
Like most Windows security logs, there are two formats depending on which version of Windows you are running. The query for Windows 7 / Server 2008 and newer looks like this: sourcetype="WinEventLog:Security" EventCode=4717 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, Access_Right, Date, Keywords | rename src_user as "Source Account" | rename user […]
System Security Access Removed from Account
The following queries list security access that was removed from an account in a Windows environment. The queries look different depending on which version of Windows you are running, as the syntax and the EventIDs changed after 2003. Windows Server 2008 and newer: sourcetype="WinEventLog:Security" EventCode=4718 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, […]
Accounts Deleted via EventIDs that Correspond with Post XP/2003 Operating Systems
This query searches for accounts deleted via EventIDs that correspond with post XP/2003 operating systems. It outputs the admin account, the account deleted, details about the action, and the machine on which the deletion took place. sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by User, Target_Account_Name, name, host, index, Date | rename User […]
Password changes in a Windows environment by user account
This query returns password changes in a Windows environment, counted by user account: sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user