Windows security daily domain activities

sourcetype=WinEventLog:Security src_nt_domain!=”NT AUTHORITY” EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764 OR EventCode=4728 OR EventCode=4729 OR […]

Continue Reading →

Failed Windows Remote Desktop Connection Attempt

The following splunk query example will return results on any Windows remote desktop connection attempts. This could be a result of a bad password, invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/   Windows Server 2008 and Newer: source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | […]

Continue Reading →

File Deletion Attempts In Windows

The following splunk queries will return results based on any user account who attempts to delete a file. This will return both successful and failed attempts. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older: sourcetype=”WinEventLog:Security” EventCode=564 |eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Image_File_Name, Type, host | […]

Continue Reading →

Windows File Access Attempts

The following splunk queries will display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older: sourcetype=”WinEventLog:Security” EventCode=560 Object_Type=File | eval Date=strftime(_time, “%Y/%m/%d”) |eval UserName=coalesce(Primary_User_Name, Client_User_Name)| search UserName!=”*$” AND UserName!=”NETWORK SERVICE”| stats count by Date, Image_File_Name, UserName, Type, host | […]

Continue Reading →

New Service Installation on Windows

The following splunk query will return results of all new services installed on windows machines (this works on any windows OS tested thus far). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/  sourcetype=WinEventLog:Security (EventCode=4697 OR EventCode=601) | eval Date=strftime(_time, “%Y/%m/%d”) | eval Status=coalesce(Keywords,Type) |stats count by Date, Service_Name, Service_File_Name, Service_Account, host, Status

Continue Reading →

Accounts Deleted in a Windows Environment

These splunk queries will return deleted accounts in Associated with Windows Environments (NOTE* The 2003 query requires that the splunk for windows app be installed): 2003: sourcetype=WinEventLog:Security (EventCode=630) | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Target_Account_Name, Caller_User_Name, Type, host | sort – Date | rename Target_Account_Name as “Deleted Account” | rename Caller_User_Name as […]

Continue Reading →

Time between rights granted and rights revoked

This query outputs a table that indicates the time difference between Rights granted and Rights revoked. Modify the maxspan time within the transaction function to meet your environments needs. Regex is used here, and is part of the query. Windows 2008 and newer: sourcetype=WinEventLog:Security (EventCode=4717 OR EventCode=4718) | rex “Access\sGranted:\s+Access\sRight:\s+(?\w+)”| rex “Access\sRemoved:\s+Access\sRight:\s+(?\w+)”| eval Rights=coalesce(RightGranted,RightRemoved) | […]

Continue Reading →

Console Lock Duration

The following code works only in windows 2008 and newer operating systems: sourcetype=WinEventLog:Security (EventCode=4800 OR EventCode=4801) | eval Date=strftime(_time, “%Y/%m/%d”) | transaction host Account_Name startswith=EventCode=4800 endswith=EventCode=4801 | eval duration = duration/60 | eval duration=round(duration,2)| table host, Account_Name, duration, Date |rename duration as “Console Lock Duration in Minutes” | sort – date

Continue Reading →

User Logon / Session Duration

The following query will return the duration of user logon time between initial logon and logoff events. I have a duration filter set to greater than 5 seconds to weed out any scripts that may quickly log on and log off (change this as needed to fit your environment). Windows 2008 and newer: source=WinEventLog:Security (EventCode=4624 […]

Continue Reading →

Security Access granted to an Account

Like most windows security logs there are two formats depending on which version of windows you are running. The query for a Windows 7 / Server 2008 and newer looks like this: sourcetype=”WinEventLog:Security” EventCode=4717 | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by src_user, user, Access_Right, Date, Keywords |rename src_user as “Source Account” | rename user […]

Continue Reading →

System Security Access Removed from Account

The following queries will list security access that was removed from an account in a Windows environment. Queries look different depending on which version of Windows you are running as the syntax and the EventID’s changed after 2003. Windows Server 2008 and newer: sourcetype=”WinEventLog:Security” EventCode=4718 | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by src_user, user, […]

Continue Reading →