File Accesses in a Windows Environment by user sourcetype=”WinEventLog:Security” user=* (EventCode=560 OR EventCode=4656) | chart count by Type
Escalation of Privileges in a Windows Environment by User
Escalation of Privileges in a Windows Environment by user. sourcetype=”WinEventLog:Security” (EventCode=576 OR EventCode=4672 OR EventCode=577 OR EventCode=4673 OR EventCode=578 OR EventCode=4674) | stats count by user
Gauge of Windows Failed Logons
Gauge of Windows Failed Logons. Adjust the gauge to meet your environments needs. sourcetype=”WinEventLog:Security” (“EventCode=4625”) OR (“EventCode=529” OR “EventCode=530” OR “EventCode=531” OR “EventCode=532” OR “EventCode=533” OR “EventCode=534” OR “EventCode=535” OR “EventCode=536” OR “EventCode=537” OR “EventCode=539”) (Logon_Type=*) | stats count(user) as Failed_Logon | gauge Failed_Logon 1 25 50 150
Gauge of Windows Successful Logons
Gauge of Windows Successful Logons. Adjust the gauge to meet your needs. source=”WinEventLog:security” (EventCode=528 OR EventCode=540 OR EventCode=4624) | stats count(user) as Success_Logon | gauge Success_Logon 1 1000
Number of Accounts Created in a Windows Environment
Account Creation Gauge used to indicate number of accounts created in a Windows environment. EventCodes (EventID’s) used are for server 2003/XP and newer. Modify the gauge to fit your environment’s needs. sourcetype=WinEventLog:Security (EventCode=624 OR EventCode=4720) | eval NewAccount=case(EventCode=624, “New Account Created”, EventCode=4720, “New Account Created”) | stats count(NewAccount) as creation | gauge creation 1 5 […]
Search Common EventCodes (EventID’s) for Suspicious Behavior
This query searches many common EventCodes (EventID’s) within a Windows environment for suspicious behavior. The query can take some time to run due to it’s length. Excellent for high-level security insight. source=”wineventlog:security” user!=”DWM-*” user!=”UMFD-*” user!=SYSTEM user!=”LOCAL SERVICE” user!=”NETWORK SERVICE” user!=”*$” user!=”ANONYMOUS LOGON” user!=”IUSR” | eval Trigger=case(EventCode=516, “Audit Logs Modified”,EventCode=517, “Audit Logs Modified”,EventCode=612, “Audit Logs Modified”,EventCode=623, […]
Logon Types within a Windows Environment (with logon count)
This query will identify logon types within a windows environment and list the number of logons associated with each type. source=”WinEventLog:security” | eval LogonType=case(Logon_Type=”2″, “Local Console Access”, Logon_Type=”3″, “Accessing Network Folders or Files”, Logon_Type=”4″, “Scheduled Task, Batch File, or Script”, Logon_Type=”5″, “Service Account”, Logon_Type=”7″, “Local Console Unlock”, Logon_Type=”8″, “Network User Logon”, Logon_Type=”9″, “Program launched with […]
