Successful Logons – Windows

• WinEventLog:Security
• SplunkNinja
• 1 0

The following is a Splunk query that will display a timechart for all successful logons to windows:

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*") | timechart span=1h count by host

1 2	source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*") | timechart span=1h count by host

Here’s a detailed table showing similar information with greater detail:

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*") | eval Workstation_Name=lower(Workstation_Name) | eval host=lower(host) | eval hammer=_time | bucket span=12h hammer | stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name | rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host" | convert ctime("12 hour blocks") | sort - "12 hour blocks"

1 2 3 4 5 6 7 8 9

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*") | eval Workstation_Name=lower(Workstation_Name) | eval host=lower(host) | eval hammer=_time | bucket span=12h hammer | stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name | rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host" | convert ctime("12 hour blocks") | sort - "12 hour blocks"

Continue Reading →

Failed Logon Attempts – Windows

• WinEventLog:Security
• SplunkNinja
• 1 0

The following Splunk query will show a timechart of failed logon attempts per host:

source="WinEventLog:security" EventCode=4625 | timechart span=1h count by host

1 2	source="WinEventLog:security" EventCode=4625 | timechart span=1h count by host

The following Splunk query will show a detailed table of failed logon attempts per host and user with 5 minute chunks/blocks of time, as well as show a sparkline (mini timechart) within the table itself.

source="WinEventLog:security" EventCode=4625 | eval Workstation_Name=lower(Workstation_Name) | eval host=lower(host) | eval hammer=_time | bucket span=5m hammer | stats count sparkline by user host, hammer, Workstation_Name | rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host" | convert ctime("5 minute blocks")

1 2 3 4 5 6 7 8

source="WinEventLog:security" EventCode=4625 | eval Workstation_Name=lower(Workstation_Name) | eval host=lower(host) | eval hammer=_time | bucket span=5m hammer | stats count sparkline by user host, hammer, Workstation_Name | rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host" | convert ctime("5 minute blocks")

#Admin Notes – This […]

Continue Reading →

Timechart of the status of an Locked Out Account

• WinEventLog:Security
• Azeemering
• 2 0

This query will show a timechart of the status of an Locked Out Account

sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count

1	sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count

Continue Reading →

Detect Username Guessing Brute Force Attacks

• Monitoring/ WinEventLog:Security
• DaveyBoy
• 14 0

The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 accounts. This first checks for all accounts having an account login failure of 4 or more, it then checks for the quantity of […]

Continue Reading →

Track Remediation Progress by OS – Qualys

• Qualys
• SplunkNinja
• 0 3

The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic

eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

1	eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID

Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

I take no credit for this. These queries were discovered […]

Continue Reading →

Top 25 Most Vulnerable Systems by OS – Qualys

• Qualys
• SplunkNinja
• 0 0

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

1	eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys

• Qualys
• SplunkNinja
• 0 0

The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Network (F5/Cisco/Firewall)

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Windows Desktop

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

Windows Server

eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

1	eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count

I take no credit for this. These queries were discovered on Tarun Kumar’s blog.

Continue Reading →

Monitor for Service Changes in Windows

• WinEventLog:System
• john117
• 6 1

The following splunk search looks for changes in services within Windows.  

sourcetype="WinEventLog:System" EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message

1	sourcetype="WinEventLog:System" EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message

 

Continue Reading →

Monitor File Shares being Accessed in Windows

• WinEventLog:Security
• john117
• 6 0

This splunk search will show file shares being accessed within windows environments.

sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name

1

sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name

Continue Reading →

Pass the Hash Detection

• WinEventLog:Security
• srilankanmonkey
• 3 Comments
• 17 16

index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON"

1	index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON"

Continue Reading →

Failed Attempt to Login to a Disabled Account

• WinEventLog:Security
• SplunkNinja
• 1 Comment
• 11 1

This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).

sourcetype="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as Host Keywords as Status count as Count

1

sourcetype="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as Host Keywords as Status count as Count

Continue Reading →

Qualys Active OS Vuln Count

• Qualys
• CattyWampus
• 2 0

The following Splunk Search (query) is for Qualys and will show vulnerability count for Windows Hosts. This query assumes that your index is defined as qualys.

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-30d@d | dedup HOST_ID, QID | search STATUS!="FIXED" |join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ] | stats count(QID) as #_Vulns by OS | sort -#_Vulns | addcoltotals #_Vulns

1

index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-30d@d | dedup HOST_ID, QID | search STATUS!="FIXED" |join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ] | stats count(QID) as #_Vulns by OS | sort -#_Vulns | addcoltotals #_Vulns

* DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.

Continue Reading →

Failed Versus Successful Logon Attempts

• WinEventLog:Security
• SplunkNinja
• 1 Comment
• 4 3

This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:

source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

1

source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

Continue Reading →

Get list of concurrent users on a specific server

• WinEventLog:Security
• rupya1983
• 1 Comment
• 7 0

  The following Splunk query will return results for concurrent logon sessions (in a Windows Environment) on any given server (or multiple servers) with slight modification. First you must define the time span in which you consider “concurrent” this is defined in the “bucket” section below and the example uses a 30 minute range (widen […]

Continue Reading →

Account Enabled in Windows

• WinEventLog:Security
• SplunkNinja
• 0 0

The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:

sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") |rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename sourceaccount as "Source Account" | rename targetaccount as "Target Account" | sort - Date

1

sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") |rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename sourceaccount as "Source Account" | rename targetaccount as "Target Account" | sort - Date

Windows Server 2003 and Older:

sourcetype=WinEventLog:Security (EventCode=626) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, Type, host | sort - Date

1	sourcetype=WinEventLog:Security (EventCode=626) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, Type, host | sort - Date

 

Continue Reading →

Password Non Compliance Windows

• WinEventLog:Security
• SplunkNinja
• 0 1

The following splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure to have the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older:

sourcetype="WinEventLog:Security" EventCode=627 Type="Failure Audit"| eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, host | sort - Date

1	sourcetype="WinEventLog:Security" EventCode=627 Type="Failure Audit"| eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, host | sort - Date

Windows 2008 and Newer:

sourcetype="WinEventLog:Security" EventCode=4723  Keywords="Audit Failure" | eval Date=strftime(_time, "%Y/%m/%d") | rex "Target\sAccount:\s+Security\sID:.*\\\(?<account>\S+)" | stats count by Date, account, host | sort - Date

1	sourcetype="WinEventLog:Security" EventCode=4723  Keywords="Audit Failure" | eval Date=strftime(_time, "%Y/%m/%d") | rex "Target\sAccount:\s+Security\sID:.*\\\(?<account>\S+)" | stats count by Date, account, host | sort - Date

Continue Reading →

Failed Logins Windows

• WinEventLog:Security
• SplunkNinja
• 2 2

Splunk query for all failed logon attempts within a windows environment.

sourcetype="WinEventLog:Security" ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539")

1	sourcetype="WinEventLog:Security" ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539")

Continue Reading →

List of Source Names and Frequency of Events

• SplunkNinja
• 0 0

The following splunk query will output a list of all SourceNames in a windows environment and include a sparkline to indicate frequency:

eventtype="windows_events" sourcetype="*EventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" | stats sparkline as Activity, count by host | sort -count

1	eventtype="windows_events" sourcetype="*EventLog:*" (host="*" OR ComputerName="*") TaskCategory="*"  SourceName="*" EventCode="*" Type="*"  | stats sparkline as Activity, count by host | sort -count

Continue Reading →

Accounts Deleted via EventID’s that Correspond with Post XP/2003 Operating Systems

• WinEventLog:Security
• Go Splunk
• 1 1

This query will search for accounts deleted via EventID’s that correspond with post XP/2003 operating systems. It will output the admin account, account deleted, details about the action, and the machine that the account deletion took place on.

sourcetype=WinEventLog:Security (EventCode=630) |eval Date=strftime(_time, "%Y/%m/%d")| stats count by User, Target_Account_Name, name, host, index Date | rename User as "Administrator Account" | rename Target_Account_Name as "Account Name Deleted" | rename name as "Detailed Information" |rename host as "Computer the Account was Created on" | rename index as "Index of origin"| sort - Date

1

sourcetype=WinEventLog:Security (EventCode=630) |eval Date=strftime(_time, "%Y/%m/%d")| stats count by User, Target_Account_Name, name, host, index Date | rename User as "Administrator Account" | rename Target_Account_Name as "Account Name Deleted" | rename name as "Detailed Information" |rename host as "Computer the Account was Created on" | rename index as "Index of origin"| sort - Date

The easiest method for field extractions is to Install the app “Splunk app for Windows Infrastructure” […]

Continue Reading →

Password changes in a Windows environment by user account

• WinEventLog:Security
• Go Splunk
• 0 0

Password changes in a Windows environment by user account.

sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user

1	sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user

Continue Reading →