This query will show a timechart of the status of an Locked Out Account
|
1 |
sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count |
Detect Username Guessing Brute Force Attacks
The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 accounts. This first checks for all accounts having an account login failure of 4 or more, it then checks for the quantity of […]
Track Remediation Progress by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype track the remediation progress for a variety of operating systems. The queries are separated by Operating System or Device Type: OS & Device Agnostic
|
1 |
eventtype="qualys_vm_detection_event" STATUS ="FIXED" earliest=-30d@d | dedup HOST_ID, QID | stats count by QID |
Linux
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Network (F5/Cisco/Firewall)
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Desktop
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Server
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
I take no credit for this. These queries were discovered […]
Top 25 Most Vulnerable Systems by OS – Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most vulnerable systems. The queries are separated by Operating System or Device Type: Linux
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^((?!\/).)*Linux((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Network (F5/Cisco/Firewall)
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Desktop
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
Windows Server
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 | regex OS="^Windows .*Server((?!\/).)*$" |dedup QID IP| stats count by IP | sort -count | head 25 |
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Top 25 Most Prevailing Vulnerabilities with Patches Available (Multiple OSs)- Qualys
The following Splunk Search Queries within the Qualys Sourcetype list the top 25 most prevailing vulnerabilities that have patches available. The queries are separated by Operating System or Device Type: Linux
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^((?!\/).)*Linux((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
Network (F5/Cisco/Firewall)
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="(F5 Networks Big-IP)|(^Cisco((?!\/).)*$)|(Firewall)" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
Windows Desktop
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows (2000$|XP|7|8)((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
Windows Server
|
1 |
eventtype=qualys_vm_detection_event SEVERITY > 3 STATUS="ACTIVE" | regex OS="^Windows .*Server((?!\/).)*$" | dedup HOST_ID QID | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY VENDOR_REFERENCE | stats count by QID, TITLE, SEVERITY | sort 25 –count |
I take no credit for this. These queries were discovered on Tarun Kumar’s blog.
Monitor for Service Changes in Windows
The following splunk search looks for changes in services within Windows.
|
1 |
sourcetype="WinEventLog:System" EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message |
Monitor File Shares being Accessed in Windows
This splunk search will show file shares being accessed within windows environments.
|
1 |
sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name |
Pass the Hash Detection
|
1 |
index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAINÂ NOT Account_Name="ANONYMOUS LOGON" |
Failed Attempt to Login to a Disabled Account
This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).
|
1 |
sourcetype="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as Host Keywords as Status count as Count |
Qualys Active OS Vuln Count
The following Splunk Search (query) is for Qualys and will show vulnerability count for Windows Hosts. This query assumes that your index is defined as qualys.
|
1 |
index=qualys HOSTVULN SEVERITY=3 OR 4 OR 5 TYPE="CONFIRMED" earliest=-30d@d | dedup HOST_ID, QID | search STATUS!="FIXED" |join QID [search index=qualys QID_INFO PATCHABLE=1] | join HOST_ID [search index=qualys HOSTSUMMARY: OS="Windows*" NOT "Windows Server*" | where cidrmatch("10.128.0.0/9", IP) ] | stats count(QID) as #_Vulns by OS | sort -#_Vulns | addcoltotals #_Vulns |
* DISCLOSURE* – I did not create this query. That credit goes to Jeff Leggett.
Failed Versus Successful Logon Attempts
This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:
|
1 |
source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count |
Get list of concurrent users on a specific server
The following Splunk query will return results for concurrent logon sessions (in a Windows Environment) on any given server (or multiple servers) with slight modification. First you must define the time span in which you consider “concurrent” this is defined in the “bucket” section below and the example uses a 30 minute range (widen […]
Account Enabled in Windows
The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:
|
1 |
sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") |rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename sourceaccount as "Source Account" | rename targetaccount as "Target Account" | sort - Date |
Windows Server 2003 and Older:
|
1 |
sourcetype=WinEventLog:Security (EventCode=626) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, Type, host | sort - Date |
Password Non Compliance Windows
The following splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure to have the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older:
|
1 |
sourcetype="WinEventLog:Security" EventCode=627 Type="Failure Audit"| eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Target_Account_Name, host | sort - Date |
Windows 2008 and Newer:
|
1 |
sourcetype="WinEventLog:Security" EventCode=4723 Â Keywords="Audit Failure" | eval Date=strftime(_time, "%Y/%m/%d") | rex "Target\sAccount:\s+Security\sID:.*\\\(?<account>\S+)" | stats count by Date, account, host | sort - Date |
Successful Logins Windows
Splunk query for all successful logons to windows:
|
1 |
source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) |
Failed Logins Windows
Splunk query for all failed logon attempts within a windows environment.
|
1 |
sourcetype="WinEventLog:Security" ("EventCode=4625") OR ("EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") |
List of Source Names and Frequency of Events
The following splunk query will output a list of all SourceNames in a windows environment and include a sparkline to indicate frequency:
|
1 |
eventtype="windows_events" sourcetype="*EventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" | stats sparkline as Activity, count by host | sort -count |
Accounts Deleted via EventID’s that Correspond with Post XP/2003 Operating Systems
This query will search for accounts deleted via EventID’s that correspond with post XP/2003 operating systems. It will output the admin account, account deleted, details about the action, and the machine that the account deletion took place on.
|
1 |
sourcetype=WinEventLog:Security (EventCode=630) |eval Date=strftime(_time, "%Y/%m/%d")| stats count by User, Target_Account_Name, name, host, index Date | rename User as "Administrator Account" | rename Target_Account_Name as "Account Name Deleted" | rename name as "Detailed Information" |rename host as "Computer the Account was Created on" | rename index as "Index of origin"| sort - Date |
The easiest method for field extractions is to Install the app “Splunk app for Windows Infrastructure” […]
Password changes in a Windows environment by user account
Password changes in a Windows environment by user account.
|
1 |
sourcetype="WinEventLog:Security" (EventCode=628 OR EventCode=627 OR EventCode=4723 OR EventCode=4724) | chart count by user |
File Accesses in a Windows Environment by user
File Accesses in a Windows Environment by user
|
1 |
sourcetype="WinEventLog:Security" user=* (EventCode=560 OR EventCode=4656) | chart count by Type |
