
Splunk Queries

I found a great little site (thanks to the Splunk sub-Reddit) over at http://gosplunk.com. As a mostly Windows shop running Splunk for log management, there are some real gems in there. I restructured my Dashboard using some of the queries I found there.

Event IDs for Suspicious Behaviour

This can take a while to run if you have a large dataset, but it provides a look into a few different categories of Event IDs that I had previously overlooked. Note that case() returns the label of the first clause that matches, so each Event ID should appear in only one category or the later category will never fire.

source=WinEventLog:security User!=SYSTEM User!="LOCAL SERVICE" User!="NETWORK SERVICE"
| eval Trigger=case(
    EventCode=516, "Audit Logs Modified", EventCode=612, "Audit Logs Modified", EventCode=623, "Audit Logs Modified", EventCode=806, "Audit Logs Modified", EventCode=807, "Audit Logs Modified", EventCode=1101, "Audit Logs Modified",
    EventCode=4612, "Audit Logs Modified", EventCode=4621, "Audit Logs Modified", EventCode=4694, "Audit Logs Modified", EventCode=4695, "Audit Logs Modified", EventCode=4715, "Audit Logs Modified", EventCode=4719, "Audit Logs Modified",
    EventCode=4817, "Audit Logs Modified", EventCode=4885, "Audit Logs Modified", EventCode=4902, "Audit Logs Modified", EventCode=4906, "Audit Logs Modified", EventCode=4907, "Audit Logs Modified", EventCode=4912, "Audit Logs Modified",
    EventCode=642, "Account Modification", EventCode=646, "Account Modification", EventCode=685, "Account Modification", EventCode=4738, "Account Modification", EventCode=4742, "Account Modification", EventCode=4781, "Account Modification",
    EventCode=517, "Audit Logs Cleared/Deleted", EventCode=1102, "Audit Logs Cleared/Deleted",
    EventCode=627, "Passwords Changed", EventCode=628, "Passwords Changed", EventCode=4723, "Passwords Changed", EventCode=4724, "Passwords Changed",
    EventCode=528, "Successful Logons", EventCode=540, "Successful Logons", EventCode=4624, "Successful Logons",
    EventCode=529, "Failed Logons", EventCode=530, "Failed Logons", EventCode=531, "Failed Logons", EventCode=532, "Failed Logons", EventCode=533, "Failed Logons", EventCode=534, "Failed Logons", EventCode=535, "Failed Logons", EventCode=536, "Failed Logons", EventCode=537, "Failed Logons", EventCode=539, "Failed Logons", EventCode=4625, "Failed Logons",
    EventCode=576, "Escalation of Privileges", EventCode=577, "Escalation of Privileges", EventCode=578, "Escalation of Privileges", EventCode=4672, "Escalation of Privileges", EventCode=4673, "Escalation of Privileges", EventCode=4674, "Escalation of Privileges")
| stats count by Trigger
| sort - count

Windows Environment Logon Count is a great one that shows a stacked graph of network access to files/folders, Service Accounts, Local Console Access, Scheduled Tasks/Batch Files, Network Logins, and RDP Logins.

source="WinEventLog:security"
| eval LogonType=case(
    Logon_Type="2", "Local Console Access",
    Logon_Type="3", "Accessing Network Folders or Files",
    Logon_Type="4", "Scheduled Task, Batch File, or Script",
    Logon_Type="5", "Service Account",
    Logon_Type="7", "Local Console Unlock",
    Logon_Type="8", "Network User Logon",
    Logon_Type="9", "Program launched with RunAs using /netonly switch",
    Logon_Type="10", "Remote Desktop via Terminal Services",
    Logon_Type="11", "Mobile Access or Network Domain Connection Resumed")
| top limit=15 LogonType
| eval percent = round(percent,2) . " %"
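To see what the two queries above do to a handful of events without a Splunk instance, here is an added Python stand-in. It is my example, not code from this post or from gosplunk: it parses constructed key=value security events, applies the same first-match rule that SPL's case() uses, and builds the "stats count by" and "top" tables. The sample events, the function names and the way the rules are stored are assumptions of the example; the categories, Event IDs and logon-type labels follow the two queries.

```python
"""Offline emulation of the two WinEventLog:security dashboard queries."""
from collections import Counter
import re

# Constructed sample events (not real logs). Each line carries the fields
# the WinEventLog:security sourcetype exposes, in key=value form.
SAMPLE_EVENTS = """\
EventCode=4624 Logon_Type=3 User=alice
EventCode=4624 Logon_Type=10 User=bob
EventCode=4625 Logon_Type=3 User=bob
EventCode=4625 Logon_Type=3 User=bob
EventCode=4672 Logon_Type=2 User=alice
EventCode=1102 Logon_Type=2 User=carol
EventCode=4738 Logon_Type=2 User=carol
EventCode=4624 Logon_Type=5 User=SYSTEM
EventCode=4624 Logon_Type=4 User="NETWORK SERVICE"
"""

# Service identities excluded by the query's User!=... filters.
EXCLUDED_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Ordered like the case() clauses: the FIRST matching rule wins, so a code
# listed in two categories only ever gets the first label. 517 and 1102
# (the log-cleared events) are therefore kept under Cleared/Deleted only.
TRIGGER_RULES = [
    ({516, 612, 623, 806, 807, 1101, 4612, 4621, 4694, 4695, 4715, 4719,
      4817, 4885, 4902, 4906, 4907, 4912}, "Audit Logs Modified"),
    ({642, 646, 685, 4738, 4742, 4781}, "Account Modification"),
    ({517, 1102}, "Audit Logs Cleared/Deleted"),
    ({627, 628, 4723, 4724}, "Passwords Changed"),
    ({528, 540, 4624}, "Successful Logons"),
    ({529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625}, "Failed Logons"),
    ({576, 577, 578, 4672, 4673, 4674}, "Escalation of Privileges"),
]

# Logon_Type labels exactly as the second query names them.
LOGON_TYPES = {
    "2": "Local Console Access",
    "3": "Accessing Network Folders or Files",
    "4": "Scheduled Task, Batch File, or Script",
    "5": "Service Account",
    "7": "Local Console Unlock",
    "8": "Network User Logon",
    "9": "Program launched with RunAs using /netonly switch",
    "10": "Remote Desktop via Terminal Services",
    "11": "Mobile Access or Network Domain Connection Resumed",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn key=value lines into dicts; quoted values keep their spaces."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def classify(event_code, rules=TRIGGER_RULES):
    """Emulate SPL case(): label of the first rule that matches, else None."""
    for codes, label in rules:
        if event_code in codes:
            return label
    return None  # case() without a default yields null; stats drops it


def suspicious_triggers(text):
    """stats count by Trigger | sort - count, as (label, count) pairs."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("User") in EXCLUDED_USERS:
            continue
        label = classify(int(ev["EventCode"]))
        if label is not None:
            counts[label] += 1
    return counts.most_common()


def logon_type_breakdown(text):
    """top limit=15 LogonType: (label, count, percent rounded to 2 places)."""
    counts = Counter()
    for ev in parse_events(text):
        label = LOGON_TYPES.get(ev.get("Logon_Type"))
        if label is not None:
            counts[label] += 1
    total = sum(counts.values())
    return [(label, n, round(100.0 * n / total, 2))
            for label, n in counts.most_common(15)]


if __name__ == "__main__":
    for row in suspicious_triggers(SAMPLE_EVENTS):
        print("Trigger:", row)
    for row in logon_type_breakdown(SAMPLE_EVENTS):
        print("LogonType:", row)
```

Note that the logon-type query has no User filter, so the SYSTEM and NETWORK SERVICE events still show up there while the trigger query drops them; that is why the two tables in the dashboard are not built from the same set of events.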

One of my favorite queries lists a table of geographical locations for the IP addresses pulled from IIS access logs, in particular for Exchange OWA and Outlook Anywhere.

host="email.mydomain.com" sourcetype=iis NOT cs_method=POST | iplocation c_ip | stats count by City | sort count desc

I have 3 instances of this query on my dashboard, one each to show a different table for country, state, and city for our OWA users. This pulls IIS logs from the Exchange server, filters out the "POST" entries and uses 'iplocation' to show what geographical location the GET requests for OWA and Outlook Anywhere are coming from. It puts all of this in a table sorted by count, which makes it easy to see if we're taking any hits from locations on the other side of the country or planet.
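As an added example (not part of the original post), the following Python script does offline what the OWA query does in Splunk: it parses a constructed IIS W3C log excerpt using its #Fields header, skips the POST entries, geolocates each client address with a constructed prefix table that stands in for the MaxMind data behind iplocation, and counts by City, Region or Country. The log lines, the prefix table, and the function names are assumptions of this example.

```python
"""Offline emulation of: NOT cs_method=POST | iplocation c_ip | stats count by City"""
import ipaddress
from collections import Counter

# Constructed IIS W3C extended log excerpt (not a real capture). The
# #Fields: header names the columns, as IIS writes it.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2015-10-01 08:00:01 10.0.0.5 GET /owa/ 203.0.113.10 200
2015-10-01 08:00:02 10.0.0.5 POST /owa/auth.owa 203.0.113.10 302
2015-10-01 08:00:05 10.0.0.5 GET /rpc/rpcproxy.dll 198.51.100.7 200
2015-10-01 08:00:09 10.0.0.5 GET /owa/ 203.0.113.44 200
2015-10-01 08:01:13 10.0.0.5 GET /owa/ 192.0.2.9 401
2015-10-01 08:01:20 10.0.0.5 GET /owa/ 10.0.0.77 200
"""

# Constructed stand-in for the iplocation lookup: prefix -> location fields.
# The real command consults a bundled MaxMind database; this table is fake
# and uses documentation address ranges only.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"),
     {"Country": "Example Land", "Region": "North", "City": "Springfield"}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"Country": "Example Land", "Region": "South", "City": "Shelbyville"}),
    (ipaddress.ip_network("192.0.2.0/24"),
     {"Country": "Far Away", "Region": "Coast", "City": "Port Nowhere"}),
]

# RFC 1918 space: internal clients that no geolocation database can place.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_w3c(text):
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def iplocation(ip):
    """Lookup like `iplocation c_ip`: None for private or unknown addresses."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return None
    for net, loc in GEO_TABLE:
        if addr in net:
            return loc
    return None


def owa_requests_by(field, text=SAMPLE_IIS_LOG):
    """stats count by <field> | sort count desc, over non-POST requests."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("cs-method") == "POST":
            continue
        loc = iplocation(row["c-ip"])
        if loc is None:
            continue  # stats by City drops events with no City, as Splunk does
        counts[loc[field]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for field in ("Country", "Region", "City"):
        print(field, owa_requests_by(field))
```

The same function, called three times with a different field, gives the three dashboard tables the post describes. The internal 10.0.0.77 client silently disappears from the table, which is exactly what happens in Splunk when iplocation cannot resolve an address: events with no City are excluded by `stats count by City`, so a table that looks clean is not proof that nothing internal hit OWA.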

Splunk can be expensive, though a little less so since they introduced Splunk Light; however, the alerting and reports that it enables are well worth it in my opinion. Version 6.3 was recently released, and it brings quite a few new features!