Splunk Tutorials: Windows Query
Published 2022-06-27 (last modified 2022-12-23) on devopsschool.com
https://www.devopsschool.com/blog/splunk-tutorials-windows-query/

Common Windows event log sources:

source=wineventlog:application
source=wineventlog:security
source=wineventlog:system

------Windows Query 1----------------
Event Logs | System Logs | Warnings and Errors
This will hit all of the hosts, pull back the event logs and group them by Message. You can change the source to whatever Windows event log you need.

host="*" source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message

------Windows Query 2----------------
This Splunk query will return results for any Windows service that has started.
Condition: ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

sourcetype=WinEventLog:Application EventCode=105 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, SourceName, host | sort - Date | fields - count

------Windows Query 3----------------
This Splunk query will return results for any Windows service that has been stopped.
Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

sourcetype=WinEventLog:Application EventCode=108 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, SourceName, host | sort - Date | fields - count

------Windows Query 4----------------
The following Splunk query will display a timechart of all successful logons to Windows (interactive, unlock, RDP and cached logon types, with the desktop and font driver service accounts excluded):

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| timechart span=1h count by host

------Windows Query 5----------------
The following Splunk query will show a timechart of failed logon attempts per host:

source="WinEventLog:security" EventCode=4625
| timechart span=1h count by host

------Windows Query 6----------------
This query will show a timechart of failed logons against locked-out accounts (failure Status 0xC0000234 is "account locked out"):

sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count

------Windows Query 7----------------
The below will detect a form of brute force which most will miss. Whereas other searches detect multiple failed logins against a single account, they fail to detect 4 failed logins against each of 40 accounts (password spraying).

This first checks for all accounts having 4 or more login failures in a 5 minute bucket, then checks the number of accounts that have failed 4 or more times (5 in the below example). So if someone attempts to log in with 4 or more different passwords unsuccessfully on 5 or more accounts, the alarm will trip.

sourcetype=windows EventCode=4625 OR EventCode=4624
 | bin _time span=5m as minute
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:"
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute
 | where Total>=5

------Windows Query 9----------------
This eval for passwords can easily be used for any field where a user can accidentally type in a password or, even worse, both username and password during login, which generates a failed event with the secret in the account name field. The below example is for Windows failed logins. The eval will match 10 or more characters containing at least 1 uppercase letter, 1 lowercase letter, 1 digit and 1 special character. This search also assumes you have the "User_Name" field being extracted from Windows event logs. Adjust as needed.

source=WinEventLog:Security TaskCategory=Logon Keywords="Audit Failure" | eval password=if(match(User_Name, "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\W])(?=.{10,})"), "Yes", "No") | stats count by password User_Name | search password=Yes

------Windows Query 10----------------
This Splunk search query will indicate any user who attempted to log in to a disabled account (failure Sub_Status 0xC0000072).
(Tested only on Windows 7 / Server 2008 and newer Windows logs.)

source="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d") | rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"

------Windows Query 11----------------
User Logon, Logoff, and Duration

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login
| eval h=floor(session_duration/3600)
| eval m=floor((session_duration-(h*3600))/60)
| eval SessionDuration=h."h ".m."m "
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS session_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user

------Windows Query 11----------------

The following Splunk query will return results for concurrent logon sessions (in a Windows environment) on any given server, or on multiple servers with slight modification.

First you must define the time span within which you consider logons "concurrent"; this is set in the "bucket" command below, and the example uses a 30 minute range (widen or narrow it to fit your needs).
Secondly, this query does NOT define a host; to restrict it to a specific host, insert "host=yourhostname" at the beginning of the query.

sourcetype="WinEventLog:Security" EventCode=4624 (Logon_Type=10 OR Logon_Type=2) | bucket span=30m _time | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "New\sLogon:\s*Security\sID:\s+\S*\s+Account\sName:\s+(?<ACCT>\S+)" | stats count by ACCT, _time, host | where count>1 | sort - count

------Windows Query 12----------------
This Splunk search will show any time the Windows audit logs (Event Viewer logs) have been cleared or deleted (EventCode 1102 on Server 2008 and newer, 517 on Server 2003 and older).

Ensure the Splunk App for Windows is installed; you can grab it here: https://apps.splunk.com/app/742/

source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Client_User_Name, host, index, Date | sort - Date | rename Client_User_Name as "Account Name"

------Windows Query 13----------------
This Splunk query, unmodified, will return results on any account created and later deleted regardless of duration; however, it uses an "eval case" argument to determine what is "critical" (such as accounts deleted within a day of being created) and what is simply noteworthy or normal behavior.

Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows Server 2008 and newer:
sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)" | rex "Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)" | rex "New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)" | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith="EventCode=4720" endswith="EventCode=4726" | eval duration=round(((duration/60)/60)/24, 2) | eval Age=case(duration<=1, "Critical", duration>1 AND duration<=7, "Warning", duration>7, "Normal") | table Date, index, host, SourceAccount, SuspectAccount, duration, Age | rename duration as "Days Account was Active" | sort + "Days Account was Active"

Windows Server 2003 and older:
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=624) | eval Date=strftime(_time, "%Y/%m/%d") | transaction Target_Account_Name startswith="EventCode=624" endswith="EventCode=630" | eval duration=round(((duration/60)/60)/24, 2) | eval Age=case(duration<=1, "Critical", duration>1 AND duration<=7, "Warning", duration>7, "Normal") | table Date, index, host, Caller_User_Name, Target_Account_Name, duration, Age | rename duration as "Days Account was Active" | sort - Date

------Windows Query 14----------------
This Splunk query will return results for failed logon attempts to accounts that do not exist (failure Sub_Status 0xC0000064). This has been tested and confirmed on Windows Server 2008 and newer machines:

source="WinEventLog:security" sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000064 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Which\sLogon\sFailed:\s+Security\sID:\s+\S.*\s+\w+\s\w+\S\s.(?<uacct>\S.*)" | stats count by Date, uacct, host | rename count as "Attempts" | sort - Attempts

------Windows Query 15----------------
Splunk query for all failed logon attempts within a Windows environment (4625 on Server 2008 and newer; 529 to 539 on Server 2003 and older):

sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)

------Windows Query 16----------------
The following query will return the duration of user logon time between initial logon and logoff events. I have a duration filter set to greater than 5 seconds to weed out any scripts that may quickly log on and log off (change this as needed to fit your environment).

Windows 2008 and newer:
source=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10) | eval Date=strftime(_time, "%Y/%m/%d") | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services") | transaction host user startswith="EventCode=4624" endswith="EventCode=4634" | where duration > 5 | eval duration = duration/60 | eval duration=round(duration,2) | table host, user, LogonType, duration, Date | rename duration as "Session Duration in Minutes" | sort - Date

Windows 2003 and before:
source=WinEventLog:Security (EventCode=528 OR EventCode=538) (Logon_Type=2 OR Logon_Type=10) | eval Date=strftime(_time, "%Y/%m/%d") | eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services") | transaction host User startswith="EventCode=528" endswith="EventCode=538" | where duration > 5 | eval duration = duration/60 | eval duration=round(duration,2) | table host, User, LogonType, duration, Date | rename duration as "Session Duration in Minutes" | sort - Date

------Windows Query 17----------------
This query searches many common EventCodes (Event IDs) within a Windows environment for suspicious behavior and buckets them into a Trigger category. The query can take some time to run due to its length. Excellent for high-level security insight. Note that case() returns the first matching branch, so the "Audit Logs Cleared/Deleted" entries for 1102 and 517 are listed before the broader "Audit Logs Modified" set; otherwise they would never be assigned.

source="wineventlog:security" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="LOCAL SERVICE" user!="NETWORK SERVICE" user!="*$" user!="ANONYMOUS LOGON" user!="IUSR"
| eval Trigger=case(
    EventCode=1102, "Audit Logs Cleared/Deleted", EventCode=517, "Audit Logs Cleared/Deleted",
    EventCode=516, "Audit Logs Modified", EventCode=612, "Audit Logs Modified", EventCode=623, "Audit Logs Modified", EventCode=806, "Audit Logs Modified", EventCode=807, "Audit Logs Modified", EventCode=1101, "Audit Logs Modified", EventCode=4612, "Audit Logs Modified", EventCode=4621, "Audit Logs Modified", EventCode=4694, "Audit Logs Modified", EventCode=4695, "Audit Logs Modified", EventCode=4715, "Audit Logs Modified", EventCode=4719, "Audit Logs Modified", EventCode=4817, "Audit Logs Modified", EventCode=4885, "Audit Logs Modified", EventCode=4902, "Audit Logs Modified", EventCode=4906, "Audit Logs Modified", EventCode=4907, "Audit Logs Modified", EventCode=4912, "Audit Logs Modified",
    EventCode=642, "Account Modification", EventCode=646, "Account Modification", EventCode=685, "Account Modification", EventCode=4738, "Account Modification", EventCode=4742, "Account Modification", EventCode=4781, "Account Modification",
    EventCode=628, "Passwords Changed", EventCode=627, "Passwords Changed", EventCode=4723, "Passwords Changed", EventCode=4724, "Passwords Changed",
    EventCode=528, "Successful Logons", EventCode=540, "Successful Logons", EventCode=4624, "Successful Logons",
    EventCode=4625, "Failed Logons", EventCode=529, "Failed Logons", EventCode=530, "Failed Logons", EventCode=531, "Failed Logons", EventCode=532, "Failed Logons", EventCode=533, "Failed Logons", EventCode=534, "Failed Logons", EventCode=535, "Failed Logons", EventCode=536, "Failed Logons", EventCode=537, "Failed Logons", EventCode=539, "Failed Logons",
    EventCode=576, "Escalation of Privileges", EventCode=4672, "Escalation of Privileges", EventCode=577, "Escalation of Privileges", EventCode=4673, "Escalation of Privileges", EventCode=578, "Escalation of Privileges", EventCode=4674, "Escalation of Privileges")
| stats earliest(_time) as Initial_Occurrence latest(_time) as Latest_Occurrence values(user) as Users values(host) as Hosts count sparkline by Trigger
| sort - count
| convert ctime(Initial_Occurrence) ctime(Latest_Occurrence)