MISC.md

File metadata and controls

510 lines (464 loc) · 23.2 KB
Linux

SSH Logins

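index=linux ("Accepted Publickey" OR "session opened" OR "Accepted password") src!="PAM_IP_ADDR" src!="" user!=""
| table _time, user, src, dest, src_port, sshd_protocol, action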

SSH Logins (Syslog - SC4S)

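index=osnix source="program:sshd" ("Accepted Publickey" OR "session opened") _raw!="*PAM_IP_ADDR*"
| table _time, host, sc4s_fromhostip, user
| dedup _time, host, user
| sort -_time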

Console logins for Linux Servers

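(index=osnix OR index=linux) "Started Session 7 of"
| table _time, host, _raw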
Appian

Admin Console

index="appian" source="*admin_console.csv"
| table _time, Property, Count

Blocked Files

index="appian" source="*blocked_files.csv*"
| table _time, User, "Document Name", Reason, Details, Hash

Data Store Deletions

index="appian" source="*data_store_deletions*"
| table _time, "Data Store", Entity, Id, "Node Display Name", User

Decryption

index="appian" source="*decryption.csv*"
| table _time, Username, Context, Action, Success

DevOps Infrastructure

index="appian" source="*devops_infrastructure.csv"
| table _time, ID, Name, URL, "Last Action Username", "Last Action Type", "Last Action Name", "Last Action IP", "Last Action Date", "Remote Enabled"

Devops Infrastructure Handler

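index=appian source="*devops_infrastructure_handler.csv"
| table _time, ID, Name, URL, "IP Address", "Status Code", "Error Occurred", "Direction", "Before or After Request Processed"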

File Attachment Downloads

index="appian" source="*file_attachment_downloads.csv*" "File name"!="*.png" "File name"!="*.ico" "File name"!="*.jpg"
| table _time, User, "File name", "Download Successful"

Login Audit

index="appian" source="*login-audit.csv" API_USER!="API-USER"
| table _time, API_USER, "Web API", Succeeded
| rename API_USER as "User", Succeeded as "Action"

Object Rolemap Audit

index="appian" source="*object_rolemap_audit.csv"
| table _time, Username, Name, Type, "Previous Rolemap", "New Rolemap"

Records Usage

index="appian" source="*records_usage.csv*"
| table _time, User, View, "Record Type Name", Action

Removed Processes

index="appian" source="*removed*"
| table _time, Action, "Process ID", "Process Name", "Transaction ID", Username

Sites Usage

index="appian" source="*sites_usage.csv*"
| table _time, User, Site, Page, Action

Users

index="appian" source="*users.csv"
| table _time, "Active LDAP Users", "Active SAML Users", "Active System Administrators", "Active Tempo Users", "Active Users", "Total Users"

User Management

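index=appian source="*user_management.csv" Action!="Log Initialized"
| table _time, Action, "Modified By Username", Username, "Original Value", "New Value"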
CrowdStrike

Logins

index="crowdstrike" user!="" action!=""
| table _time, user, event.ServiceName, action

CrowdStrike FW - RDP Sessions

index="crowdstrike" rdp event.LocalAddress!="PAM_IP_ADDR"
| table _time, event.HostName, event.LocalAddress, event.RemoteAddress, event.PolicyName, event.RuleGroupName, event.RuleAction

Malware Detections

index=crowdstrike "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* event.DetectId!=""
| table _time, action, description, event.ComputerName, event.DetectName, event.FileName, event.FilePath, event.IOCType, event.IOCValue, event.LocalIP, event.MACAddress, event.Objective, event.SeverityName, event.Tactic, event.Technique, event.UserName, event.CommandLine, event.AssociatedFile

Policies

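index=crowdstrike "metadata.eventType"=UserActivityAuditEvent "event.OperationName"=*policy
| table _time, *OperationName, *ServiceName, *UserId, *UserIp, *policy_name, *policy_enabled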

FileVantage

index=crowdstrike source="crowdstrike_filevantage_json"
| table _time, entity_type, severity, action_type, action_timestamp, command_line, entity_path, grandparent_process_image_file_name, parent_process_image_file_name, host.name, host.local_ip, host.os_version, policy.name, policy.rule_group.name

Identities

index="crowdstrike" sourcetype="crowdstrike:identities" riskScoreSeverity="HIGH"
| table _time, primaryDisplayName, isHuman, isProgrammatic, emailAddresses{}, accounts{}.userAccountControl, accounts{}.title, accounts{}.samAccountName, accounts{}.ou, accounts{}.enabled, accounts{}.dn, accounts{}.dataSource, accounts{}.department, accounts{}.description, type, roles{}.type, riskScoreSeverity, riskFactors{}.type, riskFactors{}.severity

Event Streams

index="crowdstrike" sourcetype="CrowdStrike:Event:Streams:JSON"
| table _time, ta_*, metadata.eventType, event.UserIp, event.Source, event.SourceIp, event.OperationName, event.Attributes.scopes, event.Attributes.produces, action
F5

Alert

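index=netwaf (severity="Critical" OR severity="High") request_status="blocked"
| table _time, attack_type, severity, sig_cves, sub_violations, "blocking_exception_reason", captcha_result, device_id, f5_bigip_service, geo_location, http_class_name, ip_client, method, request_status, response, request, uri, x_forwarded_for_header_value, violations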

Audit

index="netops" host="*waf*" sourcetype="f5:bigip:syslog" AUDIT object
| table _time, _raw

Report

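index=netwaf (severity="Critical" OR severity="High" OR severity="Medium") request_status="blocked"
| table _time, attack_type, severity, sig_cves, sub_violations, "blocking_exception_reason", captcha_result, device_id, f5_bigip_service, geo_location, http_class_name, ip_client, method, request_status, response, request, uri, x_forwarded_for_header_value, violations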
Symantec

Email - AntiMalware

index="symantec_email" sourcetype="symantec:email:cloud:antimalware"
| table _time, malwareName, sender, orig_recipient

Email - AntiSpam

index="symantec_email" sourcetype="symantec:email:cloud:antispam"
| table _time, sender, senderIp, recipient, subject, action, detectionMethod, emailSize
vCenter

Logins

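index=infraops source="vm*" "vim.event.UserLog*"
| table _time, action, user, datastore, message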

VM Events

index="infraops" source="vm*" action="vim.event.VmBe*"
| table _time, action, user, message
Cisco

Umbrella (DNS)

index="cisco_umbrella"
| table _time, user, action, ReplyCode, RecordType, category, domain, granular_identity_type, identities, identity_type, s3_filename, src, src_translated_ip

Umbrella (Audit)

index="cisco_umbrella" sourcetype="cisco:umbrella:audit" action!="" _raw!="*roamingdevices*"
| table _time, email, user, source_val, action, ip, body

ISE (Guest Users)

index="netauth" SelectedAuthenticationIdentityStores="Guest Users" AuthenticationStatus="UnknownUser"
| table _time, "Framed_IP_Address", EndPointMatchedProfile, SelectedAuthorizationProfiles

Router logins

index="netops" Login
| table _time, host, src, user, action

FMC - Blocked File Transfer Services

index="cisco_secure_fw" file action="Block"
| table _time, AC_RuleAction, Application, FirewallPolicy, FirewallRule, InitiatorIP, ResponderIP, URL, URL_Category

FMC - Audit Logs

index="osnix" source="program:FMC.qudsbank.ps" policy
| table _time, _raw

FMC Policy Changes

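index=osnix source="program:FMC.qudsbank.ps" ("*policy deployment*" OR "*rule_configs*" OR "*Policy Committed*" OR "*Save Policy*")
| table _time, _raw
| sort -_time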

SNA (Stealthwatch)

| securityevents domain_id=301 smc_ip=SNA_IP_ADDR earliest=-24h@h latest=now subject_ip= subject_host_group_id= peer_ip= peer_host_group_id= subject_orientation=EITHER security_event_type_id_list=all ports_list= hit_count_low_value= hit_count_high_value= ci_points_low_value= ci_points_high_value= filter_by=FLOW_COLLECTOR flow_collector_list="301" max_rows=2000
| sort 0 - ci_points
| eval start_time=strftime(strptime(start_time."+0000", "%Y-%m-%dT%H:%M:%SZ%z"), "%Y-%m-%d %H:%M:%S %Z")
| eval last_time=strftime(strptime(last_time."+0000", "%Y-%m-%dT%H:%M:%SZ%z"), "%Y-%m-%d %H:%M:%S %Z")
| eval ci_points=tostring(ci_points, "commas"), hit_count=tostring(hit_count, "commas")
| makemv delim=";" source_host_group_names
| makemv delim=";" target_host_group_names
| fields fc_name, start_time, last_time, event_type_name, ci_points, hit_count, source_ip, source_host_group_names, source_hostname, source_username, source_mac, target_ip, target_host_group_names, target_hostname, target_username, target_mac, details
| rename fc_name as "Appliance", start_time as "Start Active Time", last_time as "Last Active Time", event_type_name as "Security Event", source_ip as "Source IP", source_host_group_names as "Source Host Group(s)", source_hostname as "Source Hostname", target_ip as "Target IP", target_host_group_names as "Target Host Group(s)", target_hostname as "Target Hostname", ci_points as "CI Points", hit_count as "Hit Count", details as "Details", source_username as "Source Username", target_username as "Target Username", source_mac as "Source MAC", target_mac as "Target MAC"
Active Directory

AD - <Group_Name> Group Alert

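index=wineventlog (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) Group_Name="Change_Me!"
| rename src_user AS "Actioned By", src_user_first AS "First Name", src_user_last AS "Last Name", name AS "Action Taken"
| rex mode=sed field="Account_Name" "s/CN=//g"
| rex mode=sed field="Account_Name" "s/cn=//g"
| rex mode=sed field="Account_Name" "s/,OU.*//g"
| rex mode=sed field="Account_Name" "s/\\\//g"
| table "Actioned By", "First Name", "Last Name", Account_Name, "Action Taken", Group_Name, Account_Domain, _time
| sort - _time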

Console logins

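index=wineventlog EventCode=4624 Logon_Type=2
| table _time, host, user, dvc, action, command
| dedup _time, host, user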

Installed Applications

index="windows" sourcetype="Script:InstalledApps"
| table _time, host, DisplayName, Source, Publisher, InstallSource, InstallDate

Local Admin Account

index="wineventlog" EventCode=4732 Group_Name="Administrators"
| table _time, ComputerName, Group_Name, Account_Name, Message

Failed Logins for Disabled Accounts

index="wineventlog" source="*:Security" EventCode=4625 Sub_Status="0xC0000072"
| table _time, Account_Name, app, src, src_ip, dest, name

Dormant Account

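| ldapsearch domain=default search="(&(objectclass=user)(!(objectClass=computer)))" limit=0 attrs="sAMAccountName, displayName, distinguishedName, userAccountControl, whenCreated, accountExpires, lastLogonTimestamp"
| makemv userAccountControl
| search dn!="*OU=_Disabled Users*" userAccountControl!="*ACCOUNTDISABLE*"
| eval accountDisable=if(isnotnull(mvfind(userAccountControl, "ACCOUNTDISABLE")), "Yes", "No")
| eval dontExpirePasswd=if(isnotnull(mvfind(userAccountControl, "DONT_EXPIRE_PASSWD")), "Yes", "No")
| eval passwdNotRequired=if(isnotnull(mvfind(userAccountControl, "PASSWD_NOTREQD")), "Yes", "No")
| eval lastLoginAge_epoch=strptime(lastLogonTimestamp, "%Y-%m-%dT%H:%M:%S")
| eval lastLoginAge=round((lastLoginAge_epoch - now())/86400, 0)
| where lastLoginAge < -90 OR isnull(lastLoginAge)
| table sAMAccountName, displayName, dn, userAccountControl, whenCreated, accountDisable, dontExpirePasswd, passwdNotRequired, lastLoginAge, lastLogonTimestamp, accountExpires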

Passwords Never Changed - Active Accounts:

| ldapsearch domain="default" search="(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(userAccountControl:1.2.840.113556.1.4.803:=65536))" attrs="sAMAccountName,pwdLastSet"
| table sAMAccountName, dn, pwdLastSet

Passwords Last Changed - Active Accounts:

| ldapsearch domain=default search="(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,pwdLastSet"
| table sAMAccountName, pwdLastSet

Password removed from never expired

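index=wineventlog source="*:Security" EventCode=4738 name="A user account was changed" body="*'Don't Expire Password' - Disabled*"
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Modified User", Logon_ID as "Session ID", src_user as "User Modified By :", dest as "Destination DC", host as "Hostname"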

Password Set as Never Expired

index="wineventlog" source="*:Security" EventCode=4738 name="A user account was changed" body="*'Don't Expire Password' - Enabled*"
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Modified User", Logon_ID as "Session ID", src_user as "User Modified By :", dest as "Destination DC", host as "Hostname"

Detect Windows Account Privilege Changes

index="wineventlog" source="*:Security" (EventCode=4672 OR EventCode=4673)
| table _time, host, user, app, action, name, Privileges

User Modifications

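index=wineventlog source="*:Security" (EventCode=4722 OR EventCode=4725 OR EventCode=4720 OR EventCode=4726) user!=*$
| eval time=strftime(_time, "%c")
| table time, host, name, user, src_user
| rename time as "Time", name as "Action", user as "Target User", src_user as "Account Modified By", host as "Hostname"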

A member was added to Domain Admin Group

index="wineventlog" source="*:Security" EventCode=4728 Group_Name="Domain Admins" Message="*A member was added to a security-enabled global group*" name="A member was added to a security-enabled global group"
| eval time=strftime(_time, "%c")
| table time, host, name, user, src_user, Group_Name
| rename time as "Time", name as "Action", user as "Target User", src_user as "User Modified By :", host as "Hostname", Group_Name as "Group_Name"

A member was Removed from Domain Admin Group

index="wineventlog" source="*:Security" EventCode=4729 Group_Name="Domain Admins" Message="A member was removed from a security-enabled global group*" name="A member was removed from a security-enabled global group"
| eval time=strftime(_time, "%c")
| table time, host, name, user, src_user, Group_Name
| rename time as "Time", name as "Action", user as "Target User", src_user as "User Modified By :", host as "Hostname", Group_Name as "Group_Name"

A new Machine/Pc was Disabled

index="wineventlog" source="*:Security" EventCode=4725 user=*$
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Disabled Host", Logon_ID as "Session ID", src_user as "PC Disabled By :", dest as "Destination DC", host as "Hostname"

A new Machine/Pc was Enabled

index="wineventlog" source="*:Security" EventCode=4722 user=*$
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Enabled Host", Logon_ID as "Session ID", src_user as "User Enabled By :", dest as "Destination DC", host as "Hostname"

A user Account was Created

index="wineventlog" source="*:Security" EventCode=4720
| eval time=strftime(_time, "%c")
| table time, host, name, user, Display_Name, src_user, dest
| rename time as "Time", name as "Action", user as "Created User", Display_Name as "Display Name", src_user as "User Created By :", dest as "Destination DC", host as "Hostname"

A user Account was Deleted

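index=wineventlog source="*:Security" EventCode=4726
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Deleted User", Logon_ID as "Session ID", src_user as "User Deleted By :", dest as "Destination DC", host as "Hostname"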

A user Account was Disabled

index="wineventlog" source="*:Security" EventCode=4725 user!=*$
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Target User", Logon_ID as "Session ID", src_user as "User Modified By :", dest as "Destination DC", host as "Hostname"

A user Account was Enabled

index="wineventlog" source="*:Security" EventCode=4722 user!=*$
| eval time=strftime(_time, "%c")
| table time, host, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Enabled User", Logon_ID as "Session ID", src_user as "User Enabled By :", dest as "Destination DC", host as "Hostname"

Check for Disabled User Accounts:

| ldapsearch domain=default search="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" attrs="sAMAccountName"
| table sAMAccountName, dn

RDP Connections

index="wineventlog" Logon_Type=10 (EventCode=4624 OR EventCode=528 OR EventCode=4625 OR EventCode=529)
| eval action=case(EventCode=4624 OR EventCode=528, "Success", EventCode=4625 OR EventCode=529, "Failure")
| table _time, user, src, dest, action

Member Added/Removed

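index="wineventlog" (EventCode=4761 OR EventCode=4762 OR EventCode=4728 OR EventCode=4729)
| eval time=strftime(_time, "%c")
| table time, name, MemberName, Group_Name, src_user
| rename time as "Time", name as "Action", MemberName as "Member Name Added/Removed", Group_Name as "Group Name", src_user as "Member Added/Removed By :"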

Security Group mgmt changed:

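index="wineventlog" (EventCode=4735 OR EventCode=4737)
| eval time=strftime(_time, "%c")
| table time, name, src_user, TargetUserName, dest, session_id
| rename time as "Time", name as "Action", src_user as "Source User", TargetUserName as " Target Group ", dest as " Destination DC", session_id as "Session ID"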

User Enabled/Disabled:

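index="wineventlog" (EventCode=4722 OR EventCode=4725)
| eval time=strftime(_time, "%c")
| table time, name, user, src_user
| rename time as "Time", name as "Action", user as "Target User", src_user as "Account Enabled/Disabled By"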

UserAccount Locked/Unlocked:

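index="wineventlog" (signature="A user account was locked out" OR signature="A user account was unlocked")
| eval time=strftime(_time, "%c")
| table time, dest_nt_domain, Group_Name, name, src_user
| rename time as "Time", Group_Name as "User Name", dest_nt_domain as "Hostname", name as "Action", src_user as "Locked/Unlocked By"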

UserAccount Changed:

index=wineventlog signature="A user account was changed"
| eval time=strftime(_time, "%c")
| table time, name, user, src_user, dest
| rename time as "Time", name as "Action", user as " Target User", src_user as "Changed By", dest as "Destination DC"

User Created:

index=wineventlog EventCode=4720
| eval time=strftime(_time, "%c")
| table time, name, user, Logon_ID, src_user, dest
| rename time as "Time", name as "Action", user as "Created User", Logon_ID as "Session ID", src_user as "User Created By :", dest as "Destination DC"

Domain Policy Changed/Reset Password:

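index="wineventlog" (EventCode=4723 OR EventCode=4724)
| eval time=strftime(_time, "%c")
| table time, name, user, src_user
| rename time as "Time", name as "Action", user as "Target User", src_user as "Password Changed/Reset By"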

User Deleted By Admin:

index=wineventlog EventCode=4726
| eval time=strftime(_time, "%c")
| table time, name, src_user, user, dest
| rename time as "Time", name as "Action", src_user as "Deleted By : ", user as "Deleted User: ", dest as "Destination DC"
Senhasegura

Sessions

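index=pam act=Session dhost!="null" suser!="asc_117"
| table _time, sname, suser, src, dhost, dst, duser, proto
| rename sname as "Source Name", suser as "Source User", src as "Source IP", dhost as "Destination Host", dst as "Destination IP", proto as "Protocol", duser as "Destination User"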

Device Creation

index="pam" act="Device" msg="Device creation*"
| table _time, sname, src, cs3, cs4
| rename cs3 as "Server Name", src as "Source IP", sname as "User Name", cs4 as "Log Details"
Others

Office365 - Attachment Size Policy

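index=office365 "Parameters{}.Value"="Change_Me!"
| table _time, UserId, Parameters{}.Name, Parameters{}.Value
| rename UserId as "Modified by"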

Idrac

index="idrac" virtual console
| table _time, _raw
Windows Event ID Event Summary
4720 A user account was created
4722 A user account was enabled
4723 An attempt was made to change an account's password
4724 An attempt was made to reset an account's password
4725 A user account was disabled
4726 A user account was deleted
4738 A user account was changed
4781 The name of an account was changed
4782 The password hash of an account was accessed
4624 An account was successfully logged on
4740 A user account was locked out
4634 An account was logged off
4625 An account failed to log on
4648 A logon was attempted using explicit credentials
4732 A member was added to a security-enabled local group
4728 A member was added to a security-enabled global group
4756 A member was added to a security-enabled universal group
4733 A member was removed from a security-enabled local group
4729 A member was removed from a security-enabled global group
4757 A member was removed from a security-enabled universal group
4657 A registry value was modified
4672 Special privileges assigned to new logon
4697 A service was installed in the system
4698 A scheduled task was created
4699 A scheduled task was deleted
4700 A scheduled task was enabled
4701 A scheduled task was disabled
4702 A scheduled task was updated
4608 Windows is starting up
4609 Windows is shutting down
4800 The workstation was locked
4801 The workstation was unlocked
5140 A network share object was accessed
5145 A network share object was checked to see whether client can be granted desired access
1102 The audit log was cleared. (Security)

Failure Information:

This section explains why the logon failed.

Failure Reason: textual explanation of logon failure.
Status and Sub Status: Hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.
Status and Sub Status Codes Description (not checked against "Failure Reason:")
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to logon outside his day of week or time of day restrictions
0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xc000015b The user has not been granted the requested logon type (aka logon right) at this machine

Logon Types

Type Description
2 Console
3 Network
4 Batch (Scheduled Tasks)
5 Windows Services
7 Screen Lock/Unlock
8 Network (Cleartext Logon)
9 Alternate Credentials Specified (RunAs)
10 Remote Interactive (RDP)
11 Cached Credentials (e.g., Offline DC)
12 Cached Remote Interactive (RDP, similar to Type 10)
13 Cached Unlock (Similar to Type 7)