analyzing-windows-event-logs-in-splunk


Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

AI & Automation 38 stars 5 forks Updated yesterday MIT


Skill Content

# Analyzing Windows Event Logs in Splunk

## When to Use

Use this skill when:

- SOC analysts investigate alerts related to Windows authentication, process execution, or AD changes
- Detection engineers build SPL queries for Windows-based threat detection
- Incident responders need forensic timelines of Windows endpoint or domain controller activity
- Periodic threat hunting targets Windows-specific ATT&CK techniques

**Do not use** for Linux/macOS endpoint analysis or network-only investigations.

## Prerequisites

- Splunk with Windows Event Log data ingested (sourcetype `WinEventLog:Security`, `WinEventLog:System`, `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`)
- Sysmon deployed on endpoints with SwiftOnSecurity or Olaf Hartong configuration
- CIM data model acceleration for Endpoint and Authentication data models
- Knowledge of Windows Security Event IDs and Sysmon event types

## Workflow

### Step 1: Authentication Attack Detection

**Brute Force Detection (EventCode 4625 — Failed Logon):**

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, dc(TargetUserName) AS unique_users, values(TargetUserName) AS targeted_users by src_ip, Logon_Type, Status
| where count > 20
| eval attack_type = case(
    Logon_Type=3, "Network Brute Force",
    Logon_Type=10, "RDP Brute Force",
    Logon_Type=2, "Interactive Brute Force",
    1=1, "Other"
  )
| eval status_meaning = case(
    Status="0xc000006d", "Bad Username or Password",
    Stat...
```
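Added example (Python, not code from the skill or its repository): the same grouping, threshold and labelling as the brute-force SPL above, run over constructed 4625 events, so a detection engineer can check what a `stats` row will contain before deploying the query. The sample addresses, the field names and the "Other" fallback for status codes are assumptions; only `0xc000006d` is visible in the page's truncated `case()`.

```python
"""Emulate the brute-force SPL (EventCode 4625) above over constructed sample events."""
from collections import defaultdict

# Constructed sample events (not real telemetry), carrying only the fields the SPL uses.
# 203.0.113.7: 25 failed network logons spread over 8 accounts (over the threshold).
# 198.51.100.9: 5 failed RDP logons plus one 4624 success (under the threshold).
SAMPLE_EVENTS = (
    [{"EventCode": 4625, "src_ip": "203.0.113.7", "Logon_Type": 3, "Status": "0xC000006D",
      "TargetUserName": f"user{i % 8}"} for i in range(25)]
    + [{"EventCode": 4625, "src_ip": "198.51.100.9", "Logon_Type": 10, "Status": "0xc000006d",
        "TargetUserName": "administrator"} for _ in range(5)]
    + [{"EventCode": 4624, "src_ip": "198.51.100.9", "Logon_Type": 10, "Status": "0x0",
        "TargetUserName": "administrator"}]
)

LOGON_TYPE_LABELS = {3: "Network Brute Force", 10: "RDP Brute Force", 2: "Interactive Brute Force"}
# Only 0xc000006d is visible in the page's truncated case(); anything else falls through
# to "Other" here, mirroring the SPL's 1=1 default branch (an assumption).
STATUS_LABELS = {"0xc000006d": "Bad Username or Password"}


def attack_type(logon_type):
    """First eval case(): label by Logon_Type, else 'Other'."""
    return LOGON_TYPE_LABELS.get(logon_type, "Other")


def status_meaning(status):
    """Second eval case(); hex casing is normalized so the export style does not matter."""
    return STATUS_LABELS.get(status.lower(), "Other")


def detect_brute_force(events, threshold=20):
    """stats count, dc(), values() by src_ip, Logon_Type, Status | where count > threshold."""
    groups = defaultdict(list)
    for e in events:
        if e["EventCode"] != 4625:  # the search clause keeps only failed logons
            continue
        groups[(e["src_ip"], e["Logon_Type"], e["Status"].lower())].append(e["TargetUserName"])
    rows = []
    for (src_ip, logon_type, status), users in groups.items():
        if len(users) <= threshold:  # threshold is per stats row, i.e. per (src_ip, type, status)
            continue
        rows.append({"src_ip": src_ip, "Logon_Type": logon_type, "Status": status,
                     "count": len(users),                      # count
                     "unique_users": len(set(users)),          # dc(TargetUserName)
                     "targeted_users": sorted(set(users)),     # values(TargetUserName)
                     "attack_type": attack_type(logon_type),
                     "status_meaning": status_meaning(status)})
    return rows
```

Because the threshold is evaluated per `(src_ip, Logon_Type, Status)` row, the same source split across several status codes or logon types produces several smaller counts; tune the `by` clause with that in mind.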

Details

Author: adriannoes
Repository: adriannoes/awesome-vibe-coding
Created: 8 months ago
Last Updated: yesterday
Language: Jupyter Notebook
License: MIT
