analyzing-windows-event-logs-in-splunk

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

Category: AI & Automation | 12,642 stars | 1468 forks | Updated today | License: Apache-2.0

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Analyzing Windows Event Logs in Splunk

## When to Use

Use this skill when:

- SOC analysts investigate alerts related to Windows authentication, process execution, or AD changes
- Detection engineers build SPL queries for Windows-based threat detection
- Incident responders need forensic timelines of Windows endpoint or domain controller activity
- Periodic threat hunting targets Windows-specific ATT&CK techniques

**Do not use** for Linux/macOS endpoint analysis or network-only investigations.

## Prerequisites

- Splunk with Windows Event Log data ingested (sourcetype `WinEventLog:Security`, `WinEventLog:System`, `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`)
- Sysmon deployed on endpoints with SwiftOnSecurity or Olaf Hartong configuration
- CIM data model acceleration for Endpoint and Authentication data models
- Knowledge of Windows Security Event IDs and Sysmon event types

## Workflow

### Step 1: Authentication Attack Detection

**Brute Force Detection (EventCode 4625 — Failed Logon):**

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, dc(TargetUserName) AS unique_users, values(TargetUserName) AS targeted_users by src_ip, Logon_Type, Status
| where count > 20
| eval attack_type = case(
    Logon_Type=3, "Network Brute Force",
    Logon_Type=10, "RDP Brute Force",
    Logon_Type=2, "Interactive Brute Force",
    1=1, "Other"
  )
| eval status_meaning = case(
    Status="0xc000006d", "Bad Username or Password",
    Stat...
```
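The aggregation the SPL above performs (group failed logons by source, logon type and status, threshold the count, then label logon type and NTSTATUS) re-implemented in Python over constructed sample events, as an added example that is not part of the skill or its repository. The field names mirror the SPL's (`src_ip`, `Logon_Type`, `Status`, `TargetUserName`), the `threshold` default of 20 matches the `where count > 20`, and the status codes beyond `0xc000006d` are documented Windows codes added here, not taken from the page.

```python
from collections import defaultdict

# Logon_Type -> attack_type, mirroring the SPL case() statement.
LOGON_TYPE_LABELS = {3: "Network Brute Force", 10: "RDP Brute Force", 2: "Interactive Brute Force"}

# NTSTATUS codes seen in 4625 Status/SubStatus. 0xc000006d is the one the
# page maps; the others are documented Windows codes added here.
STATUS_MEANINGS = {
    "0xc000006d": "Bad Username or Password",
    "0xc000006a": "Wrong Password",
    "0xc0000064": "User Name Does Not Exist",
    "0xc0000234": "Account Locked Out",
    "0xc0000072": "Account Disabled",
}

def detect_brute_force(events, threshold=20):
    """stats count, dc(TargetUserName), values(TargetUserName)
    by src_ip, Logon_Type, Status | where count > threshold"""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4625:
            continue
        # Lower-case the status so a value rendered as 0xC000006D still matches.
        key = (ev["src_ip"], ev["Logon_Type"], ev["Status"].lower())
        groups[key].append(ev["TargetUserName"])
    findings = []
    for (src_ip, logon_type, status), users in groups.items():
        if len(users) <= threshold:
            continue
        findings.append({
            "src_ip": src_ip, "Logon_Type": logon_type, "Status": status,
            "count": len(users), "unique_users": len(set(users)),
            "targeted_users": sorted(set(users)),
            "attack_type": LOGON_TYPE_LABELS.get(logon_type, "Other"),
            "status_meaning": STATUS_MEANINGS.get(status, "Unknown"),
        })
    return sorted(findings, key=lambda f: -f["count"])

def sample_events():
    """Constructed 4625 events: a 25-attempt RDP spray plus benign noise."""
    spray = [{"EventCode": 4625, "src_ip": "203.0.113.7", "Logon_Type": 10,
              "Status": "0xC000006D", "TargetUserName": f"user{i % 5}"}
             for i in range(25)]
    noise = [{"EventCode": 4625, "src_ip": "10.0.0.12", "Logon_Type": 2,
              "Status": "0xC000006D", "TargetUserName": "alice"} for _ in range(3)]
    return spray + noise

if __name__ == "__main__":
    for f in detect_brute_force(sample_events()):
        print(f["src_ip"], f["attack_type"], f["count"], f["status_meaning"])
```

With the default threshold only the spraying source is reported; lowering `threshold` shows how quickly the three benign failures from the workstation would also surface, which is the tuning trade-off the `where count > 20` line encodes.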

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

analyzing-security-logs-with-splunk

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.

detecting-lateral-movement-with-splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

detecting-rdp-brute-force-attacks

Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis.

performing-lateral-movement-detection

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

configuring-windows-event-logging-for-detection

Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.
