Here's a short list, but I plan on adding more in the near future.
#WINDOWS
Find when an account was created and by whom (the windows_account_created eventtype comes from the Splunk Windows add-on and maps to Security event 4720, "A user account was created"):
(index="wineventlog" OR source=*WinEventLog*) eventtype=windows_account_created *
Same as above but narrowed to one new account name (IISService1 in this example):
(index="wineventlog" OR source=*WinEventLog*) eventtype=windows_account_created * IISService1
Find who was added to the local Administrators group (Security event 4732, "A member was added to a security-enabled local group"). The event lists a Security ID once per section, in the order Subject, Member, Group, so mvindex(Security_ID,0) is the account that made the change and mvindex(Security_ID,1) is the account that was added:
(index="wineventlog" OR source=*WinEventLog*) name="A member was added to a security-enabled local group" AND user_group="Administrators" * | rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server | eval added_by=mvindex(Security_ID,0) | eval user=mvindex(Security_ID,1)
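Both Windows searches above rely on the order in which "Security ID:" appears in the event body. The following Python script is an added example, not code from this page or from Splunk: it reproduces that logic offline over constructed 4720 and 4732 event bodies (the names, SIDs and logon IDs are made up; only IISService1 is taken from the page). It also matches the group by its well-known SID S-1-5-32-544, which is an assumption-free hardening of the search: a renamed BUILTIN\Administrators group keeps that SID but would no longer match user_group="Administrators".

```python
import re
from typing import Dict, List, Optional

# Constructed sample event bodies in the layout of the Windows Security log
# (names, SIDs and logon IDs are made up for this example). The label
# "Security ID:" occurs once per section, and Splunk's Windows add-on gathers
# those into the multivalue field Security_ID in document order; that is what
# mvindex(Security_ID, 0) (the subject) and mvindex(Security_ID, 1) (the
# account acted on) depend on in the searches above.
EVENT_4720 = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7A1

New Account:
\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1310
\tAccount Name:\t\tIISService1
\tAccount Domain:\t\tCORP
"""

EVENT_4732_ADMINS = """A member was added to a security-enabled local group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7A1

Member:
\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1208
\tAccount Name:\t\tCORP\\svc-backup

Group:
\tSecurity ID:\t\tS-1-5-32-544
\tGroup Name:\t\tAdministrators
\tGroup Domain:\t\tBuiltin
"""

# Same event shape, but the member joins Remote Desktop Users (S-1-5-32-555),
# which the Administrators search must not match.
EVENT_4732_RDP = (EVENT_4732_ADMINS
                  .replace("S-1-5-32-544", "S-1-5-32-555")
                  .replace("Administrators", "Remote Desktop Users"))

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID, survives a rename

SID_RE = re.compile(r"Security ID:\s*(S-[0-9-]+)")
NAME_RE = re.compile(r"Account Name:\s*(\S+)")
GROUP_RE = re.compile(r"Group Name:\s*(.+)")


def parse_event(text: str) -> Dict[str, object]:
    """Split an event body into its message line and the ordered field lists."""
    first_line = text.strip().splitlines()[0].strip()
    group = GROUP_RE.search(text)
    return {
        "message": first_line,
        "sids": SID_RE.findall(text),      # document order, like Splunk's Security_ID
        "names": NAME_RE.findall(text),    # document order, like Account_Name
        "group_name": group.group(1).strip() if group else None,
    }


def classify(text: str) -> Optional[Dict[str, str]]:
    """Return the fields the two searches above compute, or None if no match."""
    ev = parse_event(text)
    sids, names = ev["sids"], ev["names"]
    if ev["message"].startswith("A user account was created") and len(sids) >= 2:
        return {
            "type": "account_created",
            "created_by": names[0], "created_by_sid": sids[0],
            "new_account": names[1], "new_account_sid": sids[1],
        }
    if (ev["message"].startswith("A member was added to a security-enabled local group")
            and len(sids) >= 3):
        # Match on the group's well-known SID as well as its name, so a renamed
        # BUILTIN\Administrators group is still caught.
        if ev["group_name"] != "Administrators" and sids[2] != BUILTIN_ADMINISTRATORS_SID:
            return None
        return {"type": "local_admin_added", "added_by": sids[0], "user": sids[1],
                "group": ev["group_name"]}
    return None


def review(events: List[str]) -> List[Dict[str, str]]:
    """Run classify over a batch of event bodies and keep only the hits."""
    return [hit for hit in (classify(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in review([EVENT_4720, EVENT_4732_ADMINS, EVENT_4732_RDP]):
        print(hit)
```

Running it prints two hits (the account creation and the Administrators addition) and drops the Remote Desktop Users event, mirroring what the two Splunk searches return.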
#CISCO ASA REMOTE ACCESS VPN
AAA authentication rejected (invalid password and other rejection reasons):
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113005
Authenticated successfully:
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113004
Default Group Policy:
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113009
AAA ACCEPT or DENY:
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113008
Disconnect with DURATION and REASON:
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113019
Same as above but limited to the AnyConnect parent session. The ASA logs a separate 113019 for the parent session and for each SSL-Tunnel and DTLS-Tunnel under it, so filtering on AnyConnect-Parent gives one line per login with the overall duration and reason instead of two or three:
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113019 type="AnyConnect-Parent"
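To show what the type="AnyConnect-Parent" filter does to the 113019 output, here is an added Python example, not code from this page or from Cisco. It parses constructed syslog lines in the ASA 113019 format (the hostname and the username kcordero are taken from the page; the other user, addresses, durations and byte counts are made up), converts the Duration field to seconds and counts disconnect reasons once per session rather than once per tunnel. The field names Cisco_ASA_message_id and type in the searches are extractions done by the Cisco add-on; this script extracts the equivalents itself.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed syslog lines in the format the ASA uses for message 113019.
# The first three lines are one AnyConnect login by kcordero: the ASA emits a
# 113019 for the parent session and one for each tunnel beneath it. The last
# line is a 113004 (successful authentication) to show non-113019 input is skipped.
SAMPLE_LINES = [
    "Apr 12 10:15:03 cisco-5555x-a.cordero.me %ASA-4-113019: Group = RA-VPN, Username = kcordero, "
    "IP = 203.0.113.10, Session disconnected. Session Type: SSL-Tunnel, Duration: 0h:42m:17s, "
    "Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested",
    "Apr 12 10:15:03 cisco-5555x-a.cordero.me %ASA-4-113019: Group = RA-VPN, Username = kcordero, "
    "IP = 203.0.113.10, Session disconnected. Session Type: DTLS-Tunnel, Duration: 0h:42m:15s, "
    "Bytes xmt: 9876543, Bytes rcv: 8765432, Reason: User Requested",
    "Apr 12 10:15:04 cisco-5555x-a.cordero.me %ASA-4-113019: Group = RA-VPN, Username = kcordero, "
    "IP = 203.0.113.10, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:42m:20s, "
    "Bytes xmt: 10000000, Bytes rcv: 9000000, Reason: User Requested",
    "Apr 12 11:02:40 cisco-5555x-a.cordero.me %ASA-4-113019: Group = RA-VPN, Username = bob, "
    "IP = 198.51.100.7, Session disconnected. Session Type: AnyConnect-Parent, Duration: 2h:05m:03s, "
    "Bytes xmt: 555, Bytes rcv: 444, Reason: Idle Timeout",
    "Apr 12 11:03:01 cisco-5555x-a.cordero.me %ASA-6-113004: AAA user authentication Successful : "
    "server = 10.0.0.5 : user = kcordero",
]

MSG_113019 = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<duration>\d+h:\d+m:\d+s), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)
DURATION = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def duration_seconds(text: str) -> int:
    """Convert the ASA's 0h:42m:17s duration format to seconds."""
    h, m, s = (int(x) for x in DURATION.fullmatch(text).groups())
    return h * 3600 + m * 60 + s


def parse_113019(line: str) -> Optional[Dict[str, object]]:
    """Extract the 113019 fields from one syslog line; None for any other message."""
    m = MSG_113019.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["duration_s"] = duration_seconds(rec["duration"])
    rec["xmt"], rec["rcv"] = int(rec["xmt"]), int(rec["rcv"])
    return rec


def session_disconnects(lines: List[str],
                        session_type: str = "AnyConnect-Parent") -> List[Dict[str, object]]:
    """113019 records for one Session Type, the same cut as type="AnyConnect-Parent"."""
    recs = (parse_113019(line) for line in lines)
    return [r for r in recs if r and r["type"] == session_type]


def reason_counts(lines: List[str]) -> Dict[str, int]:
    """Why sessions ended, counted once per login (parent) rather than per tunnel."""
    return dict(Counter(r["reason"] for r in session_disconnects(lines)))


if __name__ == "__main__":
    for r in session_disconnects(SAMPLE_LINES):
        print(r["user"], r["ip"], r["duration_s"], "s", r["reason"])
    print(reason_counts(SAMPLE_LINES))
```

Without the session-type filter the sample yields four disconnect records for two logins; with it, one record per login, which is the count you want when reporting durations or disconnect reasons per user.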
WebVPN Session Terminated:
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=716002
User requested disconnect (722012 carries the AnyConnect client's NOTICE messages in general; add "User Requested" as a search term to narrow it to this one):
host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=722012
#PALO ALTO
Palo Alto Users and APP-ID:
host="192.168.1.11" app=dropbox-base
#EXAMPLES
AnyConnect login for a specific user (the bare username at the end is a free-text term, so it matches anywhere in the event):
host="cisco-asa5555xa.e-ins.net" Cisco_ASA_message_id=113004 kcordero
#APPS NEEDED FOR SPLUNK
Cisco Networks Add-on for Splunk Enterprise:
https://splunkbase.splunk.com/app/1467/
Palo Alto Networks App for Splunk:
https://splunkbase.splunk.com/app/491/
Windows Event Logs Analysis:
https://splunkbase.splunk.com/app/3067/
#CISCO ASA SYSLOG MESSAGE REFERENCE:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html