Splunk Queries

Here’s a short list but I plan on added more in the near future.

#WINDOWS
Find when an account was created and by who:

(index="wineventlog" OR source=*WinEventLog*) eventtype=windows_account_created *
(index="wineventlog" OR source=*WinEventLog*) eventtype=windows_account_created * IISService1

Find who was added to the Local Administrator Group:

(index="wineventlog" OR source=*WinEventLog*) name="A member was added to a security-enabled local group" AND user_group="Administrators" * | rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server | eval added_by=mvindex(Security_ID,0) | eval user=mvindex(Security_ID,1)

#CISCO ASA REMOTE ACCESS VPN
Invalid Password:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113005

Authenticated successfully:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113004

Default Group Policy:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113009

AAA ACCEPT or DENY:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113008

Disconnect with DURATION and REASON:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113019

Same as above but added Anyconnect to be more specific:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=113019 type="AnyConnect-Parent"

WebVPN Session Terminated:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=716002

User requested disconnect:

host="cisco-5555x-a.cordero.me" Cisco_ASA_message_id=722012

#PALO ALTO
Palo Alto Users and APP-ID:

host="192.168.1.11" app=dropbox-base

#EXAMPLES
Anyconnect Logged In with User:

host="cisco-asa5555xa.e-ins.net" Cisco_ASA_message_id=113004 kcordero

#APPS NEEDED FOR SPLUNK
Cisco Networks Add-on for Splunk Enterprise:

https://splunkbase.splunk.com/app/1467/

Palo Alto Networks App for Splunk:

https://splunkbase.splunk.com/app/491/

Windows Event Logs Analysis:

https://splunkbase.splunk.com/app/3067/

#Cisco Syslog Messages:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html

More Stories
Cisco QoS – Four CoS Levels