Security-Related Queries for Windows
This post has several queries you can run in Sumo to detect potential security issues in a Windows environment.
A query returns no results when the problem it looks for is absent, so an empty result set means no problem was found.
Monitor Privilege Groups
Privileged accounts and groups are those granted powerful rights, privileges, and permissions that allow them to perform nearly any action. A security best practice is to reduce risk by adopting the principle of "least privilege for access management", that is, to minimize the assignment of accounts to privileged groups. This query allows you to monitor accounts that were added to privileged groups.
_sourceCategory=Labs/OS/windows and "CategoryString = \"Security Group Management\"" and added
// event_id is not extracted automatically from the legacy message format, so pull it from the EventCode field
| parse "EventCode = *;" as event_id nodrop
| parse regex "Subject:[\s\S]+?Account\sName:\t+(?<src_user>[^\r]+)" nodrop
| parse regex "Subject:[\s\S]+?Account\sDomain:\t+(?<src_domain>[^\r]+)" nodrop
| parse regex "Member:[\s\S]+?Account\sName:\t+(?<dest_user>[^\r]+)" nodrop
// Two layouts of the Group section are parsed; when both match, the later parse wins
| parse regex "Group:[\s\S]+?Account\sName:\t+(?<dest_group>[^\r]+)" nodrop
| parse regex "Group:[\s\S]+?Account\sDomain:\t+(?<dest_domain>[^\r]+)" nodrop
| parse regex "Group\sName:\t+(?<dest_group>[^\r]+)" nodrop
| parse regex "Group\sDomain:\t+(?<dest_domain>[^\r]+)" nodrop
| where dest_group="Administrators"
| formatDate(_messagetime, "MM/dd/yyyy hh:mm:ss") as date
| count date, event_id, dest_user, dest_group, dest_domain, src_user, src_domain
// If you have custom groups, use something like
// where dest_group in ("Administrators", "Domain Admins", "My Group")
Monitor Account Lockouts
Locked accounts can be a sign of compromised credentials. This query allows you to identify account lockouts.
_sourceCategory=Labs/OS/windows and "CategoryString = \"User Account Management\"" and "EventCode = 4740;"
| parse "EventCode = *;" as event_id nodrop
| parse regex "Subject:[\s\S]+?Account\sName:\t+(?<src_user>[^\r]+)"
| parse regex "Subject:[\s\S]+?Account\sDomain:\t+(?<src_domain>[^\r]+)"
// The locked-out account is the next Account Name after the Subject's own Account Name line
| parse regex ".*?Account.*?:[\s\S]+?Account\sName:\t+(?<dest_user>[^\r]+)" nodrop
| parse regex ".*?Account.*?:[\s\S]+?Account\sDomain:\t+(?<dest_domain>[^\r]+)" nodrop
| formatDate(_messagetime, "MM/dd/yyyy hh:mm:ss") as date
| count date, event_id, dest_user, dest_domain
| fields - _count
| sort date
// Of course, you can also search for a specific src_user
Monitor Excessive Failed Logins
A high number of failed logins can be a sign of compromised credentials. This query allows you to identify excessive failed logins.
_sourceCategory=Labs/OS/windows and "EventCode = 4625;"
| parse "EventCode = *;" as event_id nodrop
| parse regex "Logon\sType:\t+(?<logon_type>\d{1,2})\r" nodrop
| parse regex "Subject:[\s\S]+?Account\sName:\t+(?<src_user>[^\r]+)" nodrop
| parse regex "Subject:[\s\S]+?Account\sDomain:\t+(?<src_domain>[^\r]+)" nodrop
| parse regex "Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sName:\t+(?<dest_user>[^\r]+)" nodrop
| parse regex "Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sDomain:\t+(?<dest_domain>[^\r]+)" nodrop
| parse regex "Network\sInformation:[\s\S]+?Workstation\sName:\t+(?<wkstation>[^\r]+)" nodrop
| parse regex "Network\sInformation:[\s\S]+?Source\sNetwork\sAddress:\t+(?<src_ip>[^\r]+)" nodrop
| parse regex "Failure\sInformation:[\s\S]+?Failure\sReason:\t+(?<fail_reason>[^\r]+)" nodrop
| parse regex "Failure\sInformation:[\s\S]+?Status:\t+(?<fail_status>[^\r]+)" nodrop
| parse regex "Failure\sInformation:[\s\S]+?Sub\sStatus:\t+(?<fail_sub_status>[^\r]+)" nodrop
| parse regex "Detailed\sAuthentication\sInformation:[\s\S]+?Logon\sProcess:\t+(?<logon_process>[^\s]+)" nodrop
| parse regex "Process\sInformation:[\s\S]+?Process\sID:\t+(?<process_id>[^\r]+)" nodrop
| parse regex "Process\sInformation:[\s\S]+?Process\sName:\t+(?<process_name>[^\r]+)" nodrop
| formatDate(_messagetime, "MM/dd/yyyy hh:mm:ss") as date
| count event_id, dest_user, dest_domain //, logon_type, logon_process, fail_reason, fail_status
| where _count > 10
// Choose a threshold meaningful to your investigation
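The three detections above (privileged group additions, account lockouts, excessive failed logins) share the same parsing step: anchored regexes over the multi-line Windows Security event text. The following is an added example, not code from the original post or from Sumo Logic, that runs the page's patterns in Python over constructed sample events so the anchors and the threshold logic can be checked offline. The patterns are the page's own, with Sumo's `(?<name>...)` groups written as Python's `(?P<name>...)`; the event records, account names, SIDs and IP addresses are constructed for the example, and the `groups` and `threshold` parameters are this example's assumptions.

```python
# Added example, not from the original post: the page's Sumo regexes run in
# Python over constructed Windows Security event text (CRLF line endings,
# tab-separated values, as in the real message body).
import re
from collections import Counter

# Patterns run in page order; a later match overwrites an earlier value,
# mirroring the repeated "parse regex ... nodrop" lines in the queries.
GROUP_PATTERNS = [
    r"Subject:[\s\S]+?Account\sName:\t+(?P<src_user>[^\r]+)",
    r"Subject:[\s\S]+?Account\sDomain:\t+(?P<src_domain>[^\r]+)",
    r"Member:[\s\S]+?Account\sName:\t+(?P<dest_user>[^\r]+)",
    r"Group:[\s\S]+?Account\sName:\t+(?P<dest_group>[^\r]+)",
    r"Group:[\s\S]+?Account\sDomain:\t+(?P<dest_domain>[^\r]+)",
    r"Group\sName:\t+(?P<dest_group>[^\r]+)",
    r"Group\sDomain:\t+(?P<dest_domain>[^\r]+)",
]
LOCKOUT_PATTERNS = [
    r"Subject:[\s\S]+?Account\sName:\t+(?P<src_user>[^\r]+)",
    # anchors on the first line containing "Account" (the Subject's own Account
    # Name line) and captures the next Account Name, i.e. the locked-out user
    r".*?Account.*?:[\s\S]+?Account\sName:\t+(?P<dest_user>[^\r]+)",
]
FAILED_LOGIN_PATTERNS = [
    r"Logon\sType:\t+(?P<logon_type>\d{1,2})\r",
    r"Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sName:\t+(?P<dest_user>[^\r]+)",
    r"Account\sFor\sWhich\sLogon\sFailed:[\s\S]+?Account\sDomain:\t+(?P<dest_domain>[^\r]+)",
    r"Network\sInformation:[\s\S]+?Source\sNetwork\sAddress:\t+(?P<src_ip>[^\r]+)",
    r"Failure\sInformation:[\s\S]+?Status:\t+(?P<fail_status>[^\r]+)",
]

def parse_fields(message, patterns):
    """Run each regex over the event text; a pattern that does not match is skipped (nodrop)."""
    fields = {}
    for pattern in patterns:
        match = re.search(pattern, message)
        if match:
            fields.update(match.groupdict())
    return fields

def privileged_group_additions(events, groups=("Administrators", "Domain Admins")):
    """Members added to a watched group, as (src_user, dest_user, dest_group, dest_domain)."""
    hits = []
    for ev in events:
        if ev["CategoryString"] != "Security Group Management" or "added" not in ev["Message"]:
            continue
        f = parse_fields(ev["Message"], GROUP_PATTERNS)
        if f.get("dest_group") in groups:
            hits.append((f.get("src_user"), f.get("dest_user"), f["dest_group"], f.get("dest_domain")))
    return hits

def account_lockouts(events):
    """Distinct accounts locked out (EventCode 4740)."""
    return sorted({parse_fields(ev["Message"], LOCKOUT_PATTERNS).get("dest_user")
                   for ev in events if ev["EventCode"] == 4740})

def excessive_failed_logins(events, threshold=10):
    """Count 4625 events per (dest_user, dest_domain) and keep those above the threshold."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] == 4625:
            f = parse_fields(ev["Message"], FAILED_LOGIN_PATTERNS)
            counts[(f.get("dest_user"), f.get("dest_domain"))] += 1
    return {key: n for key, n in counts.items() if n > threshold}

# --- constructed sample events (names, SIDs and addresses are made up) ---
def _msg(*lines):
    return "\r\n".join(lines) + "\r\n"

def group_add(actor, member, group, domain):
    return {"EventCode": 4732, "CategoryString": "Security Group Management", "Message": _msg(
        "A member was added to a security-enabled local group.", "",
        "Subject:", f"\tAccount Name:\t\t{actor}", "\tAccount Domain:\t\tCORP", "",
        "Member:", "\tSecurity ID:\t\tS-1-5-21-1-2-3-1105", f"\tAccount Name:\t\t{member}", "",
        "Group:", "\tSecurity ID:\t\tS-1-5-32-544", f"\tGroup Name:\t\t{group}", f"\tGroup Domain:\t\t{domain}")}

def failed_logon(user, domain, src_ip):
    return {"EventCode": 4625, "CategoryString": "Logon", "Message": _msg(
        "An account failed to log on.", "",
        "Subject:", "\tAccount Name:\t\t-", "\tAccount Domain:\t\t-", "",
        "Logon Type:\t\t\t3", "",
        "Account For Which Logon Failed:", f"\tAccount Name:\t\t{user}", f"\tAccount Domain:\t\t{domain}", "",
        "Failure Information:", "\tFailure Reason:\t\tUnknown user name or bad password.",
        "\tStatus:\t\t\t0xC000006D", "\tSub Status:\t\t0xC000006A", "",
        "Network Information:", "\tWorkstation Name:\tWS07", f"\tSource Network Address:\t{src_ip}")}

LOCKOUT = {"EventCode": 4740, "CategoryString": "User Account Management", "Message": _msg(
    "A user account was locked out.", "",
    "Subject:", "\tSecurity ID:\t\tS-1-5-18", "\tAccount Name:\t\tDC01$", "\tAccount Domain:\t\tCORP", "",
    "Account That Was Locked Out:", "\tSecurity ID:\t\tS-1-5-21-1-2-3-1105", "\tAccount Name:\t\tbob", "",
    "Additional Information:", "\tCaller Computer Name:\tWS01")}

EVENTS = ([group_add("jdoe", "CORP\\bob", "Administrators", "Builtin"),
           group_add("jdoe", "CORP\\carol", "Remote Desktop Users", "Builtin"),
           LOCKOUT]
          + [failed_logon("svc_backup", "CORP", "10.0.0.5") for _ in range(11)]
          + [failed_logon("alice", "CORP", "10.0.0.9") for _ in range(2)])

if __name__ == "__main__":
    print("privileged group additions:", privileged_group_additions(EVENTS))
    print("account lockouts:", account_lockouts(EVENTS))
    print("excessive failed logins:", excessive_failed_logins(EVENTS))
```

Running it reports the one addition to Administrators (the Remote Desktop Users addition is filtered out), the single locked-out account, and only svc_backup exceeding the default threshold of 10; lowering `threshold` surfaces alice's two failures as well. The sample messages use `\r\n` line endings deliberately, because every `[^\r]+` capture on the page relies on the carriage return to end a value; feeding the same regexes text with bare `\n` endings makes each capture run on to the end of the message.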
-
Hi Mary,
Thank you for posting these. Do you know if there's a way, after turning this into an alert, to filter out the count of affected machines?
For example, I have a machine that alerts at a given time with 5 login attempts in 15 minutes. In the next 15 minutes, we're up to 9, because 4 more attempts were made. I would want to be alerted on that first 5, but not the second wave of 4. I can't figure out how to make that work.
Do you have any suggestions? I'm not familiar with regex at all.
Thank you,
Heidi