analyzing-windows-event-logs-in-splunk
Community
Detect Windows auth threats in Splunk with SPL
Author: Axxxxxxaaann
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques.
Core Features & Use Cases
- Provides SPL-based detection patterns for authentication anomalies, privilege changes, persistence mechanisms, and lateral movement.
- Includes ready-to-run queries for brute force (EventCode 4625), password spray, new admin accounts (4720), LSASS access (Sysmon EventCode 10), and SMB/RDP lateral movement detection.
- Maps detections to MITRE ATT&CK techniques and integrates with the Windows CIM data model for cross-source correlation.
Quick Start
Run a Splunk search against Windows event logs to surface brute-force and suspicious authentication events in the last 24 hours.
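An added example of the kind of search the Quick Start describes, not taken from the skill itself: it surfaces brute-force and password-spray activity from Security EventCode 4625 over the last 24 hours and flags sources that also obtained a 4624 success. The index name, the XmlWinEventLog:Security sourcetype and the src_ip, user and dest fields (as extracted by the Splunk Add-on for Microsoft Windows) are assumptions; the thresholds are placeholders to tune per environment.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventCode=4625 OR EventCode=4624) earliest=-24h
| eval outcome=if(EventCode=4625, "failure", "success")
| stats count(eval(outcome="failure")) AS failures,
        count(eval(outcome="success")) AS successes,
        dc(eval(if(outcome="failure", user, null()))) AS failed_users,
        min(_time) AS first_seen, max(_time) AS last_seen
        BY src_ip, dest
| where failures >= 20
| eval pattern=case(
        failed_users >= 10 AND successes > 0, "password_spray_with_success",
        failed_users >= 10, "password_spray",
        successes > 0, "brute_force_with_success",
        true(), "brute_force")
| convert ctime(first_seen) ctime(last_seen)
| sort -failures
```

Many failures against a single account map to brute force (T1110.001), while the same source failing against many distinct accounts maps to password spraying (T1110.003); rows with a success after the failures deserve first attention.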
Dependency Matrix
Required Modules
splunk-sdk
Components
scripts, references
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: analyzing-windows-event-logs-in-splunk Download link: https://github.com/Axxxxxxaaann/KAIRI-Skills/archive/main.zip#analyzing-windows-event-logs-in-splunk Please download this .zip file, extract it, and install it in the .claude/skills/ directory.