forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathpreviously_seen_windows_service_starts.yml
More file actions
37 lines (37 loc) · 1.66 KB
/
previously_seen_windows_service_starts.yml
File metadata and controls
37 lines (37 loc) · 1.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
baseline:
splunk:
schedule:
cron_schedule: ''
earliest_time: -30d@d
latest_time: -10m@m
search: eventtype=wineventlog_system signature_id=7036 | rename param1 as service_name | rename param2 as action | search action="running" | stats earliest(_time) as firstTime, latest(_time) as lastTime by service_name | outputlookup previously_seen_running_windows_services | stats count
creation_date: '2018-07-20'
data_metadata:
data_eventtypes:
- wineventlog_system
data_source:
- Windows Event Logs
providing_technologies:
- Microsoft Windows
description: This collects the services that have been started across your entire
enterprise.
eli5: In this support search, we look for Windows system-event code that indicates
a status change of a Windows service. In this specific log event, the `param1` field represents the
"service_name" and the `param2` represents the action/status of the service. This search will create a table of the first and last time as particular Windows service was seen to be in the `running` status.
how_to_implement: While this search does not require you to adhere to Splunk CIM,
you must be ingesting your Windows security-event logs for it to execute successfully. Please ensure that the Splunk Add-on for Microsoft Windows is version 5.0.0 or above.
id: 64ce0ade-cb01-4678-bddd-d31c0b175394
known_false_positives: ''
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
modification_date: '2020-01-13'
name: Previously Seen Running Windows Services
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
spec_version: 2
type: splunk
version: '2.0'