forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwindows_updates_install_successes.yml
More file actions
30 lines (30 loc) · 985 Bytes
/
windows_updates_install_successes.yml
File metadata and controls
30 lines (30 loc) · 985 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
name: Windows Updates Install Successes
id: 6a80535c-86a6-4b54-894c-4b446d0c701d
version: 1
date: '2017-09-14'
author: David Dorsey, Splunk
type: Baseline
datamodel: []
description: This search is intended to give you a feel for how often successful Windows
updates are applied in your environments. Fluctuations in these numbers will allow
you to determine when you should be concerned.
search: '| tstats `security_content_summariesonly` dc(Updates.dest) as count FROM
datamodel=Updates where Updates.vendor_product="Microsoft Windows" AND Updates.status=installed
by _time span=1d'
how_to_implement: You must be ingesting your Windows Update Logs
known_false_positives: none
references: []
tags:
analytic_story:
- Monitor for Updates
detections:
- No Windows Updates in a time frame
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Updates.vendor_product
- Updates.status
security_domain: endpoint