Splunk is one of the most widely deployed SIEM platforms, and SPL (Search Processing Language) is the query language you use to get security signal out of it. Security analysts who work in Splunk need a solid command of SPL.
Common Security Queries
Failed Login Detection
index=windows EventCode=4625
| stats count by src_ip, user
| where count > 5
| sort -count
Successful Login After Failures
index=windows (EventCode=4625 OR EventCode=4624) user=*
| transaction user maxspan=10m startswith="EventCode=4625" endswith="EventCode=4624"
| where eventcount > 1
| table _time, user, src_ip, EventCode, eventcount
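Both queries above reduce to logic that can be reasoned about offline. The following is an added Python example, not code from the original page, that implements the same two detections over a constructed set of parsed Windows Security events: failed_login_counts mirrors "stats count by src_ip, user | where count > 5 | sort -count", and failed_then_success mirrors a "transaction user maxspan=10m" that opens on EventCode 4625 and closes on 4624, so the edge cases (a success with no prior failure, a success arriving after the span has expired) are visible. The field names, user names and sample timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, already parsed into the fields
# the SPL above uses (_time, EventCode, user, src_ip). Not real log data.
SAMPLE_EVENTS = [
    {"_time": "2024-12-01T08:00:05", "EventCode": 4625, "user": "alice", "src_ip": "10.0.0.5"},
    {"_time": "2024-12-01T08:00:20", "EventCode": 4625, "user": "alice", "src_ip": "10.0.0.5"},
    {"_time": "2024-12-01T08:01:10", "EventCode": 4624, "user": "alice", "src_ip": "10.0.0.5"},
    # success with no preceding failure: nothing to correlate
    {"_time": "2024-12-01T09:00:00", "EventCode": 4624, "user": "bob", "src_ip": "10.0.0.7"},
    # failure and success 25 minutes apart: outside maxspan=10m
    {"_time": "2024-12-01T09:30:00", "EventCode": 4625, "user": "carol", "src_ip": "10.0.0.9"},
    {"_time": "2024-12-01T09:55:00", "EventCode": 4624, "user": "carol", "src_ip": "10.0.0.9"},
    {"_time": "2024-12-01T10:00:00", "EventCode": 4625, "user": "dave", "src_ip": "10.0.0.11"},
    {"_time": "2024-12-01T10:02:00", "EventCode": 4625, "user": "dave", "src_ip": "10.0.0.11"},
    {"_time": "2024-12-01T10:03:00", "EventCode": 4625, "user": "dave", "src_ip": "10.0.0.11"},
    {"_time": "2024-12-01T10:04:00", "EventCode": 4624, "user": "dave", "src_ip": "10.0.0.11"},
]
# six failures for one account from one address, never a success: trips the count threshold
SAMPLE_EVENTS += [
    {"_time": f"2024-12-01T11:0{i}:00", "EventCode": 4625, "user": "admin", "src_ip": "10.0.0.99"}
    for i in range(6)
]


def _t(ev):
    return datetime.fromisoformat(ev["_time"])


def failed_login_counts(events, threshold=5):
    """Equivalent of: stats count by src_ip, user | where count > threshold | sort -count"""
    counts = {}
    for ev in events:
        if ev["EventCode"] == 4625:
            key = (ev["src_ip"], ev["user"])
            counts[key] = counts.get(key, 0) + 1
    rows = [{"src_ip": s, "user": u, "count": c} for (s, u), c in counts.items() if c > threshold]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def failed_then_success(events, maxspan_minutes=10):
    """Equivalent of: transaction user maxspan=<N>m startswith=4625 endswith=4624

    Per user, a transaction opens on the first 4625 and closes on the next 4624
    that arrives within maxspan of that first failure. A 4624 arriving later than
    maxspan, or with no open transaction, produces nothing.
    """
    maxspan = timedelta(minutes=maxspan_minutes)
    by_user = {}
    for ev in sorted(events, key=_t):          # transaction needs events in time order
        by_user.setdefault(ev["user"], []).append(ev)

    hits = []
    for user, evs in by_user.items():
        open_txn = None                         # events since the first unresolved failure
        for ev in evs:
            if ev["EventCode"] == 4625:
                if open_txn is not None and _t(ev) - _t(open_txn[0]) <= maxspan:
                    open_txn.append(ev)
                else:
                    open_txn = [ev]             # no transaction yet, or the old one has expired
            elif ev["EventCode"] == 4624:
                if open_txn is not None and _t(ev) - _t(open_txn[0]) <= maxspan:
                    hits.append({"user": user, "src_ip": ev["src_ip"],
                                 "failures": len(open_txn), "eventcount": len(open_txn) + 1,
                                 "first_failure": open_txn[0]["_time"], "success": ev["_time"]})
                open_txn = None                 # a success closes (or discards) the transaction
    return hits


if __name__ == "__main__":
    for row in failed_login_counts(SAMPLE_EVENTS):
        print("threshold hit:", row)
    for hit in failed_then_success(SAMPLE_EVENTS):
        print("failures then success:", hit)
```

Running the block reports the admin account (six failures from one address) under the count rule, and alice and dave under the correlation rule; bob has no prior failure and carol's success falls outside the 10-minute span, so neither is reported. The counting rule is stateless, which is why it is cheap in Splunk; the correlation rule has to keep per-user state in time order, which is the cost the transaction command pays.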
PowerShell Encoded Commands
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational"
| regex ScriptBlockText="(?i)encodedcommand|frombase64"
| table _time, ComputerName, UserName, ScriptBlockText
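The regex command above is a substring hunt over ScriptBlockText; what an analyst wants next is the decoded command so the alert can be triaged. The following is an added Python example, not code from the original page, that runs the page's pattern over a constructed set of PowerShell script block records, extracts the base64 argument that follows -EncodedCommand, and decodes it (powershell.exe expects the argument as base64 of UTF-16LE text). It also extends the page's pattern with the short -enc switch alias that powershell.exe accepts, which the page's regex alone would miss. The host names, user names and script text are constructed assumptions.

```python
import base64
import re

# The page's pattern (case-insensitive), extended with the short `-enc` switch
# alias that powershell.exe also accepts for -EncodedCommand.
SUSPICIOUS = re.compile(r"(?i)encodedcommand|frombase64|-enc\b")
# Captures the base64 argument that follows -EncodedCommand or -enc.
ENCODED_ARG = re.compile(r"(?i)-enc\w*\s+([A-Za-z0-9+/=]+)")


def encode_ps(cmd: str) -> str:
    """Build a sample encoded argument the way powershell.exe expects it (base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


def decode_ps(token: str):
    """Decode an -EncodedCommand argument back to text; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample of script block records, already parsed into the fields
# the SPL above tables. Not real log data.
SAMPLE_4104 = [
    {"_time": "2024-12-01T12:00:00", "ComputerName": "WS01", "UserName": "CORP\\alice",
     "ScriptBlockText": "powershell.exe -NoProfile -EncodedCommand " + encode_ps("Write-Host 'hello from script'")},
    {"_time": "2024-12-01T12:01:00", "ComputerName": "WS02", "UserName": "CORP\\bob",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"_time": "2024-12-01T12:02:00", "ComputerName": "WS03", "UserName": "CORP\\carol",
     "ScriptBlockText": "$bytes = [Convert]::FromBase64String($payload)"},
    {"_time": "2024-12-01T12:03:00", "ComputerName": "WS04", "UserName": "CORP\\dave",
     "ScriptBlockText": "powershell -enc " + encode_ps("Get-Date")},
]


def find_encoded_powershell(events):
    """Equivalent of the regex + table stages, plus a decoded column for triage."""
    hits = []
    for ev in events:
        text = ev["ScriptBlockText"]
        if not SUSPICIOUS.search(text):
            continue
        m = ENCODED_ARG.search(text)
        hits.append({
            "_time": ev["_time"],
            "ComputerName": ev["ComputerName"],
            "UserName": ev["UserName"],
            "ScriptBlockText": text,
            # FromBase64String matches the pattern but carries no argument to decode
            "decoded": decode_ps(m.group(1)) if m else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_encoded_powershell(SAMPLE_4104):
        print(hit["ComputerName"], hit["UserName"], "->", hit["decoded"])
```

Three of the four constructed records match: the explicit -EncodedCommand and the -enc alias decode to their plaintext, while the FromBase64String call matches the pattern but has nothing to decode, so its decoded column is empty. Keeping the decoded text beside the raw ScriptBlockText is what lets a reviewer dismiss benign encoded invocations quickly instead of decoding each one by hand.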
Building Dashboards
<dashboard>
<label>Security Overview</label>
<row>
<panel>
<title>Failed Logins (24h)</title>
<single>
<search>
<query>index=windows EventCode=4625 | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</single>
</panel>
</row>
</dashboard>
SPL Tips
- Use stats for aggregation, table for output
- transaction groups related events
- rex for regex field extraction
- Always filter early to improve performance
December 2024