🛡️ Enterprise Security Reference • Splunk • Active Directory • DUO

Splunk Tier 2 / Tier 3 SOC Cheat Sheet

A polished, high-density SPL reference for experienced SOC analysts working in Windows Active Directory environments. This page prioritizes fast pivots, reusable detections, incident triage speed, and practical query patterns that map to real security operations workflows.

57 CommandsCopy-ready SPL examples
11 DomainsAD, DUO, network, Wi-Fi, health
Advanced AudienceTier 2 / Tier 3 SOC analysts
Live FilterSearch by keyword, event ID, or use case
57 visible commands

Overview

This cheat sheet is designed for analysts who already understand base Windows eventing and Splunk search behavior, and need a premium reference page for recurring SOC tasks. The examples assume Windows Security logs, domain controller visibility, endpoint telemetry, DUO authentication data, and infrastructure logs are already normalized into Splunk.

Primary Focus

Account lockouts, authentication failures, AD object changes, privileged activity, process execution, lateral movement, network operations, and SPL operator examples relevant to enterprise triage.

Why This Format Works

Every entry is intentionally short: title, full SPL query, and one-line analyst guidance. This keeps the page usable during active investigations, bridge calls, and escalations.

Important Assumption

Field names vary by TA, data model, and source onboarding. Treat these queries as solid starting patterns and adjust host, user, src, ComputerName, AuthenticationPackageName, or Duo field names to match your environment.

Requirements

Before these searches produce useful results, make sure your SOC pipeline exposes the right telemetry, retention, and field extraction coverage.

Recommended Data Sources

  • Windows Security logs from workstations, servers, and domain controllers
  • Sysmon or endpoint process telemetry for command-line visibility
  • DUO authentication and admin reporting data
  • DNS, DHCP, VPN, firewall, wireless controller, and infrastructure logs
  • Asset or identity lookup tables for owner, location, or tier enrichment

Analyst Notes

  • Prefer scoped indexes over index=* in production except during discovery or emergency triage
  • Correlate DC events with endpoint telemetry to separate user mistakes from attacker workflow
  • Use earliest/latest bounds aggressively to reduce cost and accelerate pivots
  • Pair lockout and 4625 searches with source host, LogonType, and authentication package fields

List of Commands

Use the live filter to narrow by event ID, field, or scenario. Every card below contains a copy-ready query and a one-line operational description.

Account Lockouts

6 commands

Locked-Out Account Search

index=* EventCode=4740 Username="<username>"

Searches for account lockout events by username and is the fastest first pivot for a locked user report.

Lockouts by Source Machine

index=wineventlog EventCode=4740 Username="jdoe" | stats count values(Caller_Computer_Name) as source_hosts by Username

Shows which workstation or member server is triggering repeated lockouts for a specific account.

Lockouts by Domain Controller

index=wineventlog EventCode=4740 Username="svc_sqlbackup" | stats count by ComputerName, Caller_Computer_Name

Identifies which domain controller logged the lockout and the calling host associated with the event.

Lockout Frequency Trend

index=wineventlog EventCode=4740 earliest=-24h | timechart span=30m count by Username limit=10

Trends lockouts over time so analysts can spot bursts, persistence, or after-hours spikes.

Top Locked Accounts

index=wineventlog EventCode=4740 earliest=-7d | stats count by Username | sort - count | head 15

Ranks the most frequently locked accounts and helps identify chronic service, stale, or targeted users.

Recent Lockouts Snapshot

index=wineventlog EventCode=4740 earliest=-60m | table _time Username Caller_Computer_Name ComputerName | sort - _time

Provides a fast most-recent table view for current lockout escalations and help desk bridge calls.

Authentication Failures

6 commands

Failed Login Search by User

index=wineventlog EventCode=4625 Account_Name="jdoe" earliest=-24h | table _time host Account_Name Failure_Reason Source_Network_Address Logon_Type

Pulls failed logons for a user with context fields needed to distinguish typo noise from real attack traffic.

Bad Password Attempts

index=wineventlog EventCode=4625 Status="0xC000006A" earliest=-24h | stats count by Account_Name Source_Network_Address Workstation_Name | sort - count

Targets bad-password failures to isolate repeated credential guessing or stale credential use.

Brute Force Pattern by Source

index=wineventlog EventCode=4625 earliest=-1h | stats count dc(Account_Name) as unique_users values(Account_Name) as targeted_users by Source_Network_Address | where count>20 OR unique_users>5 | sort - count

Highlights source IPs generating enough failures across one or many users to look like password spraying or brute force activity.

Failed Logins by Source IP

index=wineventlog EventCode=4625 earliest=-4h | stats count values(Account_Name) as users by Source_Network_Address | sort - count | head 20

Shows which IPs are driving the highest failed login volume over the selected period.

Disabled or Locked Account Failures

index=wineventlog EventCode=4625 (Status="0xC0000072" OR Status="0xC0000234") earliest=-24h | table _time Account_Name Status Sub_Status Source_Network_Address Workstation_Name

Surfaces sign-in attempts against disabled or already locked accounts, useful for persistence or stale service credentials.

Password Spray Window Detection

index=wineventlog EventCode=4625 earliest=-2h | bin _time span=10m | stats dc(Account_Name) as unique_users count by _time, Source_Network_Address | where unique_users>8 AND count>8 | sort - _time

Finds short windows where one source touches many usernames, a classic password spraying pattern.

User Activity in Active Directory

8 commands

Password Change Attempts

index=wineventlog (EventCode=4723 OR EventCode=4724) Target_Account="jdoe" earliest=-7d | table _time EventCode Subject_Account_Name Target_Account host

Shows self-service and administrative password change or reset events for a targeted user.

New Account Creation

index=wineventlog EventCode=4720 earliest=-7d | table _time Target_Account Subject_Account_Name ComputerName | sort - _time

Lists newly created accounts and who created them, making it useful for daily identity hygiene reviews.

Account Deletion Events

index=wineventlog EventCode=4726 earliest=-30d | table _time Target_Account Subject_Account_Name ComputerName

Identifies deleted user accounts and the administrators or systems responsible for the action.

Group Membership Changes

index=wineventlog (EventCode=4728 OR EventCode=4732) earliest=-7d | table _time Member_Name Group_Name Subject_Account_Name ComputerName | sort - _time

Tracks users added to security groups and supports privilege escalation investigations.

Logon and Logoff Trail

index=wineventlog (EventCode=4624 OR EventCode=4634) Account_Name="jdoe" earliest=-24h | table _time EventCode host Logon_Type Source_Network_Address

Builds a user session timeline showing where the user logged in and when the session ended.

Explicit Credential Use

index=wineventlog EventCode=4648 earliest=-24h | table _time Subject_Account_Name Target_Server_Name Process_Name Account_Whose_Credentials_Were_Used

Useful for spotting RunAs-style behavior, explicit credential use, or administrative pivots.

Logon Types by User

index=wineventlog EventCode=4624 Account_Name="jdoe" earliest=-7d | stats count by Logon_Type host | sort - count

Shows whether a user is authenticating interactively, remotely, via batch jobs, or through services.

Privilege Use Attempts

index=wineventlog (EventCode=4673 OR EventCode=4674) earliest=-48h | table _time host Account_Name Process_Name PrivilegeList ObjectName

Surfaces sensitive privilege use and can help explain suspicious account or process behavior around escalation.

Privilege Escalation & Suspicious Account Activity

6 commands

Admin Logins to Critical Hosts

index=wineventlog EventCode=4624 Logon_Type IN (2,10) Account_Name IN ("adm_jdoe","domainadmin01") host IN ("dc01","dc02","fileserver01") earliest=-24h

Checks where privileged accounts logged in interactively or via RDP to critical systems.

Sensitive Privileges Assigned

index=wineventlog EventCode=4672 earliest=-24h | table _time host Account_Name PrivilegeList Logon_ID | sort - _time

Shows logons where sensitive privileges were granted, a strong pivot for elevated or high-risk sessions.

New Admin Group Additions

index=wineventlog (EventCode=4728 OR EventCode=4732) (Group_Name="Domain Admins" OR Group_Name="Administrators") earliest=-30d | table _time Member_Name Group_Name Subject_Account_Name

Finds identities recently added to highly privileged groups, one of the clearest privilege escalation indicators.

Service Account Interactive Logons

index=wineventlog EventCode=4624 Logon_Type IN (2,10) Account_Name="svc_backup" earliest=-14d | table _time host Account_Name Logon_Type Source_Network_Address

Flags service accounts authenticating like humans, which often indicates misuse, password disclosure, or hands-on-keyboard activity.

Re-Enabled Privileged Accounts

index=wineventlog EventCode=4722 earliest=-30d | search Target_Account="adm_*" | table _time Target_Account Subject_Account_Name ComputerName

Shows admin-style accounts being re-enabled, which can indicate emergency access use or suspicious reactivation.

Privileged Session with Source IP

index=wineventlog (EventCode=4624 OR EventCode=4672) Account_Name="adm_jdoe" earliest=-24h | stats values(Source_Network_Address) as src values(host) as hosts values(PrivilegeList) as privileges count by Logon_ID Account_Name

Correlates privileged session identifiers to source IP and privilege assignment details for rapid escalation review.

Computer Objects

4 commands

New Computer Objects Added

index=wineventlog EventCode=4741 earliest=-30d | table _time Target_Account Subject_Account_Name ComputerName

Finds newly created computer accounts, useful during rogue asset or domain join investigations.

Computer Account Changes

index=wineventlog EventCode=4742 earliest=-14d | table _time Target_Account Subject_Account_Name ServicePrincipalNames UserAccountControl

Shows modifications to computer account attributes that may affect authentication or delegation behavior.

Computer Account Logons

index=wineventlog EventCode=4624 Account_Name="*$" earliest=-24h | stats count by Account_Name host Logon_Type | sort - count

Highlights machine account authentications and can help investigate trust, service, or lateral movement behavior.

Deleted Computer Objects

index=wineventlog EventCode=4743 earliest=-30d | table _time Target_Account Subject_Account_Name ComputerName

Useful for asset lifecycle review and identifying unauthorized removal of computer objects from the domain.

DUO Security

5 commands

DUO MFA Activity for an Account

index=duo user="jdoe" earliest=-7d | table _time user access_device.ip application result factor reason

Provides a concise authentication history for a single Duo user and is ideal for account compromise triage.

DUO Authentication Failures

index=duo result IN ("denied","fraud","timeout") earliest=-24h | stats count values(reason) as reasons by user, access_device.ip, application | sort - count

Surfaces denied, fraudulent, or timed-out MFA attempts and supports suspicious push investigation.

DUO Bypass Code Use

index=duo (result="bypass" OR reason="bypass_code") earliest=-30d | table _time user application access_device.ip result reason

Finds authentications that succeeded through bypass behavior instead of standard user-verified MFA.

DUO Enrollment Status Query

index=duo sourcetype="duo:admin" action="user_update" earliest=-30d | stats latest(status) as enrollment_status latest(email) as email by username

Summarizes latest enrollment-like status values for users from administrative telemetry when available.

DUO Geo Variance Review

index=duo user="jdoe" earliest=-48h | stats values(access_device.ip) as ips values(access_device.location.city) as cities values(access_device.location.country) as countries by user

Quickly reviews geographic spread and IP diversity for a Duo user during suspicious login assessments.

Lateral Movement

5 commands

Remote Logons by Host

index=wineventlog EventCode=4624 Logon_Type IN (3,10) earliest=-24h | stats count values(Account_Name) as users values(Source_Network_Address) as src by host Logon_Type | sort - count

Shows remote network and RDP logons hitting hosts, useful for identifying suspect lateral access.

Pass-the-Hash Indicator Search

index=wineventlog EventCode=4624 Authentication_Package="NTLM" Logon_Type IN (3,9) earliest=-24h | table _time host Account_Name Source_Network_Address Process_Name Authentication_Package

Focuses on NTLM-backed remote-style logons that can align with pass-the-hash or token abuse patterns.

Admin Share Access

index=wineventlog EventCode=5140 Share_Name IN ("\\*\\ADMIN$","\\*\\C$","\\*\\IPC$") earliest=-24h | table _time host Account_Name Share_Name Source_Address

Captures access to common administrative shares frequently used during remote execution or file staging.

Kerberos Ticket Anomalies

index=wineventlog (EventCode=4768 OR EventCode=4769) earliest=-24h | stats count values(Service_Name) as services values(Ticket_Encryption_Type) as enc by Account_Name Client_Address | sort - count

Summarizes ticket activity by user and source to spot unusual service access or encryption patterns.

Credential Use Followed by Remote Logon

index=wineventlog (EventCode=4648 OR EventCode=4624) Account_Name="adm_jdoe" earliest=-2h | transaction Account_Name maxspan=15m startswith=(EventCode=4648) endswith=(EventCode=4624) | table _time duration Account_Name host EventCode

Uses transaction to correlate explicit credential use with a later successful logon in the same short window.

Process Execution & Command-Line Investigation

5 commands

Suspicious Process Launches

index=wineventlog EventCode=4688 earliest=-24h (New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\cmd.exe" OR New_Process_Name="*\\rundll32.exe") | table _time host Creator_Process_Name New_Process_Name Process_Command_Line Account_Name

Pulls common LOLBin and shell executions with full command-line context for analyst review.

PowerShell Execution Review

index=wineventlog (EventCode=4688 OR EventCode=4104) earliest=-24h ("powershell" OR "Invoke-Expression" OR "DownloadString") | table _time host Account_Name Process_Command_Line Message

Blends process creation and script block evidence to review suspicious PowerShell behavior more efficiently.

Encoded PowerShell Commands

index=wineventlog EventCode=4688 earliest=-7d Process_Command_Line="*-enc*" OR Process_Command_Line="*-EncodedCommand*" | table _time host Account_Name Process_Command_Line

Flags PowerShell encoded command usage, which commonly appears in malicious staging and defense evasion.

Office Spawning Shells

index=wineventlog EventCode=4688 earliest=-7d Creator_Process_Name IN ("*\\WINWORD.EXE","*\\EXCEL.EXE","*\\OUTLOOK.EXE") New_Process_Name IN ("*\\cmd.exe","*\\powershell.exe","*\\wscript.exe") | table _time host Account_Name Creator_Process_Name New_Process_Name Process_Command_Line

Hunts for document-driven execution chains that often appear in phishing or macro abuse incidents.

LOLBin Execution Watchlist

index=wineventlog EventCode=4688 earliest=-7d New_Process_Name IN ("*\\certutil.exe","*\\mshta.exe","*\\regsvr32.exe","*\\bitsadmin.exe") | table _time host Account_Name New_Process_Name Process_Command_Line

Targets living-off-the-land binaries frequently abused for download, execution, or proxy behavior.

Network Issues

4 commands

DNS Failures by Host

index=dns earliest=-24h (rcode="NXDOMAIN" OR rcode="SERVFAIL") | stats count values(query) as queries by src_host, rcode | sort - count

Surfaces hosts experiencing repeated DNS failures, which may reflect malware beaconing or resolver issues.

DHCP Error Review

index=dhcp earliest=-24h ("DECLINE" OR "NACK" OR "No free leases") | table _time dhcp_server client_ip client_hostname Message

Useful for endpoint connectivity complaints tied to DHCP declines, address conflicts, or exhausted scopes.

Connectivity Drop Events

index=network earliest=-24h (action="disconnect" OR event_type="link_down" OR message="*session terminated*") | stats count by host, src_ip, dest_ip, event_type, action | sort - count

Reviews disconnect patterns across network telemetry to support outage triage and endpoint complaints.

High Connection Volume by Host

index=network earliest=-1h | stats count dc(dest_ip) as unique_destinations by src_ip, src_host | where count>500 OR unique_destinations>100 | sort - count

Flags systems generating unusually high connection volume, useful for scans, malware spread, or noisy misconfigurations.

Wi-Fi Issues

4 commands

Wireless Association Failures

index=wifi earliest=-24h (event="association_failed" OR reason="auth_failed") | table _time client_mac username ap_name ssid reason

Pinpoints failed joins to wireless infrastructure and helps separate credential problems from RF issues.

Wi-Fi Disconnects

index=wifi earliest=-24h (event="disassociate" OR event="deauth" OR reason="client_disconnected") | stats count by username, client_mac, ap_name, ssid, reason | sort - count

Summarizes wireless disconnect reasons so analysts can identify bad coverage, aggressive roaming, or auth drops.

SSID Anomaly Review

index=wifi earliest=-7d | stats count by ssid | where count<5 | sort count

Highlights rarely seen SSIDs in the environment, useful for rogue network review or unusual site behavior.

Top Failing Wireless Clients

index=wifi earliest=-24h (event="association_failed" OR event="deauth") | stats count values(reason) as reasons by username, client_mac | sort - count | head 20

Ranks users or devices with the worst wireless experience so engineers can prioritize troubleshooting.

Log Source Health / Index Investigation

4 commands

Index Summary

index=* earliest=-24h | stats count by index | sort - count

Provides a broad ingestion snapshot and is often the first search during source health investigations.

Sourcetype Volume Counts

index=* earliest=-24h | stats count by sourcetype | sort - count | head 30

Shows which sourcetypes dominate volume and helps validate whether expected sources are still flowing.

Missing Log Sources by Last Seen

| metadata type=hosts index=wineventlog | eval age_hours=round((now()-lastTime)/3600,2) | where age_hours>4 | table host lastTime age_hours recentTime totalCount

Finds Windows log sources that appear stale or offline based on metadata instead of event scans.

Host Data Gap Check

index=wineventlog host="server123" earliest=-24h | stats count min(_time) as first_seen max(_time) as last_seen by host

Quickly confirms whether a named host has recent events and the last timeframe observed in Splunk.

SPL Operators & Functions

5 commands

stats Example

index=wineventlog EventCode=4625 earliest=-24h | stats count dc(Account_Name) as unique_users by host

Uses stats to aggregate failed logins and count distinct impacted users by host.

eval + rex Example

index=wineventlog EventCode=4688 earliest=-24h | rex field=Process_Command_Line "(?<encoded_flag>-enc|-EncodedCommand)" | eval suspicious=if(isnotnull(encoded_flag),"yes","no") | stats count by suspicious, New_Process_Name

Combines field extraction and conditional logic to classify encoded command activity in process telemetry.

transaction Example

index=wineventlog (EventCode=4625 OR EventCode=4624) Account_Name="jdoe" earliest=-2h | transaction Account_Name maxspan=5m | table _time duration eventcount Account_Name host

Groups nearby auth events into a short sequence to understand failure-then-success behavior for a user.

lookup + timechart + dedup Workflow

index=wineventlog EventCode=4624 earliest=-24h | lookup asset_lookup host OUTPUT owner business_unit | dedup host Account_Name | rename Account_Name as user | where business_unit="Finance" | timechart span=1h count by owner limit=10

Demonstrates enrichment, deduplication, rename, filtering, and trending in a single reusable SOC workflow.

fields + where Cleanup Pattern

index=wineventlog EventCode=4740 earliest=-24h | fields _time Username Caller_Computer_Name ComputerName | where like(Username,"svc_%") | rename Caller_Computer_Name as source_host, ComputerName as domain_controller

Shows a clean pattern for reducing field noise, filtering service accounts, and renaming columns for analysts.

No commands matched your filter. Try an event code like 4740, 4625, 4688, or a keyword like duo, kerberos, lockout, or lookup.

Best Practices

A strong cheat sheet matters most when the underlying analyst workflow is disciplined.

Start Narrow, Then Pivot

Use the user, host, source IP, Logon_ID, or domain controller as your first pivot. Expand only after establishing whether the activity is isolated, repeated, or spreading laterally.

Correlate Across Event Families

Lockouts without 4625 context are incomplete. Privileged sessions without 4672 or 4648 context are also incomplete. The fastest Tier 3 work usually comes from chaining multiple event types.

Normalize Your Field Names

Create macros, eventtypes, tags, and field aliases for your environment so these searches become durable runbook building blocks instead of one-off custom queries.

FAQ

Fast answers to common implementation questions analysts raise when operationalizing search content like this.

Why do some field names differ from my environment?

Splunk field names depend on your TA, source normalization, CIM mappings, and custom props/transforms. Update Account_Name, Username, Caller_Computer_Name, Source_Network_Address, or Duo fields to align with your data onboarding.

Should I keep using index=* in production?

Only when exploring unknown data or during urgent triage. In repeatable workflows, narrow to the correct indexes and sourcetypes for speed, cost control, and better search head performance.

Which commands are best for triage under pressure?

Start with 4740, 4625, 4624, 4672, 4648, and 4688. Those usually provide enough context to establish identity misuse, privileged access, or suspicious execution direction within minutes.

How should I operationalize this page?

Convert high-value searches into macros, dashboards, ES correlations, saved searches, and runbook-linked investigations. This page works best as a human-friendly front door to those standardized workflows.