Primary Focus
Account lockouts, authentication failures, AD object changes, privileged activity, process execution, lateral movement, network operations, and SPL operator examples relevant to enterprise triage.
A polished, high-density SPL reference for experienced SOC analysts working in Windows Active Directory environments. This page prioritizes fast pivots, reusable detections, incident triage speed, and practical query patterns that map to real security operations workflows.
This cheat sheet is designed for analysts who already understand base Windows eventing and Splunk search behavior, and need a premium reference page for recurring SOC tasks. The examples assume Windows Security logs, domain controller visibility, endpoint telemetry, DUO authentication data, and infrastructure logs are already normalized into Splunk.
Account lockouts, authentication failures, AD object changes, privileged activity, process execution, lateral movement, network operations, and SPL operator examples relevant to enterprise triage.
Every entry is intentionally short: title, full SPL query, and one-line analyst guidance. This keeps the page usable during active investigations, bridge calls, and escalations.
Field names vary by TA, data model, and source onboarding. Treat these queries as solid starting patterns and adjust host, user, src, ComputerName, AuthenticationPackageName, or Duo field names to match your environment.
Before these searches produce useful results, make sure your SOC pipeline exposes the right telemetry, retention, and field extraction coverage.
Use the live filter to narrow by event ID, field, or scenario. Every card below contains a copy-ready query and a one-line operational description.
index=* EventCode=4740 Username="<username>"
Searches for account lockout events by username and is the fastest first pivot for a locked user report.
index=wineventlog EventCode=4740 Username="jdoe" | stats count values(Caller_Computer_Name) as source_hosts by Username
Shows which workstation or member server is triggering repeated lockouts for a specific account.
index=wineventlog EventCode=4740 Username="svc_sqlbackup" | stats count by ComputerName, Caller_Computer_Name
Identifies which domain controller logged the lockout and the calling host associated with the event.
index=wineventlog EventCode=4740 earliest=-24h | timechart span=30m count by Username limit=10
Trends lockouts over time so analysts can spot bursts, persistence, or after-hours spikes.
index=wineventlog EventCode=4740 earliest=-7d | stats count by Username | sort - count | head 15
Ranks the most frequently locked accounts and helps identify chronic service, stale, or targeted users.
index=wineventlog EventCode=4740 earliest=-60m | table _time Username Caller_Computer_Name ComputerName | sort - _time
Provides a fast most-recent table view for current lockout escalations and help desk bridge calls.
index=wineventlog EventCode=4625 Account_Name="jdoe" earliest=-24h | table _time host Account_Name Failure_Reason Source_Network_Address Logon_Type
Pulls failed logons for a user with context fields needed to distinguish typo noise from real attack traffic.
index=wineventlog EventCode=4625 Status="0xC000006A" earliest=-24h | stats count by Account_Name Source_Network_Address Workstation_Name | sort - count
Targets bad-password failures to isolate repeated credential guessing or stale credential use.
index=wineventlog EventCode=4625 earliest=-1h | stats count dc(Account_Name) as unique_users values(Account_Name) as targeted_users by Source_Network_Address | where count>20 OR unique_users>5 | sort - count
Highlights source IPs generating enough failures across one or many users to look like password spraying or brute force activity.
index=wineventlog EventCode=4625 earliest=-4h | stats count values(Account_Name) as users by Source_Network_Address | sort - count | head 20
Shows which IPs are driving the highest failed login volume over the selected period.
index=wineventlog EventCode=4625 (Status="0xC0000072" OR Status="0xC0000234") earliest=-24h | table _time Account_Name Status Sub_Status Source_Network_Address Workstation_Name
Surfaces sign-in attempts against disabled or already locked accounts, useful for persistence or stale service credentials.
index=wineventlog EventCode=4625 earliest=-2h | bin _time span=10m | stats dc(Account_Name) as unique_users count by _time, Source_Network_Address | where unique_users>8 AND count>8 | sort - _time
Finds short windows where one source touches many usernames, a classic password spraying pattern.
index=wineventlog (EventCode=4723 OR EventCode=4724) Target_Account="jdoe" earliest=-7d | table _time EventCode Subject_Account_Name Target_Account host
Shows self-service and administrative password change or reset events for a targeted user.
index=wineventlog EventCode=4720 earliest=-7d | table _time Target_Account Subject_Account_Name ComputerName | sort - _time
Lists newly created accounts and who created them, making it useful for daily identity hygiene reviews.
index=wineventlog EventCode=4726 earliest=-30d | table _time Target_Account Subject_Account_Name ComputerName
Identifies deleted user accounts and the administrators or systems responsible for the action.
index=wineventlog (EventCode=4728 OR EventCode=4732) earliest=-7d | table _time Member_Name Group_Name Subject_Account_Name ComputerName | sort - _time
Tracks users added to security groups and supports privilege escalation investigations.
index=wineventlog (EventCode=4624 OR EventCode=4634) Account_Name="jdoe" earliest=-24h | table _time EventCode host Logon_Type Source_Network_Address
Builds a user session timeline showing where the user logged in and when the session ended.
index=wineventlog EventCode=4648 earliest=-24h | table _time Subject_Account_Name Target_Server_Name Process_Name Account_Whose_Credentials_Were_Used
Useful for spotting RunAs-style behavior, explicit credential use, or administrative pivots.
index=wineventlog EventCode=4624 Account_Name="jdoe" earliest=-7d | stats count by Logon_Type host | sort - count
Shows whether a user is authenticating interactively, remotely, via batch jobs, or through services.
index=wineventlog (EventCode=4673 OR EventCode=4674) earliest=-48h | table _time host Account_Name Process_Name PrivilegeList ObjectName
Surfaces sensitive privilege use and can help explain suspicious account or process behavior around escalation.
index=wineventlog EventCode=4624 Logon_Type IN (2,10) Account_Name IN ("adm_jdoe","domainadmin01") host IN ("dc01","dc02","fileserver01") earliest=-24h
Checks where privileged accounts logged in interactively or via RDP to critical systems.
index=wineventlog EventCode=4672 earliest=-24h | table _time host Account_Name PrivilegeList Logon_ID | sort - _time
Shows logons where sensitive privileges were granted, a strong pivot for elevated or high-risk sessions.
index=wineventlog (EventCode=4728 OR EventCode=4732) (Group_Name="Domain Admins" OR Group_Name="Administrators") earliest=-30d | table _time Member_Name Group_Name Subject_Account_Name
Finds identities recently added to highly privileged groups, one of the clearest privilege escalation indicators.
index=wineventlog EventCode=4624 Logon_Type IN (2,10) Account_Name="svc_backup" earliest=-14d | table _time host Account_Name Logon_Type Source_Network_Address
Flags service accounts authenticating like humans, which often indicates misuse, password disclosure, or hands-on-keyboard activity.
index=wineventlog EventCode=4722 earliest=-30d | search Target_Account="adm_*" | table _time Target_Account Subject_Account_Name ComputerName
Shows admin-style accounts being re-enabled, which can indicate emergency access use or suspicious reactivation.
index=wineventlog (EventCode=4624 OR EventCode=4672) Account_Name="adm_jdoe" earliest=-24h | stats values(Source_Network_Address) as src values(host) as hosts values(PrivilegeList) as privileges count by Logon_ID Account_Name
Correlates privileged session identifiers to source IP and privilege assignment details for rapid escalation review.
index=wineventlog EventCode=4741 earliest=-30d | table _time Target_Account Subject_Account_Name ComputerName
Finds newly created computer accounts, useful during rogue asset or domain join investigations.
index=wineventlog EventCode=4742 earliest=-14d | table _time Target_Account Subject_Account_Name ServicePrincipalNames UserAccountControl
Shows modifications to computer account attributes that may affect authentication or delegation behavior.
index=wineventlog EventCode=4624 Account_Name="*$" earliest=-24h | stats count by Account_Name host Logon_Type | sort - count
Highlights machine account authentications and can help investigate trust, service, or lateral movement behavior.
index=wineventlog EventCode=4743 earliest=-30d | table _time Target_Account Subject_Account_Name ComputerName
Useful for asset lifecycle review and identifying unauthorized removal of computer objects from the domain.
index=duo user="jdoe" earliest=-7d | table _time user access_device.ip application result factor reason
Provides a concise authentication history for a single Duo user and is ideal for account compromise triage.
index=duo result IN ("denied","fraud","timeout") earliest=-24h | stats count values(reason) as reasons by user, access_device.ip, application | sort - count
Surfaces denied, fraudulent, or timed-out MFA attempts and supports suspicious push investigation.
index=duo (result="bypass" OR reason="bypass_code") earliest=-30d | table _time user application access_device.ip result reason
Finds authentications that succeeded through bypass behavior instead of standard user-verified MFA.
index=duo sourcetype="duo:admin" action="user_update" earliest=-30d | stats latest(status) as enrollment_status latest(email) as email by username
Summarizes latest enrollment-like status values for users from administrative telemetry when available.
index=duo user="jdoe" earliest=-48h | stats values(access_device.ip) as ips values(access_device.location.city) as cities values(access_device.location.country) as countries by user
Quickly reviews geographic spread and IP diversity for a Duo user during suspicious login assessments.
index=wineventlog EventCode=4624 Logon_Type IN (3,10) earliest=-24h | stats count values(Account_Name) as users values(Source_Network_Address) as src by host Logon_Type | sort - count
Shows remote network and RDP logons hitting hosts, useful for identifying suspect lateral access.
index=wineventlog EventCode=4624 Authentication_Package="NTLM" Logon_Type IN (3,9) earliest=-24h | table _time host Account_Name Source_Network_Address Process_Name Authentication_Package
Focuses on NTLM-backed remote-style logons that can align with pass-the-hash or token abuse patterns.
index=wineventlog EventCode=5140 Share_Name IN ("\\*\\ADMIN$","\\*\\C$","\\*\\IPC$") earliest=-24h | table _time host Account_Name Share_Name Source_Address
Captures access to common administrative shares frequently used during remote execution or file staging.
index=wineventlog (EventCode=4768 OR EventCode=4769) earliest=-24h | stats count values(Service_Name) as services values(Ticket_Encryption_Type) as enc by Account_Name Client_Address | sort - count
Summarizes ticket activity by user and source to spot unusual service access or encryption patterns.
index=wineventlog (EventCode=4648 OR EventCode=4624) Account_Name="adm_jdoe" earliest=-2h | transaction Account_Name maxspan=15m startswith=(EventCode=4648) endswith=(EventCode=4624) | table _time duration Account_Name host EventCode
Uses transaction to correlate explicit credential use with a later successful logon in the same short window.
index=wineventlog EventCode=4688 earliest=-24h (New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\cmd.exe" OR New_Process_Name="*\\rundll32.exe") | table _time host Creator_Process_Name New_Process_Name Process_Command_Line Account_Name
Pulls common LOLBin and shell executions with full command-line context for analyst review.
index=wineventlog (EventCode=4688 OR EventCode=4104) earliest=-24h ("powershell" OR "Invoke-Expression" OR "DownloadString") | table _time host Account_Name Process_Command_Line Message
Blends process creation and script block evidence to review suspicious PowerShell behavior more efficiently.
index=wineventlog EventCode=4688 earliest=-7d Process_Command_Line="*-enc*" OR Process_Command_Line="*-EncodedCommand*" | table _time host Account_Name Process_Command_Line
Flags PowerShell encoded command usage, which commonly appears in malicious staging and defense evasion.
index=wineventlog EventCode=4688 earliest=-7d Creator_Process_Name IN ("*\\WINWORD.EXE","*\\EXCEL.EXE","*\\OUTLOOK.EXE") New_Process_Name IN ("*\\cmd.exe","*\\powershell.exe","*\\wscript.exe") | table _time host Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
Hunts for document-driven execution chains that often appear in phishing or macro abuse incidents.
index=wineventlog EventCode=4688 earliest=-7d New_Process_Name IN ("*\\certutil.exe","*\\mshta.exe","*\\regsvr32.exe","*\\bitsadmin.exe") | table _time host Account_Name New_Process_Name Process_Command_Line
Targets living-off-the-land binaries frequently abused for download, execution, or proxy behavior.
index=dns earliest=-24h (rcode="NXDOMAIN" OR rcode="SERVFAIL") | stats count values(query) as queries by src_host, rcode | sort - count
Surfaces hosts experiencing repeated DNS failures, which may reflect malware beaconing or resolver issues.
index=dhcp earliest=-24h ("DECLINE" OR "NACK" OR "No free leases") | table _time dhcp_server client_ip client_hostname Message
Useful for endpoint connectivity complaints tied to DHCP declines, address conflicts, or exhausted scopes.
index=network earliest=-24h (action="disconnect" OR event_type="link_down" OR message="*session terminated*") | stats count by host, src_ip, dest_ip, event_type, action | sort - count
Reviews disconnect patterns across network telemetry to support outage triage and endpoint complaints.
index=network earliest=-1h | stats count dc(dest_ip) as unique_destinations by src_ip, src_host | where count>500 OR unique_destinations>100 | sort - count
Flags systems generating unusually high connection volume, useful for scans, malware spread, or noisy misconfigurations.
index=wifi earliest=-24h (event="association_failed" OR reason="auth_failed") | table _time client_mac username ap_name ssid reason
Pinpoints failed joins to wireless infrastructure and helps separate credential problems from RF issues.
index=wifi earliest=-24h (event="disassociate" OR event="deauth" OR reason="client_disconnected") | stats count by username, client_mac, ap_name, ssid, reason | sort - count
Summarizes wireless disconnect reasons so analysts can identify bad coverage, aggressive roaming, or auth drops.
index=wifi earliest=-7d | stats count by ssid | where count<5 | sort count
Highlights rarely seen SSIDs in the environment, useful for rogue network review or unusual site behavior.
index=wifi earliest=-24h (event="association_failed" OR event="deauth") | stats count values(reason) as reasons by username, client_mac | sort - count | head 20
Ranks users or devices with the worst wireless experience so engineers can prioritize troubleshooting.
index=* earliest=-24h | stats count by index | sort - count
Provides a broad ingestion snapshot and is often the first search during source health investigations.
index=* earliest=-24h | stats count by sourcetype | sort - count | head 30
Shows which sourcetypes dominate volume and helps validate whether expected sources are still flowing.
| metadata type=hosts index=wineventlog | eval age_hours=round((now()-lastTime)/3600,2) | where age_hours>4 | table host lastTime age_hours recentTime totalCount
Finds Windows log sources that appear stale or offline based on metadata instead of event scans.
index=wineventlog host="server123" earliest=-24h | stats count min(_time) as first_seen max(_time) as last_seen by host
Quickly confirms whether a named host has recent events and the last timeframe observed in Splunk.
index=wineventlog EventCode=4625 earliest=-24h | stats count dc(Account_Name) as unique_users by host
Uses stats to aggregate failed logins and count distinct impacted users by host.
index=wineventlog EventCode=4688 earliest=-24h | rex field=Process_Command_Line "(?<encoded_flag>-enc|-EncodedCommand)" | eval suspicious=if(isnotnull(encoded_flag),"yes","no") | stats count by suspicious, New_Process_Name
Combines field extraction and conditional logic to classify encoded command activity in process telemetry.
index=wineventlog (EventCode=4625 OR EventCode=4624) Account_Name="jdoe" earliest=-2h | transaction Account_Name maxspan=5m | table _time duration eventcount Account_Name host
Groups nearby auth events into a short sequence to understand failure-then-success behavior for a user.
index=wineventlog EventCode=4624 earliest=-24h | lookup asset_lookup host OUTPUT owner business_unit | dedup host Account_Name | rename Account_Name as user | where business_unit="Finance" | timechart span=1h count by owner limit=10
Demonstrates enrichment, deduplication, rename, filtering, and trending in a single reusable SOC workflow.
index=wineventlog EventCode=4740 earliest=-24h | fields _time Username Caller_Computer_Name ComputerName | where like(Username,"svc_%") | rename Caller_Computer_Name as source_host, ComputerName as domain_controller
Shows a clean pattern for reducing field noise, filtering service accounts, and renaming columns for analysts.
A strong cheat sheet matters most when the underlying analyst workflow is disciplined.
Use the user, host, source IP, Logon_ID, or domain controller as your first pivot. Expand only after establishing whether the activity is isolated, repeated, or spreading laterally.
Lockouts without 4625 context are incomplete. Privileged sessions without 4672 or 4648 context are also incomplete. The fastest Tier 3 work usually comes from chaining multiple event types.
Create macros, eventtypes, tags, and field aliases for your environment so these searches become durable runbook building blocks instead of one-off custom queries.
Official and high-value references that pair well with the searches above.
Specific documentation pages that map directly to the detections and event IDs used in this cheat sheet.
Fast answers to common implementation questions analysts raise when operationalizing search content like this.
Splunk field names depend on your TA, source normalization, CIM mappings, and custom props/transforms. Update Account_Name, Username, Caller_Computer_Name, Source_Network_Address, or Duo fields to align with your data onboarding.
Only when exploring unknown data or during urgent triage. In repeatable workflows, narrow to the correct indexes and sourcetypes for speed, cost control, and better search head performance.
Start with 4740, 4625, 4624, 4672, 4648, and 4688. Those usually provide enough context to establish identity misuse, privileged access, or suspicious execution direction within minutes.
Convert high-value searches into macros, dashboards, ES correlations, saved searches, and runbook-linked investigations. This page works best as a human-friendly front door to those standardized workflows.