Anthropic-Cybersecurity-Skills/skills/analyzing-windows-event-logs-in-splunk/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00
# API Reference: Analyzing Windows Event Logs in Splunk
## splunk-sdk Connection
```python
import splunklib.client as client
service = client.connect(host="splunk", port=8089, username="admin", password="pass")
```
## Key Windows Security Event IDs
| EventCode | Description | ATT&CK Technique |
|-----------|-------------|-------------------|
| 4624 | Successful logon | T1078 |
| 4625 | Failed logon | T1110 |
| 4648 | Explicit credential logon | T1078 |
| 4672 | Special privileges assigned | T1134 |
| 4688 | New process created | T1059 |
| 4698 | Scheduled task created | T1053.005 |
| 4720 | User account created | T1136.001 |
| 4732 | Member added to security group | T1098 |
| 4768 | Kerberos TGT requested | T1558 |
| 4769 | Kerberos service ticket | T1558.003 |
## Key Sysmon Event IDs
| EventCode | Description |
|-----------|-------------|
| 1 | Process creation (full command line, hashes) |
| 3 | Network connection |
| 7 | Image loaded (DLL) |
| 10 | Process access (LSASS credential dumping) |
| 11 | File creation |
| 13 | Registry value set |
| 22 | DNS query |
## Logon Types
| Type | Description | Context |
|------|-------------|---------|
| 2 | Interactive | Local console logon |
| 3 | Network | SMB, WMI, PowerShell Remoting |
| 7 | Unlock | Workstation unlock |
| 9 | NewCredentials | runas /netonly |
| 10 | RemoteInteractive | RDP logon |
## SPL Detection Patterns
SPL has no `#` comment syntax, so each pattern is given as its own search. Field names (`src_ip`, `ServiceName`, `Ticket_Encryption_Type`, `ObjectType`, `Properties`) are those produced by the Splunk Add-on for Microsoft Windows; adjust them if your index carries the raw field names instead.

Brute force (T1110): many failed logons from one source.
```spl
index=wineventlog EventCode=4625 | stats count by src_ip | where count > 20
```

Kerberoasting (T1558.003): RC4-encrypted (0x17) service-ticket requests, excluding the krbtgt service.
```spl
index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17
| where ServiceName != "krbtgt"
```

DCSync (T1003.006): directory-replication access on the domain object. Note that `where` compares strings exactly and does not expand `*`, so the wildcard filter belongs in `search` (or `where like(...)`). If the add-on does not resolve access-right names, `Properties` holds the raw control-access GUIDs instead: `{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}` (DS-Replication-Get-Changes) and `{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}` (DS-Replication-Get-Changes-All).
```spl
index=wineventlog EventCode=4662
| search ObjectType="*domainDNS*" Properties="*Replicating Directory Changes*"
```
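The three SPL patterns above, re-implemented in Python over constructed sample events so the logic can be checked offline, plus a helper that runs a pattern against a live instance through splunk-sdk. This is an added example, not code from the skill folder; the event dicts are constructed and the `run_spl` helper assumes splunk-sdk is installed and that `service` is the `client.connect()` handle from the connection section.

```python
from collections import Counter

# Constructed sample events using the add-on field names from the tables
# above; these are not real log data.
SAMPLE_EVENTS = (
    [{"EventCode": "4625", "src_ip": "10.0.0.5"}] * 25   # one noisy source
    + [{"EventCode": "4625", "src_ip": "10.0.0.9"}] * 3  # below threshold
    + [
        {"EventCode": "4769", "ServiceName": "svc_sql", "Ticket_Encryption_Type": "0x17"},
        {"EventCode": "4769", "ServiceName": "krbtgt", "Ticket_Encryption_Type": "0x17"},
        {"EventCode": "4769", "ServiceName": "WS01$", "Ticket_Encryption_Type": "0x17"},
        {"EventCode": "4769", "ServiceName": "svc_web", "Ticket_Encryption_Type": "0x12"},
        {"EventCode": "4662", "ObjectType": "domainDNS",
         "Properties": "Control Access Replicating Directory Changes All"},
        {"EventCode": "4662", "ObjectType": "user", "Properties": "Write Property"},
    ]
)

def brute_force(events, threshold=20):
    """EventCode=4625 | stats count by src_ip | where count > threshold"""
    counts = Counter(e["src_ip"] for e in events if e.get("EventCode") == "4625")
    return {ip: n for ip, n in counts.items() if n > threshold}

def kerberoasting(events):
    """EventCode=4769 Ticket_Encryption_Type=0x17 | where ServiceName != "krbtgt"
    Computer accounts (names ending in $) are dropped as well to cut noise."""
    return [e["ServiceName"] for e in events
            if e.get("EventCode") == "4769"
            and e.get("Ticket_Encryption_Type", "").lower() == "0x17"
            and e.get("ServiceName") != "krbtgt"
            and not e["ServiceName"].endswith("$")]

def dcsync(events):
    """EventCode=4662 | search ObjectType="*domainDNS*" Properties="*Replicating Directory Changes*" """
    return [e for e in events if e.get("EventCode") == "4662"
            and "domainDNS" in e.get("ObjectType", "")
            and "Replicating Directory Changes" in e.get("Properties", "")]

def run_spl(service, spl, earliest="-24h"):
    """Run one SPL pattern on a live Splunk via splunk-sdk (assumed installed);
    `service` is the client.connect() handle shown in the connection section."""
    import splunklib.results as results
    stream = service.jobs.oneshot("search " + spl, earliest_time=earliest, output_mode="json")
    return [r for r in results.JSONResultsReader(stream) if isinstance(r, dict)]
```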
### References
- splunk-sdk: https://pypi.org/project/splunk-sdk/
- Splunk CIM: https://docs.splunk.com/Documentation/CIM/latest/User/Overview
- Windows Security Log Encyclopedia: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/