topic Re: How to search for logon/logoff activity of domain admins in Splunk Enterprise

How to search for logon/logoff activity of domain admins

dhrechkosy — Fri, 10 Feb 2017 16:26:31 GMT

Trying to figure out how to search for all logon/logoff attempts by any users in the "Domain Admins" group in active directory. I am currently using Splunk Light 6.5.2 and forwarding the security log events from one single domain controller to Splunk.

What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for all logon and logoff activity and then filter it to the specific users I'm looking for?

There are 3 staff in the domain admins group as well as the built in domain-administrator account. Management wants me to find a way to track logs for every logon/logoff for these four accounts.

Any suggestions will be helpful as I'm still quite new to this software.

Re: How to search for logon/logoff activity of domain admins

nickhills — Sat, 11 Feb 2017 09:41:07 GMT

You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.

tag=authentication tag=login [search inputlookup admin_users.csv]

(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)

Re: How to search for logon/logoff activity of domain admins

starcher — Sat, 11 Feb 2017 12:24:20 GMT

This is the easiest being new. Longer term you could make a lookup table inspired by the Enterprise Security app format for identities.
http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

Then apply it as an auto lookup on the sourcetype of those logs.
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Knowledge/Makeyourlookupautomatic

Re: How to search for logon/logoff activity of domain admins

dhrechkosy — Mon, 13 Feb 2017 14:55:12 GMT

Perfect I will try this suggestion. Do you know where the admin_users.csv file will need to be placed in order for splunk to recognize it when I run this sub search?

Re: How to search for logon/logoff activity of domain admins

starcher — Mon, 13 Feb 2017 14:57:19 GMT

https://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/AddlookupfilestoSplunk

Re: How to search for logon/logoff activity of domain admins

dhrechkosy — Mon, 13 Feb 2017 15:08:32 GMT

Thank you!

Re: How to search for logon/logoff activity of domain admins

dhrechkosy — Mon, 13 Feb 2017 15:38:05 GMT

Just a few more questions/clarifications needed:

For the two tags you mentioned "authentication" and "login" what field should those correspond to?

I set authentication to EventCode=4634 and EventCode=4672, not sure if thats right and not certain what login should be set as.

For the admin_users.csv file what is the format it should be in? Currently I just had an empty csv file with:

Username
Username
Username

Should there be any special formatting inside the .csv file to list the domain admin names properly?

Re: How to search for logon/logoff activity of domain admins

nickhills — Mon, 13 Feb 2017 16:45:56 GMT

your CSV will need to contain a header row, and you may find it useful to drop some friendly names in too.

username, firstname, surname
bob.jones, bob, jones
user662237, mike, smith

etc.

Re: How to search for logon/logoff activity of domain admins

dhrechkosy — Mon, 13 Feb 2017 16:52:22 GMT

Hi Nick,

Thanks looks like I have that all figured out now. As for the tags what field value pairs do you recommend?

authentication:

Re: How to search for logon/logoff activity of domain admins

viscarra — Wed, 18 Dec 2024 19:48:15 GMT

Hi do you mind sharing the search string/spl you used to the the AD login information?

Thank you!