topic Re: How do you separate computer login attempts from real user login attempts? in Getting Data In

How do you separate computer login attempts from real user login attempts?

mpasha — Tue, 29 Sep 2020 22:04:24 GMT

Good day,

I am trying to monitor our User Account logon activity through Splunk. As you might know, Active directory creates a huge amount of account logon events when a computer tries to access the network and does account activities as well. The only difference is that the Computer accounts have a "$" at the end of their names. this behavior will cause a lot of confusion for the teams when they are monitoring the environments for "Real" user activities.

I was thinking to create a field at indexing time "using an index time transform" to tag accounts with a $ in their names.
Here is the relevant part of the config in transforms.conf, props.conf and Fields.conf
Transforms.conf:

[AD_Computer]
REGEX = (?ms)\s+((Logon Account|Account Name):\s+\w+(\$)) \\this Regex will search for $ in the Account Name or Logon Account 
FORMAT = AD_Server::1
WRITE_META = True

Props.conf:

TRANSFORMS-ISComputer= AD_Computer

and the Fields.conf

[AD_Server]
INDEXED = true

here are the problems now:
1- The new tag "AD_Server"can not be found in the list of fields, but if I type "AD_Server=1" in the search bar, then i see some results.
2- the main purpose of this new field/tag was to be able to exclude the computer accounts from the search. However, when i add:
"AD_Server!=1" no results are returned!!

is there a way to say, if the Regex does not match a $, then the value for AD_Server is zero?

I was wondering if you have a better method to filter out these computer accounts or make the method i explained work properly.

Thanks for your help.

Re: How do you separate computer login attempts from real user login attempts?

richgalloway — Sat, 17 Nov 2018 00:24:41 GMT

What's wrong with filtering names at search time? index=wineventlog sourcetype=WinEventLog:Security NOT Account_Name="*$" | ...

Re: How do you separate computer login attempts from real user login attempts?

acharlieh — Tue, 29 Sep 2020 22:04:29 GMT

@richgalloway's very valid point aside... You should know that there are two ways of searching for a field not equal to a particular value in Splunk, and their semantics are slightly different:

AD_Server!=1 -> Means find all events that have a field named AD_Server with a value that is not equal to 1

whereas

NOT AD_Server=1 -> Means find all events that do not have a field named AD_Server with value equal to 1

It's very slight, but only the second form will find those events where the field AD_Server is not defined... the first form it will only return events that have a field named AD_Server. (which since you're only creating the field when you're assigning 1 to it, you want the second form)

You could indeed setup a second transform that would match only if the username does not contain a $... which likely would be a rather expensive regex, possibly involving backreferences... and you would have to run both the AD_Computer and the NOT AD_Computer regexes... Or you would just need to change your filter a bit, which might be the easier option.

Re: How do you separate computer login attempts from real user login attempts?

mpasha — Mon, 19 Nov 2018 16:48:22 GMT

Thanks!! that works perfectly!!