<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How can I create an alert for RDP logins without CyberArk credential check out in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-an-alert-for-RDP-logins-without-CyberArk/m-p/414031#M73233</link>
    <description>&lt;P&gt;I am looking for a way to capture events where a user did not check out credentials from CyberArk before using them to RDP. A scenario would be that someone checked out some credentials for 12 hours, used them, then used them again after 12 hours without doing another checkout.&lt;/P&gt;

&lt;P&gt;I have a search where I am using the transaction command to capture CyberArk checkout events and Windows login events and look for incomplete transactions with closed_txn=0. I have a query built, but it does not seem to be capturing the right events: the result that shows up with the two logs combined (CyberArk checkout and Windows login) doesn't have the correct information; the account name that was checked out does not match the account name used to log in via RDP.&lt;/P&gt;

&lt;P&gt;(index=wineventlog AND sourcetype="WinEventLog:Security" AND (Logon_Type=3 OR Logon_Type=10 OR Logon_Type=11) AND [inputlookup xxx.csv | fields + Account_Name ])&lt;BR /&gt;
OR (index=main AND sourcetype="cyberark:epv:cef" AND "Retrieve password" AND (cn2="(Action: Show Password)" OR cn2="(Action: Copy Password)"))&lt;BR /&gt;
| eval "Logon Behaviour"=case(Logon_Type==3,"Interactive",Logon_Type==10,"Remote Interactive",Logon_Type==11,"Cached Interactive") &lt;BR /&gt;
| eval "Windows Account"=mvindex(Account_Name,1) &lt;BR /&gt;
| transaction startswith="Retrieve password" endswith="Logon Type" keepevicted=1 keeporphans=1 &lt;BR /&gt;
| search closed_txn=0 &lt;BR /&gt;
| bucket _time span=12h &lt;BR /&gt;
| stats count by _time "Windows Account" action Workstation_Name "Logon Behaviour" &lt;BR /&gt;
| rename action as "Logon Result" Workstation_Name as "Workstation"&lt;/P&gt;

&lt;P&gt;Below are a sample checkout event and a sample RDP event. I would appreciate any help in figuring this out or a better way to accomplish something like this.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Check Out Event&lt;/STRONG&gt;&lt;BR /&gt;
Aug 16 06:50:53 XXXXXX ABC: 0|Cyber-Ark|Vault|9.80.0000|295|Retrieve password|5|act=Retrieve password suser=user1 fname=fname1 dvc=dvc1 shost=192..x.x.x dhost=dhost1 &lt;STRONG&gt;duser=duser1&lt;/STRONG&gt; externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=EA_VSA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5=192.168.122.30 cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=(Action: Copy Password)Troubeshooting  msg=(Action: Copy Password)Troubeshooting&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;RDP event&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;LogName=Security&lt;BR /&gt;
SourceName=Microsoft Windows security auditing.&lt;BR /&gt;
EventCode=4625&lt;BR /&gt;
EventType=0&lt;BR /&gt;
Type=Information&lt;BR /&gt;
ComputerName=computername1&lt;BR /&gt;
TaskCategory=Logon&lt;BR /&gt;
OpCode=Info&lt;BR /&gt;
RecordNumber=12345678&lt;BR /&gt;
Keywords=Audit Failure&lt;BR /&gt;
Message=An account failed to log on.&lt;/P&gt;

&lt;P&gt;Subject:&lt;BR /&gt;
    Security ID:        NT AUTHORITY\SYSTEM&lt;BR /&gt;
    Account Name:       AccountName1&lt;BR /&gt;
    Account Domain:     domain1&lt;BR /&gt;
    Logon ID:       0x3E7&lt;/P&gt;

&lt;P&gt;Logon Type:         2&lt;/P&gt;

&lt;P&gt;Account For Which Logon Failed:&lt;BR /&gt;
    Security ID:        NULL SID&lt;BR /&gt;
    &lt;STRONG&gt;Account Name:     duser1&lt;/STRONG&gt;&lt;BR /&gt;
    Account Domain:     domain1&lt;/P&gt;

&lt;P&gt;Failure Information:&lt;BR /&gt;
    Failure Reason:     Unknown user name or bad password.&lt;BR /&gt;
    Status:         0xC000006D&lt;BR /&gt;
    Sub Status:     0xC000006A&lt;/P&gt;

&lt;P&gt;Process Information:&lt;BR /&gt;
    Caller Process ID:  0x5f4&lt;BR /&gt;
    Caller Process Name:    C:\Program Files\process &lt;/P&gt;

&lt;P&gt;Network Information:&lt;BR /&gt;
    Workstation Name:   workstation1&lt;BR /&gt;
    Source Network Address: -&lt;BR /&gt;
    Source Port:        -&lt;/P&gt;

&lt;P&gt;Detailed Authentication Information:&lt;BR /&gt;
    Logon Process:      Advapi&lt;BR /&gt;&lt;BR /&gt;
    Authentication Package: Negotiate&lt;BR /&gt;
    Transited Services: -&lt;BR /&gt;
    Package Name (NTLM only):   -&lt;BR /&gt;
    Key Length:     0&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 20:56:44 GMT</pubDate>
    <dc:creator>akhan92394</dc:creator>
    <dc:date>2020-09-29T20:56:44Z</dc:date>
    <item>
      <title>How can I create an alert for RDP logins without CyberArk credential check out</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-an-alert-for-RDP-logins-without-CyberArk/m-p/414031#M73233</link>
      <description>&lt;P&gt;I am looking for a way to capture events where a user did not check out credentials from CyberArk before using them to RDP. A scenario would be that someone checked out some credentials for 12 hours, used them, then used them again after 12 hours without doing another checkout.&lt;/P&gt;

&lt;P&gt;I have a search where I am using the transaction command to capture CyberArk checkout events and Windows login events and look for incomplete transactions with closed_txn=0. I have a query built, but it does not seem to be capturing the right events: the result that shows up with the two logs combined (CyberArk checkout and Windows login) doesn't have the correct information; the account name that was checked out does not match the account name used to log in via RDP.&lt;/P&gt;

&lt;P&gt;(index=wineventlog AND sourcetype="WinEventLog:Security" AND (Logon_Type=3 OR Logon_Type=10 OR Logon_Type=11) AND [inputlookup xxx.csv | fields + Account_Name ])&lt;BR /&gt;
OR (index=main AND sourcetype="cyberark:epv:cef" AND "Retrieve password" AND (cn2="(Action: Show Password)" OR cn2="(Action: Copy Password)"))&lt;BR /&gt;
| eval "Logon Behaviour"=case(Logon_Type==3,"Interactive",Logon_Type==10,"Remote Interactive",Logon_Type==11,"Cached Interactive") &lt;BR /&gt;
| eval "Windows Account"=mvindex(Account_Name,1) &lt;BR /&gt;
| transaction startswith="Retrieve password" endswith="Logon Type" keepevicted=1 keeporphans=1 &lt;BR /&gt;
| search closed_txn=0 &lt;BR /&gt;
| bucket _time span=12h &lt;BR /&gt;
| stats count by _time "Windows Account" action Workstation_Name "Logon Behaviour" &lt;BR /&gt;
| rename action as "Logon Result" Workstation_Name as "Workstation"&lt;/P&gt;

&lt;P&gt;Below are a sample checkout event and a sample RDP event. I would appreciate any help in figuring this out or a better way to accomplish something like this.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Check Out Event&lt;/STRONG&gt;&lt;BR /&gt;
Aug 16 06:50:53 XXXXXX ABC: 0|Cyber-Ark|Vault|9.80.0000|295|Retrieve password|5|act=Retrieve password suser=user1 fname=fname1 dvc=dvc1 shost=192..x.x.x dhost=dhost1 &lt;STRONG&gt;duser=duser1&lt;/STRONG&gt; externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=EA_VSA cs3Label="Device Type" cs3=Operating System cs4Label="Database" cs4= cs5Label="Other info" cs5=192.168.122.30 cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2=(Action: Copy Password)Troubeshooting  msg=(Action: Copy Password)Troubeshooting&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;RDP event&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;LogName=Security&lt;BR /&gt;
SourceName=Microsoft Windows security auditing.&lt;BR /&gt;
EventCode=4625&lt;BR /&gt;
EventType=0&lt;BR /&gt;
Type=Information&lt;BR /&gt;
ComputerName=computername1&lt;BR /&gt;
TaskCategory=Logon&lt;BR /&gt;
OpCode=Info&lt;BR /&gt;
RecordNumber=12345678&lt;BR /&gt;
Keywords=Audit Failure&lt;BR /&gt;
Message=An account failed to log on.&lt;/P&gt;

&lt;P&gt;Subject:&lt;BR /&gt;
    Security ID:        NT AUTHORITY\SYSTEM&lt;BR /&gt;
    Account Name:       AccountName1&lt;BR /&gt;
    Account Domain:     domain1&lt;BR /&gt;
    Logon ID:       0x3E7&lt;/P&gt;

&lt;P&gt;Logon Type:         2&lt;/P&gt;

&lt;P&gt;Account For Which Logon Failed:&lt;BR /&gt;
    Security ID:        NULL SID&lt;BR /&gt;
    &lt;STRONG&gt;Account Name:     duser1&lt;/STRONG&gt;&lt;BR /&gt;
    Account Domain:     domain1&lt;/P&gt;

&lt;P&gt;Failure Information:&lt;BR /&gt;
    Failure Reason:     Unknown user name or bad password.&lt;BR /&gt;
    Status:         0xC000006D&lt;BR /&gt;
    Sub Status:     0xC000006A&lt;/P&gt;

&lt;P&gt;Process Information:&lt;BR /&gt;
    Caller Process ID:  0x5f4&lt;BR /&gt;
    Caller Process Name:    C:\Program Files\process &lt;/P&gt;

&lt;P&gt;Network Information:&lt;BR /&gt;
    Workstation Name:   workstation1&lt;BR /&gt;
    Source Network Address: -&lt;BR /&gt;
    Source Port:        -&lt;/P&gt;

&lt;P&gt;Detailed Authentication Information:&lt;BR /&gt;
    Logon Process:      Advapi&lt;BR /&gt;&lt;BR /&gt;
    Authentication Package: Negotiate&lt;BR /&gt;
    Transited Services: -&lt;BR /&gt;
    Package Name (NTLM only):   -&lt;BR /&gt;
    Key Length:     0&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 20:56:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-an-alert-for-RDP-logins-without-CyberArk/m-p/414031#M73233</guid>
      <dc:creator>akhan92394</dc:creator>
      <dc:date>2020-09-29T20:56:44Z</dc:date>
    </item>
    <item>
      <title>Re: How can I create an alert for RDP logins without CyberArk credential check out</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-an-alert-for-RDP-logins-without-CyberArk/m-p/414032#M73234</link>
      <description>&lt;P&gt;@akhan92394,&lt;/P&gt;

&lt;P&gt;Does this general logic work for you?&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;latest(_time) of events from the two sources (Windows, CyberArk) by username&lt;/LI&gt;
&lt;LI&gt;Calculate the difference between the two times; if the difference is &amp;gt; 12 hrs, the user hasn't retrieved the password.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Sun, 26 Aug 2018 03:49:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-an-alert-for-RDP-logins-without-CyberArk/m-p/414032#M73234</guid>
      <dc:creator>renjith_nair</dc:creator>
      <dc:date>2018-08-26T03:49:52Z</dc:date>
    </item>
  </channel>
</rss>