<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Whitelist bad logon in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485517#M83117</link>
    <pubDate>Mon, 20 Jan 2020 23:46:42 GMT</pubDate>
    <dc:creator>sswigart</dc:creator>
    <dc:date>2020-01-20T23:46:42Z</dc:date>
    <item>
      <title>Whitelist bad logon</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485517#M83117</link>
      <description>&lt;P&gt;I want to whitelist events when users put the password in the logon window during login.&lt;BR /&gt;
See example below, note the *****:&lt;/P&gt;

&lt;P&gt;An account failed to log on.&lt;/P&gt;

&lt;P&gt;Subject:&lt;BR /&gt;
    Security ID:        SYSTEM&lt;BR /&gt;
    Account Name:       Computer01&lt;BR /&gt;
    Account Domain:     MyDomain&lt;BR /&gt;
    Logon ID:       0x3E7&lt;/P&gt;

&lt;P&gt;Logon Type:         7&lt;/P&gt;

&lt;P&gt;Account For Which Logon Failed:&lt;BR /&gt;
    Security ID:        NULL SID&lt;BR /&gt;
    Account Name:       User&lt;BR /&gt;
    Account Domain:     MyDomain&lt;/P&gt;

&lt;P&gt;Failure Information:&lt;BR /&gt;
    Failure Reason:     Unknown user name or bad password.&lt;BR /&gt;
    Status:         0xC000006D      **************&lt;BR /&gt;
        Sub Status:     0xC000006A&lt;/P&gt;

&lt;P&gt;Process Information:&lt;BR /&gt;
    Caller Process ID:  0x8e0D&lt;BR /&gt;
    Caller Process Name:    C:\Windows\System32\svchost.exe&lt;/P&gt;

&lt;P&gt;Network Information:&lt;BR /&gt;
    Workstation Name:   Computer01&lt;BR /&gt;
    Source Network Address: 127.0.0.1&lt;BR /&gt;
    Source Port:        0&lt;/P&gt;

&lt;P&gt;Detailed Authentication Information:&lt;BR /&gt;
    Logon Process:      User32 &lt;BR /&gt;
    Authentication Package: Negotiate&lt;BR /&gt;
    Transited Services: -&lt;BR /&gt;
    Package Name (NTLM only):   -&lt;BR /&gt;
    Key Length:     0&lt;/P&gt;

&lt;P&gt;My whitelist is as follows:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Need assistance with coding the 0xc000006d&lt;/P&gt;

&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Mon, 20 Jan 2020 23:46:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485517#M83117</guid>
      <dc:creator>sswigart</dc:creator>
      <dc:date>2020-01-20T23:46:42Z</dc:date>
    </item>
    <item>
      <title>Re: Whitelist bad logon</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485518#M83118</link>
      <description>&lt;P&gt;Hi @sswigart,&lt;BR /&gt;
sorry but I don't understand what you mean by "whitelist": do you want all the 4625 events as search results, or something else?&lt;BR /&gt;
If you want to filter events to extract logFail events (EventCode=4625), you could run something like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=wineventlog EventCode=4625
| regex Message="Status:\s+0xC000006D"
| table ...
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jan 2020 08:10:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485518#M83118</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2020-01-21T08:10:05Z</dc:date>
    </item>
    <item>
      <title>Re: Whitelist bad logon</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485519#M83119</link>
      <description>&lt;P&gt;Giuseppe,&lt;BR /&gt;
Thank you for your suggestion.&lt;BR /&gt;
I am trying to create a whitelist in the etc\system\local\inputs.conf file.&lt;BR /&gt;
Still not having any success.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2020 17:04:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485519#M83119</guid>
      <dc:creator>sswigart</dc:creator>
      <dc:date>2020-01-24T17:04:03Z</dc:date>
    </item>
    <item>
      <title>Re: Whitelist bad logon</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485520#M83120</link>
      <description>&lt;P&gt;Hi @sswigart,&lt;BR /&gt;
you can whitelist the EventCodes related to logins, but in this way you exclude all the other EventCodes; I think it's better to filter these events at search time.&lt;BR /&gt;
Anyway, at &lt;A href="http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf"&gt;http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf&lt;/A&gt; there's an example of whitelisting Windows EventCodes.&lt;/P&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2020 17:16:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Whitelist-bad-logon/m-p/485520#M83120</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2020-01-24T17:16:22Z</dc:date>
    </item>
  </channel>
</rss>

