topic Re: Tracking user logon (standard and admin account) Windows AD in Splunk Search

Tracking user logon (standard and admin account) Windows AD

araiv1998 — Tue, 02 Jul 2024 18:43:00 GMT

Hello, I am looking to create a report of a search. I have a requirement of tracking user logon to window machines (Active directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. for example, I will see people logged in at 1 am, but the logon id is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. there are about 1500 records a day of these false logons.

I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I cant seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you!

source= “wineventlog: security" EventCode=528 OR EventCode=540 OR EventCode=4624 OR

(EventCode=4776 Error_Code=0x0) NOT Account_Name=“*$” NOT Logon _Account="*$" NOT User_Name="*$'

| eval Account_Name=mvindex(Account Name, 1) | eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name) | eval User=lower (User) | table _time, User, EventCode

Re: Tracking user logon (standard and admin account) Windows AD

Stefanie — Thu, 14 Oct 2021 12:43:10 GMT

Try this search. I saved it a while back and its been useful. You may have to modify it to match exactly what account names you don't want to track.

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) | convert timeformat="%a %B %d %Y" ctime(_time) AS Date | streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host | eval session_duration=logout-login | eval h=floor(session_duration/3600) | eval m=floor((session_duration-(h*3600))/60) | eval SessionDuration=h."h ".m."m " | convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login | convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout | stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user

Re: Tracking user logon (standard and admin account) Windows AD

araiv1998 — Thu, 14 Oct 2021 12:55:38 GMT

@Stefanie Thank you very much for the reply! I am so sorry, could you possibly explain a little? On this section,

“user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)”

Are those you are saying to keep out of the search since they are system related? Or are this account you are specifically telling it to look for? I apologize for the dumb question, I am very new to Splunk.. I was told on Friday I needed to learn Splunk asap with zero knowledge hahaha. So I am still very much learning. I am just curious, as I remember if this is something we do not want searched, we put "NOT" in front correct?

Re: Tracking user logon (standard and admin account) Windows AD

Stefanie — Thu, 14 Oct 2021 13:00:37 GMT

No worries. Those are items I am telling it to NOT look for.

the "!" in front of the "=" means "NOT" 🙂

So in your case... Account_Name!="*$" is the same as you saying "NOT Account_Name="*$""

Re: Tracking user logon (standard and admin account) Windows AD

araiv1998 — Thu, 14 Oct 2021 13:13:32 GMT

Awesome! Thank you so much! truly appreciate it.

Re: Tracking user logon (standard and admin account) Windows AD

araiv1998 — Tue, 02 Jul 2024 18:43:53 GMT

@Stefanie what would you recommend for the time? So I am looking to track between 6pm and 5am, I tried this but it did not seem to work:

"date_hour›16 date_hour ‹06"

"sourcetype-foo

| eval date_ hour=strftime(_time, "%H) | eval date_wday = strftime(_time, "%W") | search date_hour>=16 date_hour<=06 date_wday>=1 date_wday<=5"

Re: Tracking user logon (standard and admin account) Windows AD

Stefanie — Thu, 14 Oct 2021 13:27:16 GMT

Adding the search range into the search itself its not very efficient. Next to the box you type your searches in is a drop down box to select your range. You can select the timeframe there using the "Date and Timeframe" range.

Re: Tracking user logon (standard and admin account) Windows AD

araiv1998 — Thu, 14 Oct 2021 17:27:48 GMT

@Stefanie hello! I am getting an error when I paste it into search, about time error. Could you please advise? Thank you

Re: Tracking user logon (standard and admin account) Windows AD

Stefanie — Thu, 14 Oct 2021 17:42:18 GMT

Sure I messaged you.

Re: Tracking user logon (standard and admin account) Windows AD

sgtwolf1 — Tue, 02 Jul 2024 18:09:45 GMT

I was hoping to get some help, in modifying the query above. I got an Index and a source type for my windows environment. I would like to see the following:

- Authentication PackagesName = This looks to shows the type of Authentication taking place like NTLM, Kerberos, MFA, etc.... I need this to show for each user (Windows Authentication Technical Overview | Microsoft Learn)

- Logon Type = used by Windows to shows successful login and failers logs like (4624, 4625, 4648) and should have a count related to the above attribute (Windows Logon Scenarios | Microsoft Learn)

- LogonProcessName = The process name for the authentication action taking place for the user

PS. The idea here it sees what Authentication action is taking place for each user so I can say yea there are using NTLM or Kerberos to access this host or resource. Thanks again Community!!!!