topic Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name in Splunk Search

Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

ajmb — Wed, 01 Jul 2015 19:12:13 GMT

I want to start out with: EventIdentifier=4624 | AnomalousValue "Workstation Name"
...but this search returns an error. What am I doing wrong here? It's like Splunk doesn't know what the "Workstation Name" field is.

Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

woodcock — Wed, 01 Jul 2015 19:24:09 GMT

Are you sure that it is a field? If it is, this will work, if not you need to make the field exist:

EventIdentifier=4624 | anomalousvalue $Workstation Name$

Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

ajmb — Wed, 01 Jul 2015 19:44:04 GMT

Well that doesn't work so I guess it isn't a 'field'. This is annoying and confusing.

The event data has a section like this...

Network Information:
Workstation Name: TestClientPc
Source Network Address: 192.168.1.247
Source Port: 52404

So what the heck do I do here? Is this something I have to use eval() for?

Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

woodcock — Wed, 01 Jul 2015 20:44:20 GMT

Well obviously EventIdentifier is a field so some fields are being created. What do you get from this:

 EventIdentifier=4624 | stats first(*)

This will show you what fields do exist. Perhaps this field is being extracted as Name instead of Workstation Name.

Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

ajmb — Wed, 01 Jul 2015 21:18:40 GMT

It returned the field as Workstation_Name, but I've tried:

EventIdentifier=4624 | ...

AnomalousValue 'Workstation_Name'
AnomalousValue "Workstation_Name"
AnomalousValue $Workstation_Name"

every single one of these returns "Error in 'anomalousvalue' command: found no qualifying results. Please verify that the field names are correct"

Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

woodcock — Wed, 01 Jul 2015 21:29:17 GMT

Based on your clarification, this should work:

EventIdentifier=4624 | anomalousvalue Workstation_Name

Re: Search for Windows logon events for usernames matching a pattern with anomalousvalue Workstation Name

woodcock — Sat, 18 Jul 2015 04:44:36 GMT

Did this work?