Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do i get the result based on the logon type 3 with no preceding logon type 10 or 2

massumtaqi
New Member
‎05-07-2019 01:24 PM

From windows explorer, If i \ in to a server with my admin credentials, that would be log on type 3 that i want to see in my results .

How can i configure that alert in such a way that there is only type 3 logon with no preceding logon type 10 because when i RDP in to the server i get results for both logon type 3 and preceding logon type 10.

If i remove the ! from the last statement, i get results whenever i RDP into server:

| transaction maxspan=2s startswith=Logon_Type="3" endswith= (Logon_Type="10" or Logon_Type="2")

but i am looking to get results when i "\" into the server. Any help is appreciated

EventCode=4624
| rex "(?ms)Logon Type:...(?\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type!="10" OR Logon_Type!="2")

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-08-2019 10:17 AM

First of all, you don't need to do the rex if you have Splunk_TA_windows installed so do that first then try this:

index=win* AND EventCode=4624
 | streamstats count(eval(Logon_Type=="3")) AS sessionID BY Security_ID
 | stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs last(Logon_Type) AS last_Logon_Type BY sessionID Security_ID
 | where (last_Logon_Type=="10" OR last_Logon_Type=="2")
0 Karma
Reply

woodcock
Esteemed Legend
‎05-07-2019 06:35 PM

Try this:

index=win* EventCode=4624
| rex "(?ms)Logon Type:[\r\n\s]+(?<Logon_Type>\w+)" 
| rex "(?ms)New Logon:[\r\n\s]+Security ID:[\r\n\s]+(?<Login_Security_ID>\S+)"
| streamstats count(eval(Logon_Type=="3")) AS sessionID BY Login_Security_ID
| stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs BY sessionID Login_Security_ID
| where NOT (LTs IN("2", "10"))
0 Karma
Reply

massumtaqi
New Member
‎05-08-2019 06:29 AM

Thanks for your response. however, it did not work.

It shows both events:

1) when I rdp into the server (logon type 3 with preceding logon type 10)
2) when I \ into the server (logon type 3 with no preceding logon type 10)

How do i accomplish just number 2) ?

I already accomplished 1) by using this: | transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type="10" OR Logon_Type="2")

0 Karma
Reply

woodcock
Esteemed Legend
‎07-08-2019 10:22 AM

I had a typo and re-edited to fix it. You can try this one again or my new one which I think will work better for you.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...