
How do I get the result based on the logon type 3 with no preceding logon type 10 or 2?

massumtaqi
New Member

From Windows Explorer, if I \ in to a server with my admin credentials, that would be logon type 3 that I want to see in my results.

How can I configure that alert in such a way that there is only type 3 logon with no preceding logon type 10? When I RDP in to the server, I get results for both logon type 3 and preceding logon type 10.

If I remove the ! from the last statement, I get results whenever I RDP into the server:

| transaction maxspan=2s startswith=Logon_Type="3" endswith=(Logon_Type="10" OR Logon_Type="2")

but I am looking to get results when I "\" into the server. Any help is appreciated.

EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type!="10" OR Logon_Type!="2")

0 Karma

woodcock
Esteemed Legend

First of all, you don't need to do the rex if you have Splunk_TA_windows installed, so do that first, then try this:

index=win* AND EventCode=4624
 | streamstats count(eval(Logon_Type=="3")) AS sessionID BY Security_ID
 | stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs last(Logon_Type) AS last_Logon_Type BY sessionID Security_ID
 | where (last_Logon_Type=="10" OR last_Logon_Type=="2")
0 Karma

woodcock
Esteemed Legend

Try this:

index=win* EventCode=4624
| rex "(?ms)Logon Type:[\r\n\s]+(?<Logon_Type>\w+)" 
| rex "(?ms)New Logon:[\r\n\s]+Security ID:[\r\n\s]+(?<Login_Security_ID>\S+)"
| streamstats count(eval(Logon_Type=="3")) AS sessionID BY Login_Security_ID
| stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs BY sessionID Login_Security_ID
| where NOT (LTs IN("2", "10"))
0 Karma

massumtaqi
New Member

Thanks for your response. However, it did not work.

It shows both events:

1) when I RDP into the server (logon type 3 with preceding logon type 10)
2) when I \ into the server (logon type 3 with no preceding logon type 10)

How do I accomplish just number 2)?

I already accomplished 1) by using this: | transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type="10" OR Logon_Type="2")

0 Karma

woodcock
Esteemed Legend

I had a typo and re-edited to fix it. You can try this one again or my new one which I think will work better for you.

0 Karma
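
The correlation this thread is after, written out as an added Python example (not posted by anyone in the thread, and not SPL): per account, keep each type 3 logon only when no type 2 or type 10 logon follows it inside the window. The 15-second window and the "type 3 first, type 10/2 after" direction are taken from the thread's `transaction maxspan=15s startswith=Logon_Type="3"`; the account names, timestamps and function name are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events (time, account, Logon_Type); not taken from the thread.
SAMPLE_EVENTS = [
    ("2021-11-02T09:00:00", "CORP\\admin1", "3"),   # RDP: network logon first...
    ("2021-11-02T09:00:04", "CORP\\admin1", "10"),  # ...then RemoteInteractive
    ("2021-11-02T09:30:00", "CORP\\admin1", "3"),   # UNC share access, nothing follows
    ("2021-11-02T09:45:00", "CORP\\admin2", "3"),   # console logon pair
    ("2021-11-02T09:45:10", "CORP\\admin2", "2"),
    ("2021-11-02T10:00:00", "CORP\\admin2", "3"),   # type 10 arrives outside the window
    ("2021-11-02T10:00:40", "CORP\\admin2", "10"),
]

INTERACTIVE_TYPES = {"2", "10"}


def standalone_network_logons(events, window_seconds=15):
    """Return (time, account) for each type 3 logon that has no type 2/10
    logon by the same account within window_seconds after it."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for ts, account, logon_type in events:
        by_account[account].append((datetime.fromisoformat(ts), logon_type))

    hits = []
    for account, rows in by_account.items():
        rows.sort()
        interactive = [t for t, lt in rows if lt in INTERACTIVE_TYPES]
        for t, lt in rows:
            if lt != "3":
                continue
            # Paired means an interactive logon lands in [t, t + window].
            paired = any(t <= other <= t + window for other in interactive)
            if not paired:
                hits.append((t.isoformat(), account))
    return sorted(hits)


if __name__ == "__main__":
    for when, who in standalone_network_logons(SAMPLE_EVENTS):
        print(when, who)
```

The last sample pair shows the trade-off in the window size: a type 10 logon arriving 40 seconds later is not paired at 15 seconds, so that type 3 event is reported.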