Alerting

How do I get the result based on logon type 3 with no preceding logon type 10 or 2?

massumtaqi
New Member

From Windows Explorer, if I \ into a server with my admin credentials, that would be logon type 3, which I want to see in my results.

How can I configure that alert in such a way that there is only a type 3 logon with no preceding logon type 10? When I RDP into the server, I get results for both logon type 3 and a preceding logon type 10.

If I remove the ! from the last statement, I get results whenever I RDP into the server:

| transaction maxspan=2s startswith=Logon_Type="3" endswith= (Logon_Type="10" or Logon_Type="2")

but I am looking to get results when I "\" into the server. Any help is appreciated.

EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type!="10" OR Logon_Type!="2")

0 Karma

woodcock
Esteemed Legend

First of all, you don't need to do the rex if you have Splunk_TA_windows installed, so do that first, then try this:

index=win* AND EventCode=4624
 | streamstats count(eval(Logon_Type=="3")) AS sessionID BY Security_ID
 | stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs last(Logon_Type) AS last_Logon_Type BY sessionID Security_ID
 | where (last_Logon_Type=="10" OR last_Logon_Type=="2")
0 Karma

woodcock
Esteemed Legend

Try this:

index=win* EventCode=4624
| rex "(?ms)Logon Type:[\r\n\s]+(?<Logon_Type>\w+)" 
| rex "(?ms)New Logon:[\r\n\s]+Security ID:[\r\n\s]+(?<Login_Security_ID>\S+)"
| streamstats count(eval(Logon_Type=="3")) AS sessionID BY Login_Security_ID
| stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs BY sessionID Login_Security_ID
| where NOT (LTs IN("2", "10"))
0 Karma
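The correlation both answers above are reaching for, written out as a stand-alone script so it can be run and checked against known events. This is an added example, not Splunk code and not from anyone in the thread: it re-implements the two rex patterns from the answer above with Python's (?P<name>...) group syntax, the null-Logon_GUID filter from the question, and a time-window check in place of transaction/streamstats. It generalizes slightly: the window is symmetric, because with Network Level Authentication the CredSSP pre-authentication usually shows up as a type 3 logon shortly before the type 10 session logon, so checking only for an earlier type 10 would miss that pairing. The 4624 message bodies, account names, timestamps, GUID and the make_4624 helper are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Python equivalents of the rex commands in the answer above. The Security log
# body puts each field on its own tab-indented line, so (?ms) and [\r\n\s]+
# bridge the line breaks between the label and the value.
LOGON_TYPE_RE = re.compile(r"(?ms)Logon Type:[\r\n\s]+(?P<Logon_Type>\w+)")
SECURITY_ID_RE = re.compile(
    r"(?ms)New Logon:[\r\n\s]+Security ID:[\r\n\s]+(?P<Login_Security_ID>\S+)"
)
LOGON_GUID_RE = re.compile(r"(?ms)Logon GUID:[\r\n\s]+(?P<Logon_GUID>\{[0-9A-Fa-f-]+\})")
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"


def make_4624(logon_type, security_id, guid="{9a1c3d2e-0000-4000-8000-000000000001}"):
    """Build a constructed 4624 message body in the Windows layout (sample data, not a real log)."""
    account = security_id.rsplit("\\", 1)[-1]
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n\tSecurity ID:\t\tNULL SID\r\n\r\n"
        f"Logon Type:\t\t{logon_type}\r\n\r\n"
        "New Logon:\r\n"
        f"\tSecurity ID:\t\t{security_id}\r\n"
        f"\tAccount Name:\t\t{account}\r\n"
        f"\tLogon GUID:\t\t{guid}\r\n"
    )


def parse_4624(ts, message):
    """Extract the fields the search uses; returns None if the body lacks them."""
    lt = LOGON_TYPE_RE.search(message)
    sid = SECURITY_ID_RE.search(message)
    guid = LOGON_GUID_RE.search(message)
    if not (lt and sid):
        return None
    return {
        "_time": datetime.fromisoformat(ts),
        "Logon_Type": lt.group("Logon_Type"),
        "Login_Security_ID": sid.group("Login_Security_ID"),
        "Logon_GUID": guid.group("Logon_GUID") if guid else NULL_GUID,
    }


def standalone_network_logons(events, account_like=None, maxspan_seconds=15, drop_null_guid=True):
    """Type-3 logons with no type 2 or type 10 logon for the same account
    within +/- maxspan_seconds. Symmetric window: the NLA pre-auth type 3
    typically lands just before the type 10, not after it."""
    window = timedelta(seconds=maxspan_seconds)
    interactive = [e for e in events if e["Logon_Type"] in ("2", "10")]
    hits = []
    for e in events:
        if e["Logon_Type"] != "3":
            continue
        if drop_null_guid and e["Logon_GUID"] == NULL_GUID:
            continue
        if account_like and account_like not in e["Login_Security_ID"]:
            continue
        paired = any(
            i["Login_Security_ID"] == e["Login_Security_ID"]
            and abs(i["_time"] - e["_time"]) <= window
            for i in interactive
        )
        if not paired:
            hits.append(e)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE = [
    ("2024-03-01T09:00:00", make_4624(3, "CORP\\mtaqi.a")),    # NLA pre-auth for an RDP session
    ("2024-03-01T09:00:01", make_4624(10, "CORP\\mtaqi.a")),   # the RDP session logon itself
    ("2024-03-01T09:05:00", make_4624(3, "CORP\\mtaqi.a")),    # share access via \\server: the wanted case
    ("2024-03-01T09:10:00", make_4624(2, "CORP\\svc.backup")),
    ("2024-03-01T09:10:03", make_4624(3, "CORP\\svc.backup")), # console logon, then local share access
    ("2024-03-01T09:20:00", make_4624(3, "CORP\\mtaqi.a", guid=NULL_GUID)),  # NTLM: GUID is all zeros
]


def run(sample=SAMPLE, account_like="mtaqi.a", drop_null_guid=True):
    events = [parse_4624(ts, msg) for ts, msg in sample]
    return standalone_network_logons([e for e in events if e], account_like, 15, drop_null_guid)


if __name__ == "__main__":
    for hit in run():
        print(hit["_time"].isoformat(), hit["Login_Security_ID"], "type", hit["Logon_Type"])
```

Two caveats worth carrying back into the search. The null-GUID filter from the question only keeps Kerberos logons, since Logon GUID is all zeros for NTLM; if the share is reached by IP or the account authenticates with NTLM, that line hides exactly the type 3 events being hunted, which is why the example makes it optional. And `endswith=(Logon_Type!="10" OR Logon_Type!="2")` is true for every event (any value is either not 10 or not 2), so a transaction built on it can never exclude the RDP case; the streamstats grouping above with `NOT (LTs IN("2", "10"))` or a window check like this one is needed instead.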

massumtaqi
New Member

Thanks for your response. However, it did not work.

It shows both events:

1) when I RDP into the server (logon type 3 with preceding logon type 10)
2) when I \ into the server (logon type 3 with no preceding logon type 10)

How do I accomplish just number 2)?

I already accomplished 1) by using this: | transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type="10" OR Logon_Type="2")

0 Karma

woodcock
Esteemed Legend

I had a typo and re-edited to fix it. You can try this one again, or my new one, which I think will work better for you.

0 Karma