From Windows Explorer, if I \ into a server with my admin credentials, that would be logon type 3, which is what I want to see in my results.
How can I configure that alert in such a way that there is only a type 3 logon with no preceding logon type 10? When I RDP into the server I get results for both logon type 3 and the preceding logon type 10.
If I remove the ! from the last statement, I get results whenever I RDP into the server:
| transaction maxspan=2s startswith=Logon_Type="3" endswith= (Logon_Type="10" or Logon_Type="2")
but I am looking to get results when I "\" into the server. Any help is appreciated.
EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type!="10" OR Logon_Type!="2")
First of all, you don't need to do the rex if you have Splunk_TA_windows installed, so do that first, then try this:
index=win* AND EventCode=4624
| streamstats count(eval(Logon_Type=="3")) AS sessionID BY Security_ID
| stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs last(Logon_Type) AS last_Logon_Type BY sessionID Security_ID
| where (last_Logon_Type=="10" OR last_Logon_Type=="2")
Try this:
index=win* EventCode=4624
| rex "(?ms)Logon Type:[\r\n\s]+(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:[\r\n\s]+Security ID:[\r\n\s]+(?<Login_Security_ID>\S+)"
| streamstats count(eval(Logon_Type=="3")) AS sessionID BY Login_Security_ID
| stats list(*) AS * list(_time) AS time values(Logon_Type) AS LTs BY sessionID Login_Security_ID
| where NOT (LTs IN("2", "10"))
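The sessionizing logic of the search above (count type-3 logons per account as session IDs, collect the logon types per session, keep sessions with no 2 or 10), reimplemented in Python over constructed sample 4624 event text. This is an added example, not code from the thread or from Splunk; the account names, timestamps and message fragments are constructed.

```python
import re
from collections import defaultdict

# Same patterns as the thread's rex commands, applied to the 4624 message body.
LOGON_TYPE_RE = re.compile(r"Logon Type:[\r\n\s]+(?P<Logon_Type>\w+)")
SID_RE = re.compile(r"New Logon:[\r\n\s]+Security ID:[\r\n\s]+(?P<Login_Security_ID>\S+)")


def event(logon_type, sid):
    # Constructed fragment of a 4624 message in the layout the rex commands expect.
    return f"Logon Type:\t\t{logon_type}\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\t{sid}\r\n\tAccount Name:\t\tx"


USER = "ACME\\mtaqi.a"          # constructed account, mirrors the thread's filter
SAMPLE_EVENTS = [               # (epoch seconds, message), constructed
    (100, event("3", USER)),    # RDP: NLA network logon ...
    (101, event("10", USER)),   # ... followed by the RemoteInteractive logon
    (200, event("3", USER)),    # UNC share access from Explorer: type 3 only
    (300, event("3", "ACME\\svc.backup")),
    (301, event("2", "ACME\\svc.backup")),
]


def parse_4624(raw):
    """Extract (Logon_Type, Login_Security_ID) or None if either field is missing."""
    lt, sid = LOGON_TYPE_RE.search(raw), SID_RE.search(raw)
    if not lt or not sid:
        return None
    return lt.group("Logon_Type"), sid.group("Login_Security_ID")


def sessionize(events):
    """streamstats count(eval(Logon_Type=="3")) AS sessionID BY Login_Security_ID,
    then stats values(Logon_Type) list(_time) BY sessionID Login_Security_ID."""
    counters = defaultdict(int)                       # running type-3 count per account
    sessions = defaultdict(lambda: {"times": [], "LTs": set()})
    for t, raw in sorted(events):                     # walk events in time order
        parsed = parse_4624(raw)
        if parsed is None:
            continue
        lt, sid = parsed
        if lt == "3":
            counters[sid] += 1                        # a type 3 opens a new session
        key = (sid, counters[sid])
        sessions[key]["times"].append(t)
        sessions[key]["LTs"].add(lt)
    return sessions


def network_only_sessions(events, user_substring):
    """Sessions for the account that hold a type 3 but no type 2 or 10 (the share-access case)."""
    return [key for key, s in sessionize(events).items()
            if user_substring in key[0] and "3" in s["LTs"] and not s["LTs"] & {"2", "10"}]
```

Session 1 for the user holds {3, 10} (the RDP pair) and is dropped; session 2 holds only {3} and is the result you want.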
Thanks for your response. However, it did not work.
It shows both events:
1) when I RDP into the server (logon type 3 with preceding logon type 10)
2) when I \ into the server (logon type 3 with no preceding logon type 10)
How do I accomplish just number 2)?
I already accomplished 1) by using this: | transaction maxspan=15s startswith=Logon_Type="3" endswith=(Logon_Type="10" OR Logon_Type="2")
I had a typo and re-edited to fix it. You can try this one again or my new one which I think will work better for you.