Hi JasonGY,
From the site above and a bit of modification you'll get this for successful logins by users to a specific host:
source="WinEventLog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624) host=myServer
| eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon")
| stats count by status, Account_Name, host
Or all logins by a specific user to any host:
source="WinEventLog:security" host=* (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon")
| stats count by status, Account_Name, host
This is all untested, so modify it to your needs and save it as an alert.
Hope this helps ...
cheers, MuS
Mus - this is really great. The first one works very well. In the second one: I do not see where I can enter in criteria for a specific username to alert on. Please advise.
Just add the specific user name to the base search:
source="WinEventLog:security" host=* Account_Name=foo (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
cheers, MuS
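An added example, not from MuS's answer, that combines both variants into one alert-ready search: it keeps only the interactive, unlock and remote-interactive logon types, labels outcome and logon kind with a default branch so an unmapped code shows up as "Other" instead of silently disappearing, and returns one row per account, host and logon kind with first and last time, so the saved alert can trigger on "number of results > 0". Field names follow the thread; the account foo and the threshold of 3 failures are assumed placeholders.

```spl
source="WinEventLog:security" host=* Account_Name=foo
    (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
    (EventCode=528 OR EventCode=540 OR EventCode=4624
     OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531
     OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535
     OR EventCode=536 OR EventCode=537 OR EventCode=539)
| eval status=case(
      EventCode=528 OR EventCode=540 OR EventCode=4624, "Successful Logon",
      EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531
      OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535
      OR EventCode=536 OR EventCode=537 OR EventCode=539, "Failed Logon",
      true(), "Other")
| eval logon_kind=case(
      Logon_Type=2, "Interactive",
      Logon_Type=7, "Unlock",
      Logon_Type=10, "RemoteInteractive",
      true(), "Logon_Type ".Logon_Type)
| stats count(eval(status="Successful Logon")) AS succeeded,
        count(eval(status="Failed Logon")) AS failed,
        min(_time) AS first_seen, max(_time) AS last_seen
        BY Account_Name, host, logon_kind
| where succeeded > 0 OR failed >= 3
| convert ctime(first_seen) ctime(last_seen)
```

On Windows 2008 and later, 4624/4625 events carry Account_Name in both the Subject and New Logon sections, so Splunk extracts it as a multivalue field; Account_Name=foo still matches, but you may want to reduce it to the logged-on account (for example with mvindex(Account_Name, -1)) before the stats so the subject account does not create extra rows.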
That worked, thank you again!
Great, please accept the answer in this case 😉
cheers, MuS
What logs are you capturing?
Server logs, windows event security logs from AD.
This site has a pretty good collection of Splunk queries for Security logs. See if you find anything that you can use.
That site has some really great content, but still nothing specific to my question. I can't see how to alert on successful logons to a specific host or all logons for a specific account to any host.