Is it possible to make a single report for the below? If possible, could you please help me.
4625 An account failed to log on
4720 A user account was created
4722 A user account was enabled
4723 An attempt was made to change an account's password
4724 An attempt was made to reset an account's password
4725 A user account was disabled
4726 A user account was deleted
4738 A user account was changed
4727 A security-enabled global group was created
4731 A security-enabled local group was created
Thanks in advance.
A cheaper and easier solution (a quick solution) would be:
Put the above list into a CSV, e.g. winEventCodes_custom.csv,
with headers (EventID,EventIDDescription). So it looks like:
EventID,EventIDDescription
4625,"An account failed to log on"
4720,"A user account was created"
4722,"A user account was enabled"
...
Then do a lookup in your search, something like this (to get a count):
index=* sourcetype=WinEventLog:*
| lookup winEventCodes_custom.csv EventID OUTPUT EventIDDescription
| stats count by EventID,EventIDDescription
You can do any type of analysis based on the above query (like getting users, SecurityID, etc.).
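As an added example that is not part of this thread, here is a small Python model of the lookup-and-count approach above, run over a handful of constructed Windows Security events. It shows two things worth checking before trusting the report: a stray space in a CSV key (the "4722 ," in the sample above) silently breaks the exact-match lookup, and using a key field the events do not actually carry (EventID when the indexed field is EventCode, which is what the follow-up in this thread ran into) gives an empty report, because stats ... by drops every event where a by-field is null. The event values, the CSV contents and the helper names are constructed for illustration; only the field and file names follow the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample events, reduced to the fields this example needs. Windows Security
# events indexed by Splunk carry the event ID in the field EventCode, not EventID.
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625", "Account_Name": "jdoe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625", "Account_Name": "jdoe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4720", "Account_Name": "svc_backup"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4722", "Account_Name": "svc_backup"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4726", "Account_Name": "olduser"},
    {"sourcetype": "WinEventLog:System", "EventCode": "7036", "Account_Name": "-"},
]

# Constructed lookup file in the shape proposed in the answer. The trailing space in
# "4722 ," reproduces a common copy-paste defect that breaks an exact-match lookup.
LOOKUP_CSV = """EventCode,EventCodeDescription
4625,"An account failed to log on"
4720,"A user account was created"
4722 ,"A user account was enabled"
4726,"A user account was deleted"
"""


def load_lookup(csv_text, key_field, strip_keys=True):
    """Parse the lookup CSV into {key_value: row}.

    Splunk's CSV lookups match the key as an exact string, so whitespace around a
    key is a real mismatch. strip_keys=True mimics cleaning the file before upload;
    strip_keys=False shows what happens when the file is used as-is."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_field].strip() if strip_keys else row[key_field]
        table[key] = row
    return table


def lookup_and_count(events, lookup, key_field, output_field):
    """Model of:
         ... | lookup <csv> <key_field> OUTPUT <output_field>
             | stats count by <key_field>,<output_field>

    Returns {(key, description): count}. Events with no key_field, and events whose
    key has no row in the CSV, get a null by-field and are dropped, exactly as stats
    drops them in Splunk. That is why a lookup on EventID over data that only has
    EventCode comes back with no results at all."""
    counts = Counter()
    for ev in events:
        key = ev.get(key_field)
        if key is None:
            continue
        desc = lookup.get(key, {}).get(output_field)
        if desc is None:
            continue
        counts[(key, desc)] += 1
    return dict(counts)


def unmatched_codes(events, lookup, key_field):
    """Codes present in the data but absent from the CSV. These vanish from the
    report silently, so review this set when the count looks too low."""
    return {ev[key_field] for ev in events if key_field in ev and ev[key_field] not in lookup}


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV, "EventCode")
    for (code, desc), n in sorted(lookup_and_count(SAMPLE_EVENTS, table, "EventCode", "EventCodeDescription").items()):
        print(f"{code}  {desc!r}  count={n}")
    print("not in CSV:", unmatched_codes(SAMPLE_EVENTS, table, "EventCode"))
    print("wrong key field:", lookup_and_count(SAMPLE_EVENTS, table, "EventID", "EventIDDescription"))
```

Running it with strip_keys=False drops the 4722 row from the report without any error, which is the kind of quiet gap that is easy to miss in a real lookup; comparing unmatched_codes() against the CSV is a cheap sanity check after each upload.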
Thanks, it's working.
Created CSV file "winEventCodes_custom.csv":
EventCode,EventCodeDescription
4625,"An account failed to log on"
4720,"A user account was created"
index=* sourcetype=WinEventLog:*
| lookup winEventCodes_custom EventCode OUTPUT EventCodeDescription
| stats count by EventCode,EventCodeDescription
-------- This is working for me.
Thanks Koshyk for helping me.
No results found yet for the below code:
index=* sourcetype=WinEventLog:*
| lookup winEventCodes_custom EventID OUTPUT EventIDDescription
| stats count by EventID,EventIDDescription
But I am able to see the failed logs if I run the below code:
sourcetype=WinEventLog:Security EventCode=4625
| stats count by Account_Name, EventCode, Workstation_Name
| sort - count
Why am I not getting the same entries with the lookup code?
The best way to handle this is to install the Splunk_TA_windows add-on on your search heads. This should already have quite a lot of logic to extract fields and identify the user actions. I'm expecting tags like "add",
Please see the code sample from the TA:
## EventCodes 4720, 4741, 624, 645
[windows_account_created]
search = sourcetype=*:Security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
#tags = add
Then you just need to query: index=* tag=add
After you install the TA, if the fields still haven't been extracted, you need to extract the fields/eventtypes yourself.
For instance, create a TA of your own, put a line like this in eventtypes.conf, and group all your event codes into a single tag:
[windows_custom_my_eventcodes]
search = sourcetype=*:Security (EventCode=4720 OR xxxxx)
#tags = custom_tag_1
And in tags.conf, just add custom_tag_1.
And in the final report you just need to do: index=* tag=custom_tag_1
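As an added example, not taken from the Splunk_TA_windows add-on or from this thread, the Python below models how an eventtypes.conf stanza plus a tags.conf stanza turn a long OR-list of event codes into a single tag=... query. It parses the two conf fragments with the standard configparser (the eventtypes stanza is the one quoted above; the tags.conf stanzas are constructed in the [eventtype=<name>] / <tag> = enabled form that file uses), matches each constructed sample event against the sourcetype glob and the EventCode list, and counts events per tag. The parser only understands the simple "sourcetype=X (EventCode=A OR EventCode=B ...)" shape shown in the answer; it is not a general SPL evaluator.

```python
import configparser
import fnmatch
import re
from collections import Counter

# eventtypes.conf: first stanza as quoted from the TA above, second one constructed
# in the same shape to stand in for the "windows_custom_my_eventcodes" idea.
EVENTTYPES_CONF = """
## EventCodes 4720, 4741, 624, 645
[windows_account_created]
search = sourcetype=*:Security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)

[windows_custom_my_eventcodes]
search = sourcetype=*:Security (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4726)
"""

# tags.conf (constructed): the "#tags = add" comment in eventtypes.conf is documentation;
# the tag itself is bound here, as [eventtype=<stanza>] with "<tag> = enabled".
TAGS_CONF = """
[eventtype=windows_account_created]
add = enabled

[eventtype=windows_custom_my_eventcodes]
custom_tag_1 = enabled
"""

# Constructed sample events. Two different Security sourcetypes exercise the *:Security glob.
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4720"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4722"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4726"},
    {"sourcetype": "XmlWinEventLog:Security", "EventCode": "4741"},
    {"sourcetype": "WinEventLog:System", "EventCode": "7036"},
]


def _read_conf(text):
    # interpolation=None so '%' in a search string would not be treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_search(search):
    """Reduce 'sourcetype=<glob> (EventCode=A OR EventCode=B ...)' to (glob, {codes}).
    Only this simple shape is supported; anything else falls back to sourcetype '*'."""
    m = re.search(r"sourcetype=(\S+)", search)
    st_glob = m.group(1) if m else "*"
    codes = set(re.findall(r"EventCode=(\d+)", search))
    return st_glob, codes


def load_eventtypes(conf_text):
    """{eventtype_name: (sourcetype_glob, set_of_event_codes)}"""
    cp = _read_conf(conf_text)
    return {name: parse_search(cp[name]["search"]) for name in cp.sections()}


def load_tags(conf_text):
    """{eventtype_name: {tags}} from [eventtype=<name>] stanzas whose tags are 'enabled'."""
    cp = _read_conf(conf_text)
    tags = {}
    for section in cp.sections():
        field, _, value = section.partition("=")
        if field != "eventtype":
            continue
        tags[value] = {tag for tag, state in cp[section].items() if state == "enabled"}
    return tags


def classify(event, eventtypes, tags):
    """Tags an event receives: each eventtype whose search matches, mapped via tags.conf."""
    result = set()
    for name, (st_glob, codes) in eventtypes.items():
        if fnmatch.fnmatchcase(event.get("sourcetype", ""), st_glob) and event.get("EventCode") in codes:
            result |= tags.get(name, set())
    return result


def count_by_tag(events, eventtypes, tags):
    """Model of 'index=* tag=<t> | stats count' for every tag at once: {tag: count}."""
    counts = Counter()
    for ev in events:
        for tag in classify(ev, eventtypes, tags):
            counts[tag] += 1
    return dict(counts)


if __name__ == "__main__":
    ets, tg = load_eventtypes(EVENTTYPES_CONF), load_tags(TAGS_CONF)
    print(count_by_tag(SAMPLE_EVENTS, ets, tg))
```

Because an event can match several eventtypes, one event may carry more than one tag (the 4720 above lands in both "add" and "custom_tag_1"), so per-tag counts are not additive; keep that in mind when a tag-based report is compared against a raw EventCode count.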
This looks like it is beyond my knowledge of Splunk; could you please share any videos or a demo for this?