All Apps and Add-ons

Alert on Interactive logins

diegosainz
Path Finder

I am looking to run a daily report of users from a specific OU that are listed as logging in interactively (EventCode=4624 AND Logon_Type=3). Is there a way to run the subsearch to correlate that for a daily report?

Tags (2)
0 Karma

lukejadamec
Super Champion

Schedule the following search to run once a day, and send you an email with the results.

index=main sourcetype="*security*" EventCode=4624 Logon_Type=3  |eval Account_Name=mvindex(Account_Name,1)|search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON"| dedup Account_Name,ComputerName |table _time,Account_Name,ComputerName

eval Account_Name=mvindex(Account_Name,1) Takes the second Account Name field from the event Message field. Check your logs to verify it is the second Account Name you're interested in, change the 1 to a 0 if you want the first. If you want to show both, let me know.

search NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON" removes the system accounts and the NT Authority activity. Remove this if you want to show all accounts.

dedup Account_Name,ComputerName Takes the most recent pair and drops the others. Remove this if you want to show each logon event.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...