All Apps and Add-ons

Clarification on eventtypes when using the Splunk App for Windows Infrastructure

bayman
Path Finder

I have the Splunk Windows Infrastructure app installed and when I run this search below:

eventtype=msad-failed-user-logons host="*"

I get this returned below, but I'm not understanding how the search result is associated to eventtype=msad-failed-user-logons. The below shows EventType=0. What does msad-failed-user-logons mean and how come it doesn't show that in the search result?

09/19/2017 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=xxxxx.domain.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=9555000
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
Collapse
host=somehost   source=WinEventLog:Security    sourcetype=WinEventLog:Security
0 Karma
1 Solution

somesoni2
Revered Legend

The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).

To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.

View solution in original post

somesoni2
Revered Legend

The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).

To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...