All Apps and Add-ons
Highlighted

Clarification on eventtypes when using the Splunk App for Windows Infrastructure

Path Finder

I have the Splunk Windows Infrastructure app installed and when I run this search below:

eventtype=msad-failed-user-logons host="*"

I get this returned below, but I'm not understanding how the search result is associated to eventtype=msad-failed-user-logons. The below shows EventType=0. What does msad-failed-user-logons mean and how come it doesn't show that in the search result?

09/19/2017 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=xxxxx.domain.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=9555000
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
Collapse
host=somehost   source=WinEventLog:Security    sourcetype=WinEventLog:Security
0 Karma
Highlighted

Re: Clarification on eventtypes when using the Splunk App for Windows Infrastructure

SplunkTrust
SplunkTrust

The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).

To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.

View solution in original post