Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Clarification on eventtypes when using the Splunk ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the Splunk Windows Infrastructure app installed and when I run this search below:
eventtype=msad-failed-user-logons host="*"
I get this returned below, but I'm not understanding how the search result is associated to eventtype=msad-failed-user-logons. The below shows EventType=0. What does msad-failed-user-logons mean and how come it doesn't show that in the search result?
09/19/2017 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=xxxxx.domain.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=9555000
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
Collapse
host=somehost source=WinEventLog:Security sourcetype=WinEventLog:Security
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).
To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).
To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @somesoni2 what a great idea to name it same way and using upper/lower case to make them different between eventtype & EventType... 😶
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
