when diving into the data, it looks like the authentication data model is returning two events for one actual login. It looks like the event to get permission from the domain controller, is recorded and then the actual login to the computer is logged.
Is this normal, incorrect windows setup, or bad datamodel?
Thank you,
Rick
So, I know this is an older post, but I am having this problem as well. I am seeing the 4624 and then also the 4776. So, the question is should we tweak the windows TA to remove the tags for all but the 4624 events?
Hi @RickbondPNT , if my answer helped, please accept it as the answer. Otherwise please provide more information and I'll be glad to help. Thanks!!
@RickbondPNT just wondering if it worked or what other issues you might be having? Thanks!
have you checked your eventtypes ? the events should be filtered there.
May need some more information, you mentioned "get permissions", so you may be referring to Event ID 4672, which is not always logged with each logon (4624).
The events you are describing should be separate EventCodes aka EventIDs, the values of which should be in the "signature_id" field in the data model.
Assuming you have the Windows TA installed on your indexer and search head, try the search below (change index to match your Windows events) to see order of events in a more readable format.
Notice the relationship between 4672 (Special privileges assigned to new logon) versus 4624 (An account was successfully logged on)
Not all events 4624 events will be preceded by 4672.
index=* (sourcetype=WinEventLog* OR sourcetype=XmlWinEventLog*)
| lookup windows_signatures.csv signature_id as EventCode OUTPUT signature as description
| table _time user EventCode action description
If your Authentication data model is accelerated, you can run this search to view the events with Event ID.
| tstats summariesonly=t count from datamodel=Authentication by _time span=1m Authentication.user Authentication.signature_id Authentication.action sourcetype
Just remove the 'summariesonly=t' if you have not accelerated that data model.