
authentication searches return extra events

RickbondPNT
Engager

When diving into the data, it looks like the Authentication data model is returning two events for one actual login. It looks like the event to get permission from the domain controller is recorded, and then the actual login to the computer is logged.

Is this normal, incorrect windows setup, or bad datamodel?

Thank you,

Rick

dagar_ruralking
Loves-to-Learn

So, I know this is an older post, but I am having this problem as well. I am seeing the 4624 and then also the 4776. So, the question is: should we tweak the Windows TA to remove the tags for all but the 4624 events?

0 Karma

moliminous
Path Finder

Hi @RickbondPNT , if my answer helped, please accept it as the answer. Otherwise please provide more information and I'll be glad to help. Thanks!!

0 Karma

moliminous
Path Finder

@RickbondPNT just wondering if it worked or what other issues you might be having? Thanks!

0 Karma

rupesh26
Path Finder

Have you checked your eventtypes? The events should be filtered there.

0 Karma

moliminous
Path Finder

May need some more information. You mentioned "get permissions", so you may be referring to Event ID 4672, which is not always logged with each logon (4624).

The events you are describing should be separate EventCodes aka EventIDs, the values of which should be in the "signature_id" field in the data model.

Assuming you have the Windows TA installed on your indexer and search head, try the search below (change the index to match your Windows events) to see the order of events in a more readable format.

Notice the relationship between 4672 (Special privileges assigned to new logon) and 4624 (An account was successfully logged on).
Not all 4624 events will be preceded by 4672.

index=* (sourcetype=WinEventLog* OR sourcetype=XmlWinEventLog*)
| lookup windows_signatures.csv signature_id as EventCode OUTPUT signature as description
| table _time user EventCode action description

If your Authentication data model is accelerated, you can run this search to view the events with Event ID.

| tstats summariesonly=t count from datamodel=Authentication by _time span=1m Authentication.user Authentication.signature_id Authentication.action sourcetype

Just remove the 'summariesonly=t' if you have not accelerated that data model.
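Added example (editor's addition, not part of any post above): the double count described in this thread comes from 4776 (the domain controller validated the account's credentials, NTLM) and 4624 (the workstation's logon session) both being tagged into the Authentication data model. Rather than stripping tags in the Windows TA, which would also hide 4776 from searches that need it, the pair can be collapsed at search time. The first search below shows which user/dest combinations produce more than one signature_id in the same minute, which is the symptom; the second counts logons from 4624 only. The field names are the CIM Authentication fields already used in this thread; the time bucket of 1m, the index and the span in the second search are assumptions to adjust for your environment.

```spl
``` Search 1: show the double count. One user/dest pair that carries both 4624 and 4776
    in the same one-minute bucket is one physical logon counted twice. ```
| tstats summariesonly=t count
    values(Authentication.signature_id) as signature_ids
    from datamodel=Authentication
    where Authentication.action=success
    by _time span=1m Authentication.user Authentication.dest
| rename Authentication.* as *
| where mvcount(signature_ids) > 1
| table _time user dest signature_ids count

``` Search 2: count actual logons. Restricting to 4624 gives one row per logon session
    and leaves 4776 in the data model for searches that care about credential validation
    on the domain controller (for example NTLM usage or failed validations). ```
| tstats summariesonly=t count
    from datamodel=Authentication
    where Authentication.action=success Authentication.signature_id=4624
    by _time span=1h Authentication.user Authentication.dest
| rename Authentication.* as *
| sort - count
```

Drop `summariesonly=t` if the data model is not accelerated, as noted above. The triple-backtick comments are Splunk's SPL comment syntax; if your Splunk version does not support them, remove the comment lines before running. Treat the 4624-only count as a lower bound of "logon sessions", not of authentications: a Kerberos logon will not produce a 4776 at all, so filtering to 4624 is the stable choice whichever protocol the client used.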
