Help with Splunk Query to detect unusual logons to different computers


Good morning,

I am wondering what commands I can use in order to detect a user account logging into a machine that is different from the norm.

Use case:

jbloggs usually logs into Computer A,
jbloggs logs into Computer B (which has never been accessed by this account before)

Any help will be greatly appreciated

Thanks in advance.



The search depends on the data from your source. Assuming you are looking at Windows events from endpoints (the local computer), you can look at EventCode=4624 and it will give you the computer the user is logging in to and the user ID. So you could create a search something like index=yourindexname EventCode=4624 | table _time, user, WorkstationName that could get you started.

Alternatively, if you have the data in the Authentication data model, that can be used as well.

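A worked version of the "first time this user has logged on to this host" detection, added here as an example and not code from the thread or from Splunk. It replays constructed EventCode=4624 records, builds a 30-day baseline of user/host pairs, and flags any pair whose first logon falls inside the last day. The field names user, ComputerName and Logon_Type follow the Splunk Add-on for Windows naming; the logon-type filter, the sample events and the equivalent SPL in the docstring are assumptions made for the example.

```python
"""First-seen user/host logon detection over Windows 4624 events.

Added example, not from the original thread. Events are constructed for the
demo; field names follow the Splunk Add-on for Windows (user, ComputerName,
Logon_Type). Which logon types count as "a logon to a machine" is an
assumption: interactive-style types only, so file-share traffic (type 3)
does not create a new host for every server a user touches.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 2 = interactive, 7 = unlock, 10 = RDP, 11 = cached interactive (assumed set)
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}

# Constructed sample records in key=value form, one logon per line.
SAMPLE_EVENTS = [
    "_time=2024-04-01T12:00:00 EventCode=4624 Logon_Type=2 user=jbloggs ComputerName=COMPUTERB.corp.example",  # older than baseline
    "_time=2024-05-01T08:02:11 EventCode=4624 Logon_Type=2 user=jbloggs ComputerName=COMPUTERA.corp.example",
    "_time=2024-05-03T07:10:00 EventCode=4624 Logon_Type=2 user=asmith ComputerName=COMPUTERC.corp.example",
    "_time=2024-05-08T08:05:40 EventCode=4624 Logon_Type=2 user=jbloggs ComputerName=COMPUTERA.corp.example",
    "_time=2024-05-20T09:15:03 EventCode=4624 Logon_Type=10 user=jbloggs ComputerName=COMPUTERA.corp.example",
    "_time=2024-05-29T23:41:17 EventCode=4624 Logon_Type=10 user=jbloggs ComputerName=COMPUTERB.corp.example",  # new host in window
    "_time=2024-05-29T23:42:02 EventCode=4624 Logon_Type=3 user=jbloggs ComputerName=FILESRV01.corp.example",   # network logon, ignored
    "_time=2024-05-29T23:50:00 EventCode=4624 Logon_Type=2 user=COMPUTERB$ ComputerName=COMPUTERB.corp.example",  # machine account, ignored
    "_time=2024-05-30T07:10:00 EventCode=4624 Logon_Type=2 user=asmith ComputerName=COMPUTERC.corp.example",   # already in baseline
]


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict with a datetime _time."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["_time"] = datetime.fromisoformat(fields["_time"])
    return fields


def is_candidate(ev):
    """Keep only successful interactive-style logons by real user accounts."""
    user = ev.get("user", "")
    if not user or user.endswith("$"):            # COMPUTERB$ etc. are machine accounts
        return False
    if user.upper() in ("SYSTEM", "ANONYMOUS LOGON"):
        return False
    if ev.get("EventCode") != "4624":
        return False
    return ev.get("Logon_Type") in INTERACTIVE_LOGON_TYPES


def find_new_host_logons(events, baseline_days=30, detect_days=1, now=None):
    """Return one alert per (user, host) pair first seen inside the detection window.

    Equivalent SPL (assumed field names, search run over the last 30 days so
    the earlier part of the window acts as the baseline):
      index=yourindexname EventCode=4624 Logon_Type IN (2,7,10,11) NOT user="*$"
      | stats earliest(_time) AS first_seen count BY user, ComputerName
      | where first_seen >= relative_time(now(), "-1d@d")
    """
    parsed = sorted((parse_event(line) for line in events), key=lambda e: e["_time"])
    if now is None:
        now = max(e["_time"] for e in parsed)
    window_start = now - timedelta(days=baseline_days)
    detect_start = now - timedelta(days=detect_days)

    first_seen = {}                 # (user, host) -> first logon time in the window
    counts = defaultdict(int)       # (user, host) -> number of logons in the window
    for ev in parsed:
        if ev["_time"] < window_start or not is_candidate(ev):
            continue
        key = (ev["user"].lower(), ev["ComputerName"].lower())   # case-fold to avoid duplicate pairs
        first_seen.setdefault(key, ev["_time"])
        counts[key] += 1

    alerts = [
        {"user": user, "host": host, "first_seen": ts.isoformat(), "count": counts[(user, host)]}
        for (user, host), ts in first_seen.items()
        if ts >= detect_start
    ]
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in find_new_host_logons(SAMPLE_EVENTS):
        print(alert)
```

Note the caveat the April record illustrates: the baseline is only as long as the search window, so jbloggs on COMPUTERB is flagged at 30 days but not at 90 (the pair was seen on 1 April). For a scheduled search, persist the known pairs in a lookup instead of recomputing them from a fixed window, otherwise hosts a user visits rarely will be re-alerted every time they fall out of the window.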