Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Security Events for Windows Machines

brpsingara
Explorer
‎04-09-2019 11:12 AM

Anyone help me on below,
1) Login
2) Logoff
3) Un-successful login
4) Modify authentication mechanisms
5) Create user account
6) Modify user account
7) Create role
8) Modify role
9) Grant/revoke user privileges
10) Grant/revoke role privileges
11) Privileged commands
12) Modify audit and logging
13) Objects Create/Modify/Delete
14) Modify configuration settings

I checked and confirmed, Splunk TA is installed in all windows machines and Splunk TA is installed for Active directory server.

Thanks in advance.

Tags (1)
0 Karma
Reply

ashutoshab
Communicator
‎04-09-2019 11:37 AM

I am not very sure what you are expecting in the answer. I suppose you want to monitor the enlisted events.

Windows OS, log every event with an Event ID associated with it. So every activity on the Windows has an Event ID assigned and the same is stored along with the details of the event. Below I am providing a list of event IDs associated with every event in windows. You can get help from that.
Event ID and Respective Event

4616    The system time was changed.
4624    An account was successfully logged on
4625    An account failed to log on
4634    An account was logged off
4647    User initiated logoff
4648    A logon was attempted using explicit credentials
4662    An operation was performed on an object
4670    Permissions on an object were changed
4672    Special privileges assigned to new logon
4688    A new process has been created
4689    A process has exited
4702    A scheduled task was updated
4719    System audit policy was changed
4720    A user account was created
4722    A user account was enabled
4723    An attempt was made to change an account's password
4724    An attempt was made to reset an accounts password
4725    A user account was disabled
4726    A user account was deleted
4727    A security-enabled global group was created
4731    A security-enabled local group was created
4732    A member was added to a security-enabled local group
4733    A member was removed from a security-enabled local group
4735    A security-enabled local group was changed
4738    A user account was changed
4768    A Kerberos authentication ticket (TGT) was requested
4769    A Kerberos service ticket was requested
4770    A Kerberos service ticket was renewed
4771    Kerberos pre-authentication failed
4776    The domain controller attempted to validate the credentials for an account
4779    A session was disconnected from a Window Station
4904    An attempt was made to register a security event source
4905    An attempt was made to unregister a security event source
5058    Key file operation
5061    Cryptographic operation
5136    A directory service object was modified

Hope this help.

Please elaborate your exact question so that I can answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...