Security Events for Windows Machines

brpsingara
Explorer

Can anyone help me with the below?
1) Login
2) Logoff
3) Un-successful login
4) Modify authentication mechanisms
5) Create user account
6) Modify user account
7) Create role
8) Modify role
9) Grant/revoke user privileges
10) Grant/revoke role privileges
11) Privileged commands
12) Modify audit and logging
13) Objects Create/Modify/Delete
14) Modify configuration settings

I checked and confirmed that the Splunk TA is installed on all Windows machines and the Splunk TA is installed for the Active Directory server.

Thanks in advance.

ashutoshab
Communicator

I am not very sure what you are expecting in the answer. I suppose you want to monitor the listed events.

Windows OS logs every event with an Event ID associated with it. So every activity on Windows has an Event ID assigned, and it is stored along with the details of the event. Below I am providing a list of event IDs associated with every event in Windows. You can get help from that.
Event ID and Respective Event

4616    The system time was changed.
4624    An account was successfully logged on
4625    An account failed to log on
4634    An account was logged off
4647    User initiated logoff
4648    A logon was attempted using explicit credentials
4662    An operation was performed on an object
4670    Permissions on an object were changed
4672    Special privileges assigned to new logon
4688    A new process has been created
4689    A process has exited
4702    A scheduled task was updated
4719    System audit policy was changed
4720    A user account was created
4722    A user account was enabled
4723    An attempt was made to change an account's password
4724    An attempt was made to reset an account's password
4725    A user account was disabled
4726    A user account was deleted
4727    A security-enabled global group was created
4731    A security-enabled local group was created
4732    A member was added to a security-enabled local group
4733    A member was removed from a security-enabled local group
4735    A security-enabled local group was changed
4738    A user account was changed
4768    A Kerberos authentication ticket (TGT) was requested
4769    A Kerberos service ticket was requested
4770    A Kerberos service ticket was renewed
4771    Kerberos pre-authentication failed
4776    The domain controller attempted to validate the credentials for an account
4779    A session was disconnected from a Window Station
4904    An attempt was made to register a security event source
4905    An attempt was made to unregister a security event source
5058    Key file operation
5061    Cryptographic operation
5136    A directory service object was modified

Hope this helps.

Please elaborate your exact question so that I can answer.

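As an added example (not code from this thread), the answer's event ID table grouped under the questioner's numbered requirements, run over a few constructed key=value lines in the shape the Splunk Windows TA typically extracts (EventCode, Account_Name); the grouping itself is an assumption, and requirements 4 and 10 are left out because no single event ID in the table covers them.

```python
"""Map the answer's Windows Security event IDs onto the questioner's requirements.
Added example; the grouping is one reading of the table and the log lines are constructed."""
from collections import Counter

# Requirement from the question -> event IDs from the answer (assumed mapping).
CATEGORY_EVENTS = {
    "1 Login": (4624, 4648),
    "2 Logoff": (4634, 4647),
    "3 Unsuccessful login": (4625, 4771),
    "5 Create user account": (4720,),
    "6 Modify user account": (4722, 4723, 4724, 4725, 4726, 4738),
    "7 Create role": (4727, 4731),
    "8 Modify role": (4735,),
    "9 Grant/revoke user privileges": (4732, 4733),
    "11 Privileged commands": (4672, 4688),
    "12 Modify audit and logging": (4719, 4904, 4905),
    "13 Objects create/modify/delete": (4662, 4670, 5136),
    "14 Modify configuration settings": (4616, 4702),
}
EVENT_CATEGORY = {eid: cat for cat, ids in CATEGORY_EVENTS.items() for eid in ids}

def parse_event(line):
    """Turn 'EventCode=4625 Account_Name=bob ...' into a dict; EventCode becomes an int."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    fields["EventCode"] = int(fields.get("EventCode", 0))
    return fields

def coverage(lines):
    """Count events per requirement; IDs the table does not cover land in 'unmapped'."""
    counts = Counter()
    for ev in map(parse_event, lines):
        counts[EVENT_CATEGORY.get(ev["EventCode"], "unmapped")] += 1
    return dict(counts)

def failed_logon_accounts(lines, threshold=3):
    """Accounts with at least `threshold` 4625 events: a minimal failed-logon alert."""
    failures = Counter(ev["Account_Name"] for ev in map(parse_event, lines)
                       if ev["EventCode"] == 4625)
    return sorted(name for name, n in failures.items() if n >= threshold)

SAMPLE_EVENTS = [  # constructed sample lines, not real log data
    "EventCode=4624 Account_Name=alice Logon_Type=2",
    "EventCode=4625 Account_Name=bob Logon_Type=3",
    "EventCode=4625 Account_Name=bob Logon_Type=3",
    "EventCode=4625 Account_Name=bob Logon_Type=3",
    "EventCode=4720 Account_Name=svc_backup",
    "EventCode=1102 Account_Name=SYSTEM",  # audit log cleared: not in the table, so 'unmapped'
]
```

The 'unmapped' bucket is the useful part: anything that lands there (like 1102 above) is an event the table leaves uncovered and worth adding before the list is treated as complete.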