Alerting

User Account Activity_Add/Del/Modify

brpsingara
Explorer

Is it possible to make a single report for the below? If possible, could you please help me.

4625 An account failed to log on

4720 A user account was created

4722 A user account was enabled

4723 An attempt was made to change an account's password

4724 An attempt was made to reset an accounts password

4725 A user account was disabled

4726 A user account was deleted

4738 A user account was changed

4727 A security-enabled global group was created

4731 A security-enabled local group was created

thanks in advance.


koshyk
Super Champion

A cheaper and easier (quick) solution would be:

Put the above list into a CSV, e.g. winEventCodes_custom.csv, with the headers (EventID,EventIDDescription). So it looks like:

EventID,EventIDDescription
4625,"An account failed to log on"
4720,"A user account was created"
4722,"A user account was enabled"
...

Then do a lookup in your search, something like this (to get a count):

index=* sourcetype=WinEventLog:*
| lookup winEventCodes_custom.csv EventID OUTPUT EventIDDescription
| stats count by EventID,EventIDDescription

You can do any type of analysis based on the above query (e.g. get users, SecurityID, etc.).


brpsingara
Explorer

Thanks, it's working.....


brpsingara
Explorer

Created the CSV file "winEventCodes_custom.csv":

EventCode,EventCodeDescription
4625,"An account failed to log on"
4720,"A user account was created"
4722,"A user account was enabled"

index=* sourcetype=WinEventLog:*
| lookup winEventCodes_custom EventCode OUTPUT EventCodeDescription
| stats count by EventCode,EventCodeDescription

-------- This is working for me.


brpsingara
Explorer

Thanks Koshyk for helping me.

No results found yet for the code below:

index=* sourcetype=WinEventLog:*
| lookup winEventCodes_custom EventID OUTPUT EventIDDescription
| stats count by EventID,EventIDDescription

But I am able to see the failed logs if I run the code below:

sourcetype=WinEventLog:Security EventCode=4625
| stats count by Account_Name, EventCode, Workstation_Name
| sort -count

Why am I not getting the same entries for the lookup code?


koshyk
Super Champion

The best way to handle this is to install the Splunk_TA_windows add-on on your Search Heads. This should already have quite a lot of logic to extract fields and identify the user actions. I'm expecting tags like "add".
Please see the code sample from the TA:

## EventCodes 4720, 4741, 624, 645
[windows_account_created]
search = sourcetype=*:Security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
#tags = add

Then you just need to query: index=* tag=add

After you put in the TA, if the fields still haven't been extracted, you need to extract the fields/eventtypes yourself.
For instance, create a TA of your own, put the line in eventtypes.conf and collect all your event codes into a single tag.

[windows_custom_my_eventcodes]
search = sourcetype=*:Security (EventCode=4720 OR xxxxx)
#tags = custom_tag_1

And in tags.conf, just add custom_tag_1,
and in the final report you just need to do index=* tag=custom_tag_1

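As an added example (not from koshyk's post or from Splunk_TA_windows), here is a custom TA's eventtypes.conf and tags.conf that collect exactly the event codes listed in the question under one tag, plus the transforms.conf lookup definition that lets the search reference winEventCodes_custom without the .csv suffix; the app path, eventtype name, tag name and lookup name are assumptions. Note that the field Splunk extracts from Windows Security events is EventCode, as in the working failed-logon query above, so both the eventtype search and the lookup key must use EventCode rather than EventID.

```ini
# eventtypes.conf  (assumed app: $SPLUNK_HOME/etc/apps/TA-account_audit/local/)
# One eventtype covering the ten EventCodes from the question. The search must
# stay on a single line in a .conf file. "#tags" is only a reminder comment,
# as in the Splunk_TA_windows sample; the real tag is assigned in tags.conf.
[windows_account_activity_custom]
search = sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4723 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4727 OR EventCode=4731)
#tags = account_activity

# tags.conf  (same app)
# Binds the tag to the eventtype so "tag=account_activity" matches all ten codes.
[eventtype=windows_account_activity_custom]
account_activity = enabled

# transforms.conf  (same app)
# Lookup definition over the CSV uploaded to the app's lookups/ directory.
# The CSV header must be EventCode,EventCodeDescription so the key matches
# the extracted field; a stray space after a code (e.g. "4722 ,") breaks matching.
[winEventCodes_custom]
filename = winEventCodes_custom.csv
```

After restarting the search head so the .conf files load, the single report is: index=* tag=account_activity | lookup winEventCodes_custom EventCode OUTPUT EventCodeDescription | stats count by EventCode, EventCodeDescription, Account_Name, Workstation_Name | sort -count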

brpsingara
Explorer

This looks like it is beyond my knowledge of Splunk; could you please share any videos or demos for this?
