Archive

best practice multiple eventID 4624 for one logon

New Member

Hi,
i try to identify how often a user account was loged on. the problem is that the DC generates multible 4624 in very short time (different processes?). is there any best practice soltion to get a correct number of logon events? there are some topic whit that question but i cant find any useable solution.
i tryes with | debuc Logon_GUID but that dont work 😞

sourcetype="WinEventLog:Security" EventCode=4624| eval Account_Name=if(Account_Name="-", (mvindex(Account_Name,1)), Account_Name)| eval Account_Domain=if(Account_Domain="-", (mvindex(Account_Domain,1)), Account_Domain)| dedup Logon_GUID | chart count by Account_Name | sort - count

0 Karma
1 Solution

Ultra Champion

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.

View solution in original post

Ultra Champion

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.

View solution in original post