
Collecting Logs Windows Servers and Windows Domain Controllers

Codyy_Fast
Engager

Hello all,

I need your help in analyzing my collected log data.

I have all of our Windows servers connected to Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the Security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Search Head).

I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts.

If I now start a search query, for example on Event ID 4625, I get thousands of messages whose "host" field contains my domain controllers. In "host" I want to see the actually affected system.
For example, my Splunk query looks like this:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse

(I merge German and English log entries.)

I only want to know when someone tries to log in to the domain controller, locks his account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers.

Do you have a solution to the problem or even suggestions for improvement?

Thanks in advance.

Best regards
Codyy_Fast


gcusello
SplunkTrust

Hi @Codyy_Fast,

Using the table command you get all the (e.g.) 4625 events; you can also group them using the stats command:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| stats 
   count 
   earliest(_time) AS earliest
   latest(_time) AS latest
   values(Benutzerkonto) AS Benutzerkonto
   values(Meldung) AS Meldung
   values(IP-Quelladresse) AS IP-Quelladresse
   BY ComputerName

But it depends on the requirements of your search, in other words: what do you want to find?

In addition, if possible don't use "-" or spaces in your field names; use "_", because Splunk translates "-" as the subtraction operator.

Ciao.

Giuseppe

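As an added example (not code from the question or from gcusello's answer), the following Python script shows the same idea in runnable form: it coalesces the German and English field names from the thread into one schema with underscore-only names, then attributes each 4625/4740 event to the system it actually concerns rather than to the domain controller that recorded it, and groups the result stats-style. The sample events are constructed. The field names for the originating computer, Workstation_Name/Arbeitsstationsname for 4625 and Caller_Computer_Name/Aufrufercomputername for 4740, are assumptions about the add-on's localized extractions and should be checked against your own events; where that field is empty, the event is attributed to the recording DC itself.

```python
"""
Added example (not from the thread): normalize mixed German/English Windows
Security events (4625 failed logon, 4740 account lockout) and attribute each one
to the system it concerns instead of the domain controller that logged it.
"""
from collections import defaultdict

# Constructed sample events shaped like Splunk Add-on for Microsoft Windows extractions.
# Field names taken from the thread: Account_Name/Kontoname, Failure_Reason/Fehlerursache,
# Source_Network_Address/Quellnetzwerkadresse. Workstation_Name/Arbeitsstationsname (4625)
# and Caller_Computer_Name/Aufrufercomputername (4740) are ASSUMED localized names.
SAMPLE_EVENTS = [
    {"host": "DC01", "ComputerName": "DC01.example.local", "EventCode": "4625",
     "Account_Name": "j.mueller", "Failure_Reason": "Unknown user name or bad password.",
     "Source_Network_Address": "10.1.20.15", "Workstation_Name": "WS-FINANCE-07"},
    {"host": "DC02", "ComputerName": "DC02.example.local", "EventCode": "4625",
     "Kontoname": "Administrator",
     "Fehlerursache": "Unbekannter Benutzername oder ungültiges Kennwort.",
     "Quellnetzwerkadresse": "10.1.5.44", "Arbeitsstationsname": "DC02"},
    {"host": "DC01", "ComputerName": "DC01.example.local", "EventCode": "4740",
     "Account_Name": "j.mueller", "Caller_Computer_Name": "\\\\WS-FINANCE-07"},
    {"host": "DC02", "ComputerName": "DC02.example.local", "EventCode": "4740",
     "Kontoname": "svc-backup", "Aufrufercomputername": "\\\\DC02"},
]


def coalesce(event, *names):
    """Return the first non-empty value among the given field names (like SPL coalesce)."""
    for name in names:
        value = event.get(name)
        if value not in (None, ""):
            return value
    return None


def normalize(event):
    """Map localized field names onto one schema; underscore-only names, as the answer advises."""
    origin = coalesce(event, "Workstation_Name", "Arbeitsstationsname",
                      "Caller_Computer_Name", "Aufrufercomputername")
    return {
        "EventCode": event["EventCode"],
        # short, upper-cased name of the DC that recorded the event
        "ComputerName": event["ComputerName"].split(".")[0].upper(),
        "Benutzerkonto": coalesce(event, "Kontoname", "Account_Name"),
        "Meldung": coalesce(event, "Fehlerursache", "Failure_Reason"),
        "IP_Quelladresse": coalesce(event, "Source_Network_Address", "Quellnetzwerkadresse"),
        # 4740 writes the caller as \\NAME; strip the prefix so names compare equal
        "Quellsystem": origin.lstrip("\\").upper() if origin else None,
    }


def affected_system(norm):
    """The system the event concerns: the originating machine if known, else the DC itself."""
    return norm["Quellsystem"] or norm["ComputerName"]


def targets_dc_itself(norm):
    """True when the failed logon or lockout originated on the DC, not on another machine."""
    return affected_system(norm) == norm["ComputerName"]


def summarize(events, only_dc=False):
    """stats-style grouping BY affected system: count plus distinct accounts, messages, IPs."""
    groups = defaultdict(lambda: {"count": 0, "Benutzerkonto": set(),
                                  "Meldung": set(), "IP_Quelladresse": set()})
    for event in events:
        norm = normalize(event)
        if only_dc and not targets_dc_itself(norm):
            continue  # drop events the DC merely relayed for other systems
        group = groups[affected_system(norm)]
        group["count"] += 1
        for key in ("Benutzerkonto", "Meldung", "IP_Quelladresse"):
            if norm[key]:
                group[key].add(norm[key])
    return dict(groups)


if __name__ == "__main__":
    for system, stats in summarize(SAMPLE_EVENTS).items():
        print(system, stats)
    print("DC-only:", summarize(SAMPLE_EVENTS, only_dc=True))
```

Run without arguments it prints one row per affected system for all four sample events, and then the DC-only view, which keeps just the two events that originated on DC02. The grouping key is the originating computer rather than host or ComputerName, which is the change that moves the domain controllers out of the "affected system" column; the same approach carries over to an SPL `eval` that coalesces the originating-computer fields followed by `stats ... BY` that field.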