Hello all,
I need your help in analyzing my collected log data.
I have all of our Windows servers connected to Splunk via the Universal Forwarder, including the domain controllers. Only the Security event log is forwarded. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Search Head).
I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts.
If I now run a search, for example on Event ID 4625, I get thousands of messages whose "host" field contains my domain controllers. Under "host" I want to see the system that is really affected.
For example my Splunk query looks like this:
index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_Network_Address, Quellnetzwerkadresse)
| table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse
(I merge German and English log entries.)
I only want to know when someone tries to log in to the domain controller, locks their account there, or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems that arrive via the domain controllers.
Do you have a solution to the problem, or even suggestions for improvement?
Thanks in advance.
Best regards
Codyy_Fast
Hi @Codyy_Fast,
Using the table command you get all the (e.g.) 4625 events; you can also group them using the stats command:
index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP_Quelladresse = coalesce(Source_Network_Address, Quellnetzwerkadresse)
| stats
count
earliest(_time) AS earliest
latest(_time) AS latest
values(Benutzerkonto) AS Benutzerkonto
values(Meldung) AS Meldung
values(IP_Quelladresse) AS IP_Quelladresse
BY ComputerName
but it depends on the requirements of your search; in other words: what do you want to find?
In addition, if possible don't use "-" or spaces in your field names; use "_" instead, because Splunk interprets "-" as the subtraction operator.
Ciao.
Giuseppe
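An added example that is not part of Giuseppe's answer or the original question. It assumes two domain controllers named DC01 and DC02 (hypothetical names) and that the German field for "Caller Computer Name" in 4740 events is Aufrufercomputername (an assumption; the thread only shows the German names for 4625 fields). It relies on two facts about where Windows writes these events: 4625 is logged on the computer where the logon was attempted, so a 4625 on a DC means the DC itself was the target, and the source of the attempt is in Workstation_Name / Source_Network_Address; 4740 is logged on the PDC emulator for lockouts that happened anywhere in the domain, and the computer that triggered the lockout is in Caller_Computer_Name. The search therefore derives the affected system from Caller_Computer_Name for 4740 and from ComputerName for 4625, normalizes both to an upper-case short host name, and keeps only the domain controllers:

```spl
index=wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto   = coalesce(Kontoname, Account_Name)
| eval Meldung         = coalesce(Fehlerursache, Failure_Reason)
| eval IP_Quelladresse = coalesce(Quellnetzwerkadresse, Source_Network_Address)
| eval Aufrufer        = coalesce(Aufrufercomputername, Caller_Computer_Name)
| eval Ziel            = if(EventCode=4740, coalesce(Aufrufer, "UNBEKANNT"), ComputerName)
| eval Ziel            = upper(mvindex(split(Ziel, "."), 0))
| search Ziel IN ("DC01", "DC02")
| stats count
        earliest(_time) AS earliest
        latest(_time)   AS latest
        values(Benutzerkonto)   AS Benutzerkonto
        values(Meldung)         AS Meldung
        values(IP_Quelladresse) AS IP_Quelladresse
  BY Ziel, EventCode
| convert ctime(earliest) ctime(latest)
| sort - count
```

The coalesce to "UNBEKANNT" covers 4740 events whose Caller Computer Name is empty; such lockouts cannot be attributed to a computer and are dropped by the DC filter rather than silently attributed to the PDC emulator. Field names are case-sensitive in Splunk, so Source_Network_Address must be spelled exactly as the add-on extracts it. To get the per-workstation view that the "host" field could not provide, remove the search Ziel IN (...) line: the grouping by Ziel then shows which computer each lockout or failed logon really came from, instead of the domain controller that merely recorded it.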