Getting Data In

How can I search Windows security events to track which admin users logged on or off our domain computer?

pateld
Explorer

Hi

How can I use Window security events to track which admin users ("-admin") did log on or log off into our domain computer?

thanks

1 Solution

woodcock
Esteemed Legend

First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called host and is in a lookup definition called DCs (pointing to a lookup file called anything you like). Then you can do this:

index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs] 

View solution in original post

0 Karma

woodcock
Esteemed Legend

First you need to build a list of Domain Controllers and save it as a lookup. Let's assume that you have done this and it has a single column/field called host and is in a lookup definition called DCs (pointing to a lookup file called anything you like). Then you can do this:

index=yourIndexHere "Account Name" = "*-admin*" (EventCode="538" OR EventCode="4634" OR EventCode="528" OR EventCode="540" OR EventCode="4624" OR EventCode="551" OR EventCode="4647") [|inputlookup DCs] 
0 Karma
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 3)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...