Getting Data In

Reporting on NT User Logins?

Explorer

I've been asked to monitor peoples NT login in the morning. As I look through the security logs on my domain controllers there are so many login events. Is there a specific event that a user has first logged into the network?

Suggestions?

Tags (2)
0 Karma

Motivator

Unfortunately, doing this on Windows is not quite as straightforward as one might expect.

If all you care about is the first time a user hit the network, then use Splunk's search language to just isolate the first occurrence. Most of the time, you'll want Event 4624 or 528, depending on your Windows version. The general form would be:

sourcetype="windows-snare" Success EventCode=4624 NOT user="*$"
| eval logonTime=_time
| bucket _time span=1d
| stats min(logonTime) as logonTime by user, _time
| convert ctime(logonTime)

The bucket command, and the inclusion of _time in the stats command, are optional but will break it out separately for each day.

Similarly, if you just want the first event for a user for a given day:

sourcetype="windows-snare" Success EventCode=4624 NOT user="*$"
| sort _time
| dedup user

It's important to understand that these events do not necessarily indicate a user logging in by typing their credentials -- almost any network activity can generate this event.

If you want to track when a user actually entered their name and password, and not just when they hit a network share or other resource, you need to look mainly for Logon Type 2, 7, 10, or 11. These correspond to Interactive Logon, Screen Unlock, Remote Desktop Logon, and workstations logins with Cached Credentials. Unfortunately, they will generally appear only on the workstation at which the event occurred, and not on a domain controller.

For newer windows versions, searching for Event 4776 (Credential Validation) will tell you when a domain controller actually checked the password. But remember that it won't appear for logons using cached credentials.

You may also want to take a look at Randy Franklin Smith's site, and at eventid.net. The first has a good quick reference sheet here:
     http://www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx

Motivator

Great answer. There is also an app on Splunkbase that provides EventID lookups and some easy links to eventid.net via splunk workflows: http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Windows+Event+Codes+Lookup

0 Karma

SplunkTrust
SplunkTrust

To Windows, a login is a login is a login. There's nothing special about a user's "first" login of the day. You may want to rephrase this as something more like "How can I write a search to find the first time a user logs in each day, assuming midnight starts a new day?" (Or 5AM, or 6AM, or whatever)

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!