Translate my windows event viewer search query to splunk search query

jarves
New Member

Hi,

I would like to translate my windows event log custom query to splunk search syntax.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security"> 
*[EventData[Data[@Name='TargetUserName'] = 'ztm31029']] and *[System[(EventID='4624')]]
    </Select>
    <Select Path="Security"> 
*[EventData[Data[@Name='IpAddress'] = '10.228.36.66']] and *[System[(EventID='4624')]]
    </Select>
  </Query>
</QueryList>

The three important fields to search are IpAddress, EventID and TargetUserName under security events.

Thanks!

0 Karma

woodcock
Esteemed Legend

If you are using the Splunk_TA_windows then the fields are called host, EventCode, src, user, Security_ID, and ComputerName.

0 Karma

guarisma
Contributor

This depends if you have the Splunk Add-on for Windows installed for extractions and calculations of the fields or not.

If yes, IpAddress should match calculated field src_ip, EventID would be EventCode, TargetUserName should be user

So you'll have a search like:

index=<index_with_windows_events>  EventCode=4624 (src_ip=10.228.36.66 OR user=ztm31029)

If not, we would need to see how the RAW data looks in Splunk to do the proper extractions and calculations, or just match to a regular expression.

0 Karma
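An added example, not written by any poster in this thread: a small translator that reads the question's QueryList XML and emits the equivalent SPL, which makes visible that the two `<Select>` elements are ORed while the predicates inside each one are ANDed. The field mapping is the one given in the reply above and the index name `wineventlog` is an assumption; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Mapping from the answer above (Splunk Add-on for Windows installed); an
# assumption to verify against the fields your own events carry.
FIELD_MAP = {"EventID": "EventCode", "IpAddress": "src_ip", "TargetUserName": "user"}

DATA_RE = re.compile(r"Data\[@Name='(\w+)'\]\s*=\s*'([^']*)'")  # EventData tests
EVENTID_RE = re.compile(r"EventID\s*=\s*'?(\d+)'?")              # System tests

# The query from the question, embedded as sample input.
SAMPLE = """
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='TargetUserName'] = 'ztm31029']] and *[System[(EventID='4624')]]
    </Select>
    <Select Path="Security">
*[EventData[Data[@Name='IpAddress'] = '10.228.36.66']] and *[System[(EventID='4624')]]
    </Select>
  </Query>
</QueryList>
"""


def select_to_terms(xpath):
    """Turn one <Select> XPath into SPL field="value" terms (implicitly ANDed)."""
    if re.search(r"\bor\b", xpath):
        raise ValueError("only 'and'-joined predicates are handled")
    pairs = [("EventID", v) for v in EVENTID_RE.findall(xpath)] + DATA_RE.findall(xpath)
    unmapped = [name for name, _ in pairs if name not in FIELD_MAP]
    if unmapped:
        raise ValueError("no Splunk field mapping for: " + ", ".join(unmapped))
    return ['{}="{}"'.format(FIELD_MAP[n], v.replace('"', r'\"')) for n, v in pairs]


def querylist_to_spl(xml_text, index="wineventlog"):
    """One parenthesised AND group per <Select>; groups are ORed, because the
    Event Log service returns events that match any <Select> of a <Query>."""
    groups = []
    for select in ET.fromstring(xml_text.strip()).iter("Select"):
        terms = select_to_terms(select.text or "")
        if terms:
            groups.append("(" + " ".join(terms) + ")")
    if not groups:
        raise ValueError("no translatable <Select> found")
    return "index={} {}".format(index, " OR ".join(groups))


if __name__ == "__main__":
    print(querylist_to_spl(SAMPLE))
```

To require the user and the source IP on the same logon event, put all three predicates in a single `<Select>`; the translator then emits one AND group.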

kmorris_splunk
Splunk Employee

Can you give a brief description of what the search needs to do? For example, are you looking for where TargetUserName='ztm31029' AND IPAddress='10.228.26.66' AND EventID=4624? Or is it an OR on the user and ip?

0 Karma

jarves
New Member

It's an AND

0 Karma

gcusello
SplunkTrust

Hi jarves,
ingest your Windows logs and see the exact field names.
Anyway,

  • EventID is EventCode
  • I don't see any IpAddress
  • TargetUserName should be Account_Name

Remember that by default you don't have the extraction of all fields; you have to install the TA_Windows ( https://splunkbase.splunk.com/app/742/ ) or manually extract using regexes.

Then you can create your own search:

index=wineventlog sourcetype=wineventlog:Security IpAddress=my_ip EventCode=xxxx Account_Name=xxxxx
| ...

Bye.
Giuseppe

0 Karma

jarves
New Member

The IpAddress is the IP from where the user authenticated.

0 Karma

jarves
New Member

I tried that syntax but no results.

0 Karma

gcusello
SplunkTrust

Hi jarves,
run index=wineventlog (the index where your Windows EventLogs are stored), so you can see if all the field extractions are there.
If you already have fields, use in the search the ones corresponding to your fields (remember that field names are case sensitive); if not, you have two choices:

I suggest using the first one.

When you have the field extraction, you can build your search using the correct fields, but the first step is to extract them.

Bye.
Giuseppe

0 Karma

jarves
New Member

Hi @gcusello Where should TA_Windows be installed?

0 Karma

gcusello
SplunkTrust

Windows TA is usually installed on the Universal Forwarder to ingest Windows data, but can also be installed on Search Heads to use all the eventtypes and field extractions.

Bye.
Giuseppe

0 Karma