Getting Data In

Whitelist bad logon

sswigart
Explorer

I want to whitelist events when users put the password in the logon window during login.
See example below, note the *****:

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: Computer01
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 7

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User
Account Domain: MyDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D **************
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x8e0D
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: Computer01
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

My whitelist is as follows:

whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"

Need assistance with coding the 0xc000006d

Thank you!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sswigart,
sorry but I don't understand what do you mean with "whitelist": do you want as search result all the 4625 events? or what else?
If you want to filter events to extract logFail events (EventCode=4625) you could run something like this:

index=wineventlog EventCode=4625 Message="Failure\sInformation\sStatus:\s+0xc000006d"
| table ...

Ciao.
Giuseppe

0 Karma

sswigart
Explorer

Giuseppe,
Thank you for your suggestion.
I am trying to create a whitelist in the etc\system\local\inputs.conf file.
Still not having any success.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sswigart,
you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time.
Anyway, at http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf there's an example of whitelisting Windows EventCodes.

Ciao.
Giuseppe

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...