I want to whitelist events when users put the password in the logon window during login.
See the example below; note the *****:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: Computer01
Account Domain: MyDomain
Logon ID: 0x3E7
Logon Type: 7
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User
Account Domain: MyDomain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D **************
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0x8e0D
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: Computer01
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
My whitelist is as follows:
whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"
I need assistance with coding the 0xc000006d.
Thank you!
Hi @sswigart,
sorry, but I don't understand what you mean by "whitelist": do you want all the 4625 events as the search result, or something else?
If you want to filter events to extract logFail events (EventCode=4625), you could run something like this:
index=wineventlog EventCode=4625 | regex Message="Status:\s+0xC000006D"
| table ...
Ciao.
Giuseppe
Giuseppe,
Thank you for your suggestion.
I am trying to create a whitelist in the etc\system\local\inputs.conf file.
I'm still not having any success.
Hi @sswigart,
you can whitelist the EventCodes related to logins, but that way you exclude all the other EventCodes; I think it's better to filter these events at search time.
Anyway, at http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf there's an example of whitelisting Windows EventCodes.
Ciao.
Giuseppe
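As an added illustration (not code from this thread or from Splunk), the following Python checks why the regex in the question cannot match the multi-line Message text and shows a form that does, then writes the whitelist line in the key=regex syntax with %-delimited regexes that the inputs.conf spec linked above uses. The sample Message is constructed from the 4625 event quoted in the question; that Splunk applies the Message regex to the full message text is an assumption.

```python
import re
from typing import Optional

# Constructed sample: the 4625 Message from the question, laid out the way
# Windows formats it (tab-indented "Key:<tabs>value" lines, CRLF). Not a live log.
EVENT_4625_MESSAGE = (
    "An account failed to log on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tSYSTEM\r\n"
    "\tAccount Name:\t\tComputer01\r\n"
    "\tAccount Domain:\t\tMyDomain\r\n"
    "\tLogon ID:\t\t0x3E7\r\n\r\n"
    "Logon Type:\t\t\t7\r\n\r\n"
    "Account For Which Logon Failed:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\tUser\r\n"
    "\tAccount Domain:\t\tMyDomain\r\n\r\n"
    "Failure Information:\r\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\r\n"
    "\tStatus:\t\t\t0xC000006D\r\n"
    "\tSub Status:\t\t0xC000006A\r\n"
)

# Regex from the question. It can never match: "Failure Information" is
# followed by a colon and by the "Failure Reason:" line, not by "Status:",
# and the hex value is lowercase while the event writes it in uppercase.
ORIGINAL_PATTERN = r"Failure\sInformation\sStatus:\s+0xc000006d"

# Anchor on the Status line alone: \s+ absorbs the tabs between key and value,
# and keeping the event's own case avoids depending on case-insensitive matching.
# (The "Sub Status:" line carries a different code, so it does not collide.)
FIXED_PATTERN = r"Status:\s+0xC000006D"

def message_matches(pattern: str, message: str) -> bool:
    """True if the regex matches anywhere in the multi-line Message text."""
    return re.search(pattern, message) is not None

def status_code(message: str) -> Optional[str]:
    """Return the NTSTATUS value on the 'Status:' line, or None if absent."""
    m = re.search(r"^\s*Status:\s+(0x[0-9A-Fa-f]{8})\s*$", message, re.MULTILINE)
    return m.group(1) if m else None

def whitelist_line(event_code: int, message_pattern: str) -> str:
    """inputs.conf whitelist in key=regex form with '%'-delimited regexes,
    the form shown in the inputs.conf spec (assumed applied to the full Message)."""
    return f"whitelist = EventCode=%^{event_code}$% Message=%{message_pattern}%"
```

Keep in mind that a whitelist on the WinEventLog input drops every other 4625 (and any other EventCode not listed) before indexing, which is the trade-off Giuseppe points out.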