Knowledge Management

best practice multiple eventID 4624 for one logon

Aufex
Explorer

Hi,
i try to identify how often a user account was loged on. the problem is that the DC generates multible 4624 in very short time (different processes?). is there any best practice soltion to get a correct number of logon events? there are some topic whit that question but i cant find any useable solution.
i tryes with | debuc Logon_GUID but that dont work 😞

sourcetype="WinEventLog:Security" EventCode=4624| eval Account_Name=if(Account_Name="-", (mvindex(Account_Name,1)), Account_Name)| eval Account_Domain=if(Account_Domain="-", (mvindex(Account_Domain,1)), Account_Domain)| dedup Logon_GUID | chart count by Account_Name | sort - count

0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...