Knowledge Management

best practice multiple eventID 4624 for one logon

Aufex
Explorer

Hi,
i try to identify how often a user account was loged on. the problem is that the DC generates multible 4624 in very short time (different processes?). is there any best practice soltion to get a correct number of logon events? there are some topic whit that question but i cant find any useable solution.
i tryes with | debuc Logon_GUID but that dont work 😞

sourcetype="WinEventLog:Security" EventCode=4624| eval Account_Name=if(Account_Name="-", (mvindex(Account_Name,1)), Account_Name)| eval Account_Domain=if(Account_Domain="-", (mvindex(Account_Domain,1)), Account_Domain)| dedup Logon_GUID | chart count by Account_Name | sort - count

0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get your going.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...