best practice multiple eventID 4624 for one logon

Aufex
New Member

Hi,
I am trying to identify how often a user account was logged on. The problem is that the DC generates multiple 4624 events in a very short time (different processes?). Is there any best-practice solution to get a correct number of logon events? There are some topics with that question, but I can't find any usable solution.
I tried with | dedup Logon_GUID but that doesn't work 😞

sourcetype="WinEventLog:Security" EventCode=4624
| eval Account_Name=if(Account_Name="-", mvindex(Account_Name,1), Account_Name)
| eval Account_Domain=if(Account_Domain="-", mvindex(Account_Domain,1), Account_Domain)
| dedup Logon_GUID
| chart count by Account_Name
| sort - count

0 Karma
1 Solution

sloshburch
Splunk Employee

For my environment I was able to do this:

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer

The notable items in the base search:
- LogonGuid - this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName - the users in my environment all end without a $ (those are system connections)

So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer

OR

index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName

Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get you going.
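To make the filtering logic in the accepted answer concrete, and to show why the asker's plain dedup on Logon_GUID misbehaves, here is an added Python example that replays both searches over a handful of constructed 4624 records. It is not code from the thread or from Splunk; the field names (LogonGuid, TargetUserName, TargetDomainName, Computer) follow the extractions used in the answer, the events are made up, and the dedup helper keeps the first record per value, which is what Splunk's dedup does on results already in search order. It goes one step beyond the answer by combining the answer's base filter with the dedup the asker tried, which works once the all-zero GUIDs are gone.

```python
"""Replay of the thread's two approaches over constructed 4624 events (added example)."""
from collections import Counter

# Windows writes this GUID on 4624 events that are not Kerberos-backed logons,
# so many unrelated records share it; the answer's base search drops it.
ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample: what the search head would see for one morning.
SAMPLE_4624 = [
    {"_time": "08:00:01", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{1a2b3c4d-0000-4000-8000-000000000001}"},
    # same logon reported again a second later by another process: same GUID
    {"_time": "08:00:02", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{1a2b3c4d-0000-4000-8000-000000000001}"},
    # a second, distinct logon by alice later on
    {"_time": "09:15:00", "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{1a2b3c4d-0000-4000-8000-000000000002}"},
    # machine account (trailing $): system connection, not a user logon
    {"_time": "09:16:00", "TargetUserName": "WS01$", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{1a2b3c4d-0000-4000-8000-000000000003}"},
    # plain auth activity without a logon GUID, for two different users
    {"_time": "09:20:00", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "Computer": "FS01", "LogonGuid": ZERO_GUID},
    {"_time": "09:21:00", "TargetUserName": "carol", "TargetDomainName": "CORP",
     "Computer": "FS01", "LogonGuid": ZERO_GUID},
    # a real logon by bob
    {"_time": "09:30:00", "TargetUserName": "bob", "TargetDomainName": "CORP",
     "Computer": "FS01", "LogonGuid": "{1a2b3c4d-0000-4000-8000-000000000004}"},
]


def filter_user_logons(events):
    """The answer's base search: drop all-zero GUIDs and machine accounts ($)."""
    return [e for e in events
            if e["LogonGuid"] != ZERO_GUID and not e["TargetUserName"].endswith("$")]


def dedup_by(events, field):
    """Splunk-style dedup: keep the first event seen for each value of `field`."""
    seen, kept = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            kept.append(e)
    return kept


def stats_count_by_user_computer(events):
    """The answer's `stats count by TargetUserName, Computer` on the filtered set."""
    return dict(Counter((e["TargetUserName"], e["Computer"])
                        for e in filter_user_logons(events)))


def naive_dedup_count(events):
    """The asker's approach: dedup Logon_GUID over everything, then count by user.
    All zero-GUID records collapse into one, so some users vanish and the
    machine account survives."""
    return dict(Counter(e["TargetUserName"] for e in dedup_by(events, "LogonGuid")))


def distinct_logons_per_user(events):
    """Filter first, then dedup on LogonGuid: one row per real logon session."""
    return dict(Counter(e["TargetUserName"]
                        for e in dedup_by(filter_user_logons(events), "LogonGuid")))


if __name__ == "__main__":
    print("answer, raw count:   ", stats_count_by_user_computer(SAMPLE_4624))
    print("asker, naive dedup:  ", naive_dedup_count(SAMPLE_4624))
    print("filter + dedup:      ", distinct_logons_per_user(SAMPLE_4624))
```

On this sample the answer's stats still counts alice three times on DC01 because the repeated record shares a GUID with the first; the naive dedup reports bob twice, drops carol entirely and keeps WS01$; filtering before the dedup yields two logons for alice and one for bob, which is the number the asker was after.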

