Hi,
I am trying to identify how often a user account was logged on. The problem is that the DC generates multiple 4624 events in a very short time (different processes?). Is there any best-practice solution to get a correct number of logon events? There are some topics with that question but I can't find any usable solution.
I tried with | dedup Logon_GUID but that doesn't work 😞
sourcetype="WinEventLog:Security" EventCode=4624
| eval Account_Name=if(Account_Name="-", mvindex(Account_Name,1), Account_Name)
| eval Account_Domain=if(Account_Domain="-", mvindex(Account_Domain,1), Account_Domain)
| dedup Logon_GUID
| chart count by Account_Name
| sort - count
For my environment I was able to do this:
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| table _time, TargetUserName, TargetDomainName, Computer
The notable items in the base search:
- LogonGuid: this appeared to be all zeros when it was just normal auth activity but not a logon
- TargetUserName: the users in my environment all end without a $ (those are system connections)
So the table will give you a list of the activity, but if you want a count you could use stats or timechart to see patterns over time.
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| stats count by TargetUserName, Computer
OR
index=wineventlog source=WinEventLog:Security EventID=4624 LogonGuid!="{00000000-0000-0000-0000-000000000000}" TargetUserName!=*$
| timechart count by TargetUserName
Hopefully a Windows expert will have better insight into how to filter the results to avoid the duplicates, but this should be good to get you going.
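As an added illustration (not part of the original thread), here is the same filter applied outside Splunk: drop zero-GUID records and machine accounts as in the answer above, then count one logon per LogonGuid as the question attempted with dedup. The field names follow the answer; the sample events are constructed.

```python
from collections import Counter

# All-zero LogonGuid: seen on auth activity that is not an actual logon (see answer above).
ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample records, not real logs. One logon for alice shows up as three
# 4624 events sharing a LogonGuid (the duplication the question describes); there
# is also a zero-GUID record, a machine account (name ends in $) and a 4634 logoff.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{aaaaaaaa-0000-0000-0000-000000000001}"},
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{aaaaaaaa-0000-0000-0000-000000000001}"},
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{aaaaaaaa-0000-0000-0000-000000000001}"},
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{aaaaaaaa-0000-0000-0000-000000000002}"},
    {"EventID": 4624, "TargetUserName": "bob", "TargetDomainName": "CORP",
     "Computer": "DC02", "LogonGuid": "{bbbbbbbb-0000-0000-0000-000000000001}"},
    {"EventID": 4624, "TargetUserName": "bob", "TargetDomainName": "CORP",
     "Computer": "DC02", "LogonGuid": ZERO_GUID},
    {"EventID": 4624, "TargetUserName": "WS01$", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{cccccccc-0000-0000-0000-000000000001}"},
    {"EventID": 4634, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "Computer": "DC01", "LogonGuid": "{aaaaaaaa-0000-0000-0000-000000000001}"},
]


def raw_4624_count(events):
    """Naive count of 4624 events: inflated by the per-process duplicates."""
    return sum(1 for ev in events if ev.get("EventID") == 4624)


def is_user_logon(ev):
    """Mirror the base search: EventID=4624, non-zero LogonGuid, TargetUserName not ending in $."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonGuid", ZERO_GUID) != ZERO_GUID
            and not ev.get("TargetUserName", "").endswith("$"))


def count_logons(events):
    """Count distinct logons per (TargetUserName, Computer), one per LogonGuid."""
    seen, counts = set(), Counter()
    for ev in events:
        if not is_user_logon(ev) or ev["LogonGuid"] in seen:
            continue
        seen.add(ev["LogonGuid"])
        counts[(ev["TargetUserName"], ev["Computer"])] += 1
    return dict(counts)
```

On the sample above the naive count is 7 while the deduplicated count is 2 logons for alice and 1 for bob; the ratio you see in your own data shows how much the raw 4624 number overstates logons.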