
help with AD user search where user!="*$"

sdewar83
Path Finder

Hi,

I'm doing searches for account login failures using EventCode="4625".

The problem is the search returns a lot of results of user "$" trying to log onto itself or other hosts. I believe these logon event types are something to do with Remote Desktop Services or mapping drives from one host to another etc., but I'm trying to filter them out of my search.

So far my search looks like:

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* | where EventCode="4625"
| where user!="*$" | stats count by user, ComputerName, EventCode
| sort user, - count
| rename EventCode as "Windows Event ID", count as "Number of Events", user as "Active Directory Account"

I'm trying to use where user!="*$" (i.e. where user doesn't equal anything ending with a $) to filter it out, but it's not working.
I've also tried where user!="xxxx*" and where user!="xxxx*$" and that hasn't worked either.

Any ideas? Thanks in advance!


adonio
Ultra Champion

You can filter directly; no need for | where. Like this:

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode="4625" user!="*$"
| stats count as "Number of Events" by user, ComputerName, EventCode
| sort user, -"Number of Events"
| rename EventCode as "Windows Event ID", user as "Active Directory Account"

I highly recommend going through Splunk Fundamentals 1
https://splunk.com/en_us/training/courses/splunk-fundamentals-1.html
and reading the search manual / going through the search tutorial in detail
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial

good luck


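Editor's note and added example, not part of the original thread. The asker's `| where user!="*$"` did nothing because the where command compares values literally and never expands `*`: it only drops an account whose name is exactly the two characters `*$`. The search command, which the accepted answer uses, is where `*` acts as a wildcard. When the filter has to sit after the pipe (for example after a stats or a lookup), use the eval function like(), whose wildcard is the SQL-style `%`, instead of a search-style pattern. The search below keeps the asker's index, sourcetype and host placeholders as they are and assumes the Logon_Type field is extracted from the 4625 event, as it is with the Splunk Add-on for Microsoft Windows, so each row also shows which logon types (network, interactive, RDP, and so on) produced the failures:

```spl
index=wineventlog sourcetype="WinEventLog:Security" host=xxxx* EventCode=4625
| where NOT like(user, "%$")
| stats count AS "Number of Events", values(Logon_Type) AS "Logon Types" BY user, ComputerName, EventCode
| sort user, -"Number of Events"
| rename EventCode AS "Windows Event ID", user AS "Active Directory Account"
```

Two caveats worth knowing. In the search command, `user!="*$"` only keeps events that actually carry a user field; `NOT user="*$"` would also keep events where the field is missing, which is what you want if you are hunting for extraction gaps rather than reporting. And since the sort comes after count has been renamed, it has to reference the new name (`"Number of Events"`); sorting on `count` at that point is a silent no-op.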
sdewar83
Path Finder

That did the trick! Thanks so much.

Yeah, fair call, I'd better go back and have another look.
