
help with AD user search where user!="*$"

Path Finder

Hi,

I'm doing searches for account login failures using EventCode="4625".

The problem is the search returns a lot of results of user "$" trying to log onto itself or other hosts. I believe these logon event types are something to do with Remote Desktop Services or mapping drives from one host to another etc., but I'm trying to filter them out of my search.

So far my search looks like:

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* | where EventCode="4625"
| where user!="*$" | stats count by user, ComputerName, EventCode
| sort user, -count
| rename EventCode as "Windows Event ID", count as "Number of Events", user as "Active Directory Account"

I'm trying to use where user!="*$" (i.e. where user doesn't equal anything ending with a $) to filter it out but it's not working.
I've also tried where user!="xxxx*" and where user!="xxxx*$" and that hasn't worked either.

Any ideas? Thanks in advance!


SplunkTrust

You can filter directly, no need for | where ...
Like this:

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode="4625" user!="*$"
| stats count as "Number of Events" by user, ComputerName, EventCode
| sort user, -count
| rename EventCode as "Windows Event ID", user as "Active Directory Account"

I highly recommend going through Splunk Fundamentals 1
https://splunk.com/en_us/training/courses/splunk-fundamentals-1.html
and reading the Search Manual / going through the Search Tutorial in detail
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial

good luck

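The reason the asker's `where user!="*$"` did nothing is that the where command compares literal strings: `*` is only a wildcard in the search command, so that clause excludes just an account literally named `*$`. Inside where you need the like() or match() functions instead. The searches below are added examples, not code from the posts; host=xxxx* is the thread's own placeholder, and the last search keeps the computer accounts but tags them, since failed logons from a machine account are worth seeing rather than silently dropping.

```spl
index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode=4625
| where NOT like(user, "%$")
| stats count AS "Number of Events" BY user, ComputerName, EventCode
| sort user, -count
| rename EventCode AS "Windows Event ID", user AS "Active Directory Account"

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode=4625
| where NOT match(user, "\$$")
| stats count AS "Number of Events" BY user, ComputerName, EventCode
| sort user, -count

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode=4625
| eval account_type=if(match(user, "\$$"), "computer", "user")
| stats count AS "Number of Events" BY account_type, user, ComputerName, EventCode
| sort account_type, user, -count
```

The first two searches return the same rows as the accepted answer's search-time `user!="*$"` filter; the third is the one to run when you want to check what the excluded machine accounts were doing.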


Path Finder

That did the trick! Thanks so much.

Yeah, fair call, I'd better go back and have another look.
