How to correlate 4688 Process created and Logon 46...

itssuresh07 · ‎07-14-2021

Hi,

Can someone help me in correlating 4688 Process created and Logon 4624 events?

I tried using the Transaction and Stats command but unable to get the proper results. When I use the Transaction command with Logon_ID field I could not able to correlate both 4624 and 4688 events. Can some one help me in fixing the query.

(EventCode=4624 LogonType=3) OR ((EventCode=4688)
| transaction Logon_ID host startswith="4624" endswith="4688"

Can someone help me in getting the Correct field for Correlating the 4688 and 4624 events in splunk

efika · ‎07-16-2021

Hi @itssuresh07 ,

I assume that when you run the first part of the query you do get the 4624 and 4688 Events, right ?

If so, it might be that the maxspan or maxpause options were changed to very small defaults (like 1s).

Try to explicitly declare no limits:

| transaction Logon_ID host startswith=(EventCode=4624) endswith=(EventCode=4688) maxspan=-1 maxpause=-1

See the docs at https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Transaction

itssuresh07 · ‎07-20-2021

I have tried the below query with maxspan=-1 maxpause=-1 but I am not getting the Hostnames. Can you please help me in getting Correct fields for matching the Logon_ID events in Splunk for 4624 and 4688. Or is there any other way for Correlating 4624 and 4688 events.

I need to verify who has logged into the machine within the session created and ran the process from his account.

How to correlate 4688 Process created and Logon 4624 events

correlation search

using Enterprise Security

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation