Hi,
Can someone help me in correlating 4688 Process created and Logon 4624 events?
I tried using the Transaction and Stats commands but was unable to get the proper results. When I use the Transaction command with the Logon_ID field, I cannot correlate the 4624 and 4688 events. Can someone help me fix the query?
(EventCode=4624 LogonType=3) OR (EventCode=4688)
| transaction Logon_ID host startswith="4624" endswith="4688"
Can someone help me find the correct field for correlating the 4688 and 4624 events in Splunk?
Hi @itssuresh07 ,
I assume that when you run the first part of the query you do get the 4624 and 4688 events, right?
If so, it might be that the maxspan or maxpause options were changed to very small defaults (like 1s).
Try to explicitly declare no limits:
| transaction Logon_ID host startswith=(EventCode=4624) endswith=(EventCode=4688) maxspan=-1 maxpause=-1
See the docs at https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Transaction
I have tried the below query with maxspan=-1 maxpause=-1, but I am not getting the hostnames. Can you please help me find the correct fields for matching the Logon_ID events in Splunk for 4624 and 4688? Or is there any other way of correlating 4624 and 4688 events?
I need to verify who has logged into the machine within the session created and ran the process from his account.
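The join the thread is trying to express, shown as an added example (not code from either poster or from Splunk's documentation): a Python pass over constructed, already field-extracted 4624 and 4688 events that links each process creation to the logon session that spawned it. The join key is (host, logon session ID) rather than a bare Logon ID, because Windows logon IDs are only unique per boot of one host. The field names TargetLogonId, SubjectLogonId, TargetUserName, IpAddress and NewProcessName are assumptions that match one common Windows add-on extraction; a single Logon_ID field on 4624 is usually multivalued (the Subject's ID plus the New Logon's ID), which is a likely reason the transaction on Logon_ID does not line up. The stats-based SPL in the docstring is the same logic in search language, with the same assumed field names.

```python
"""
Added example: join Windows 4624 (logon) and 4688 (process creation) events
on the logon session ID so each process is attributed to the logon that ran it.

Assumed field names (check against your own extractions):
  4624: TargetLogonId is the ID of the new session, TargetUserName / IpAddress
        describe who logged on and from where.
  4688: SubjectLogonId is the session that spawned the process.

Equivalent stats-based SPL, same assumed field names (assumption, not from the thread):
    (EventCode=4624 LogonType=3) OR EventCode=4688
    | eval session_id=if(EventCode=4624, TargetLogonId, SubjectLogonId)
    | stats values(TargetUserName) as logon_user values(IpAddress) as src_ip
            values(NewProcessName) as process by host session_id
"""

# Constructed sample events, already field-extracted the way Splunk presents them.
SAMPLE_EVENTS = [
    {"_time": 100, "host": "SRV01", "EventCode": "4624", "LogonType": "3",
     "TargetUserName": "alice", "TargetLogonId": "0x3E7A1", "IpAddress": "10.0.0.5"},
    {"_time": 105, "host": "SRV01", "EventCode": "4688", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3E7A1", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"_time": 110, "host": "SRV01", "EventCode": "4688", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3E7A1", "NewProcessName": r"C:\Windows\System32\whoami.exe"},
    # Same logon ID value on another host: must not be attached to SRV01's session.
    {"_time": 120, "host": "SRV02", "EventCode": "4688", "SubjectUserName": "bob",
     "SubjectLogonId": "0x3E7A1", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    # Interactive logon (type 2) that also arrives after the process above.
    {"_time": 130, "host": "SRV02", "EventCode": "4624", "LogonType": "2",
     "TargetUserName": "bob", "TargetLogonId": "0x3E7A1", "IpAddress": "-"},
]


def session_key(event):
    """Join key: (host, logon session ID). 4624 names the new session in
    TargetLogonId; 4688 names the spawning session in SubjectLogonId."""
    if event["EventCode"] == "4624":
        return (event["host"], event["TargetLogonId"])
    if event["EventCode"] == "4688":
        return (event["host"], event["SubjectLogonId"])
    return None


def correlate(events, logon_types=("3",)):
    """Return one record per 4688 event, enriched with the 4624 that opened its
    session. Events are walked in time order so a process is only matched to a
    logon that happened before it. Processes whose logon was not seen (session
    older than the search window, or excluded by logon type) are kept with
    logon_user=None rather than silently dropped, which is what a transaction
    with a required startswith clause would do."""
    open_sessions = {}
    results = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] == "4624":
            if ev.get("LogonType") in logon_types:
                # A later 4624 with the same ID (e.g. after a reboot) replaces the old one.
                open_sessions[session_key(ev)] = ev
            continue
        if ev["EventCode"] != "4688":
            continue
        logon = open_sessions.get(session_key(ev))
        results.append({
            "host": ev["host"],
            "process": ev["NewProcessName"],
            "process_time": ev["_time"],
            "logon_user": logon["TargetUserName"] if logon else None,
            "src_ip": logon["IpAddress"] if logon else None,
            "logon_time": logon["_time"] if logon else None,
        })
    return results


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

Running the block prints three rows: the two SRV01 processes attributed to alice from 10.0.0.5, and the SRV02 process with no logon attached, since its 4624 is both a non-network logon and later than the process. In a real search, the unmatched rows are the ones worth a second look: either the logon predates the search window or the session ID was reused.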