Splunk Enterprise Security

How to correlate 4688 Process created and Logon 4624 events

itssuresh07
New Member

Hi,

Can someone help me in correlating 4688 Process created and Logon 4624 events?

I tried using the Transaction  and Stats command but unable to get the proper results. When I use the Transaction command with Logon_ID field I could not able to correlate both 4624 and 4688 events. Can some one help me in fixing the query.

 

(EventCode=4624 LogonType=3) OR ((EventCode=4688)
| transaction Logon_ID host startswith="4624" endswith="4688"

 

Can someone help me in getting the Correct field for Correlating the 4688 and 4624 events in splunk

0 Karma

efika
Communicator

Hi @itssuresh07 ,

 

I assume that when you run the first part of the query you do get the 4624 and 4688 Events, right ?

If so, it might be that the maxspan or maxpause options were changed to very small defaults (like 1s).

Try to explicitly declare no limits:

| transaction Logon_ID host startswith=(EventCode=4624) endswith=(EventCode=4688) maxspan=-1 maxpause=-1

 

See the docs at https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Transaction 

0 Karma

itssuresh07
New Member

I have tried the below query with maxspan=-1 maxpause=-1 but I am not getting the Hostnames. Can you please help me in getting Correct fields for matching the Logon_ID events in Splunk for 4624 and 4688. Or is there any other way for Correlating 4624 and 4688 events. 

I need to verify who has logged into the machine within the session created and ran the process from his account.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...