Solved: How to search for logon/logoff activity of domain ...

dhrechkosy · ‎02-10-2017

Trying to figure out how to search for all logon/logoff attempts by any users in the "Domain Admins" group in active directory. I am currently using Splunk Light 6.5.2 and forwarding the security log events from one single domain controller to Splunk.

What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for all logon and logoff activity and then filter it to the specific users I'm looking for?

There are 3 staff in the domain admins group as well as the built in domain-administrator account. Management wants me to find a way to track logs for every logon/logoff for these four accounts.

Any suggestions will be helpful as I'm still quite new to this software.

nickhills · ‎02-11-2017

You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.

tag=authentication tag=login [search inputlookup admin_users.csv]

(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎02-11-2017

You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.

tag=authentication tag=login [search inputlookup admin_users.csv]

(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)

If my comment helps, please give it a thumbs up!

dhrechkosy · ‎02-13-2017

Perfect I will try this suggestion. Do you know where the admin_users.csv file will need to be placed in order for splunk to recognize it when I run this sub search?

starcher · ‎02-13-2017

https://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/AddlookupfilestoSplunk

dhrechkosy · ‎02-13-2017

Just a few more questions/clarifications needed:

For the two tags you mentioned "authentication" and "login" what field should those correspond to?

I set authentication to EventCode=4634 and EventCode=4672, not sure if thats right and not certain what login should be set as.

For the admin_users.csv file what is the format it should be in? Currently I just had an empty csv file with:

Username
Username
Username

Should there be any special formatting inside the .csv file to list the domain admin names properly?

nickhills · ‎02-13-2017

your CSV will need to contain a header row, and you may find it useful to drop some friendly names in too.

username, firstname, surname
bob.jones, bob, jones
user662237, mike, smith

etc.

If my comment helps, please give it a thumbs up!

dhrechkosy · ‎02-13-2017

Hi Nick,

Thanks looks like I have that all figured out now. As for the tags what field value pairs do you recommend?

authentication:

login:

dhrechkosy · ‎02-13-2017

Thank you!

starcher · ‎02-11-2017

This is the easiest being new. Longer term you could make a lookup table inspired by the Enterprise Security app format for identities.
http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

Then apply it as an auto lookup on the sourcetype of those logs.
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Knowledge/Makeyourlookupautomatic

How to search for logon/logoff activity of domain admins

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?