Splunk Enterprise

How to search for logon/logoff activity of domain admins

dhrechkosy
Explorer

Trying to figure out how to search for all logon/logoff attempts by any users in the "Domain Admins" group in active directory. I am currently using Splunk Light 6.5.2 and forwarding the security log events from one single domain controller to Splunk.

What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for all logon and logoff activity and then filter it to the specific users I'm looking for?

There are 3 staff in the domain admins group as well as the built in domain-administrator account. Management wants me to find a way to track logs for every logon/logoff for these four accounts.

Any suggestions will be helpful as I'm still quite new to this software.

1 Solution

nickhills
Ultra Champion

You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.

tag=authentication tag=login [search inputlookup admin_users.csv] 

(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.

tag=authentication tag=login [search inputlookup admin_users.csv] 

(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)

If my comment helps, please give it a thumbs up!

dhrechkosy
Explorer

Perfect I will try this suggestion. Do you know where the admin_users.csv file will need to be placed in order for splunk to recognize it when I run this sub search?

0 Karma

dhrechkosy
Explorer

Just a few more questions/clarifications needed:

For the two tags you mentioned "authentication" and "login" what field should those correspond to?

I set authentication to EventCode=4634 and EventCode=4672, not sure if thats right and not certain what login should be set as.

For the admin_users.csv file what is the format it should be in? Currently I just had an empty csv file with:

Username
Username
Username

Should there be any special formatting inside the .csv file to list the domain admin names properly?

0 Karma

nickhills
Ultra Champion

your CSV will need to contain a header row, and you may find it useful to drop some friendly names in too.

username, firstname, surname
bob.jones, bob, jones
user662237, mike, smith

etc.

If my comment helps, please give it a thumbs up!
0 Karma

dhrechkosy
Explorer

Hi Nick,

Thanks looks like I have that all figured out now. As for the tags what field value pairs do you recommend?

authentication:

login:

0 Karma

dhrechkosy
Explorer

Thank you!

0 Karma

starcher
SplunkTrust
SplunkTrust

This is the easiest being new. Longer term you could make a lookup table inspired by the Enterprise Security app format for identities.
http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

Then apply it as an auto lookup on the sourcetype of those logs.
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Knowledge/Makeyourlookupautomatic

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...