Trying to figure out how to search for all logon/logoff attempts by any users in the "Domain Admins" group in active directory. I am currently using Splunk Light 6.5.2 and forwarding the security log events from one single domain controller to Splunk.
What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for all logon and logoff activity and then filter it to the specific users I'm looking for?
There are 3 staff in the domain admins group as well as the built in domain-administrator account. Management wants me to find a way to track logs for every logon/logoff for these four accounts.
Any suggestions will be helpful as I'm still quite new to this software.
You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.
tag=authentication tag=login [| inputlookup admin_users.csv | fields username | rename username AS user]
(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)
Hi, do you mind sharing the search string/SPL you used to get the AD login information?
Thank you!
Perfect I will try this suggestion. Do you know where the admin_users.csv file will need to be placed in order for splunk to recognize it when I run this sub search?
Just a few more questions/clarifications needed:
For the two tags you mentioned "authentication" and "login" what field should those correspond to?
I set authentication to EventCode=4634 and EventCode=4672, not sure if that's right and not certain what login should be set as.
For the admin_users.csv file what is the format it should be in? Currently I just had an empty csv file with:
Username
Username
Username
Should there be any special formatting inside the .csv file to list the domain admin names properly?
Your CSV will need to contain a header row, and you may find it useful to drop some friendly names in too.
username, firstname, surname
bob.jones, bob, jones
user662237, mike, smith
etc.
Hi Nick,
Thanks, looks like I have that all figured out now. As for the tags, what field/value pairs do you recommend?
authentication:
login:
Thank you!
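As an added example (not from Nick or anyone else in this thread), here is one complete search that puts the pieces together without relying on the authentication/login tags: it pulls the admin list from the CSV with the header Nick suggested, and matches Windows Security events for logon (4624), privileged logon (4672, raised whenever an account with admin-level privileges signs in) and logoff (4634, 4647). It assumes the Splunk Add-on for Windows field names (user, Logon_Type, src_ip), an index named wineventlog and the sourcetype WinEventLog:Security; adjust those to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4672)
    [| inputlookup admin_users.csv | fields username | rename username AS user]
| eval action=case(EventCode=4624, "logon",
                   EventCode=4672, "privileged logon",
                   EventCode=4634 OR EventCode=4647, "logoff")
| table _time host user action Logon_Type src_ip EventCode
| sort 0 _time
```

The subsearch expands to (user="bob.jones") OR (user="user662237") OR ..., so the CSV column name only has to be renamed to whatever field your Windows events carry the account name in. The lookup file itself goes in an app's lookups directory (for example $SPLUNK_HOME/etc/apps/search/lookups/admin_users.csv) or is uploaded via Settings > Lookups > Lookup table files. Expect 4624 with Logon_Type 3 (network) to be the noisy part on a domain controller; if management only wants interactive and remote-desktop sessions, add Logon_Type IN (2, 10) to the first line (or (Logon_Type=2 OR Logon_Type=10) on releases without IN).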
This is the easiest being new. Longer term you could make a lookup table inspired by the Enterprise Security app format for identities.
http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference
Then apply it as an auto lookup on the sourcetype of those logs.
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Knowledge/Makeyourlookupautomatic
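As an added example of the automatic-lookup approach described above (not from the thread or the Splunk docs), these two configuration stanzas enrich every Windows Security event whose user field matches a row in the same admin_users.csv, so the friendly-name fields appear without a subsearch. They assume the CSV lives in the search app and the sourcetype is WinEventLog:Security.

```ini
# transforms.conf in $SPLUNK_HOME/etc/apps/search/local/ (assumed location)
# Defines the lookup against the CSV with header: username, firstname, surname
[admin_users]
filename = admin_users.csv

# props.conf in the same directory
# Match the event's "user" field to the CSV "username" column and add the
# name columns only to events of listed admins (OUTPUTNEW does not overwrite)
[WinEventLog:Security]
LOOKUP-admin_users = admin_users username AS user OUTPUTNEW firstname surname
```

After a restart (or a debug/refresh), the admin-only view becomes a plain search such as sourcetype="WinEventLog:Security" EventCode=4672 surname=*, because non-admin events never receive the surname field. Keep the CSV the single source of truth and update it when group membership changes; an automatic lookup is only as accurate as that file.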