Hi,
I have a list of allowed IP addresses and want to use Splunk to find any Windows login from a source IP other than the ones I have on my list.
Can you help me write a query please?
Thank you
The events I get in Splunk are Security, Application and System.
What data do you have in your events?
01/14/2022 09:47:17 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=2R4EHQA
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=166686450
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: 2R4EHQA$
Account Domain: WGG25TJD3
Logon ID: 0x3E7
Logon Information:
Logon Type: 10
Restricted Admin Mode: No
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: 2R4EHQA\admin
Account Name: admin
Account Domain: 2R4EHQA
Logon ID: 0x10B4B3F587
Linked Logon ID: 0x10B4B3F54B
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x914
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: 2R4EHQA
Source Network Address: 192.168.2.11
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Which fields do you already have extracted for these events? For example, Source Network Address?
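One way to build the search asked for above, as an added example that is not from anyone in this thread. It assumes the Security log lands in an index called `wineventlog` (change to whatever index the events actually live in), and that the allow list has been uploaded as a lookup file `allowed_ips.csv` with two columns, `src_ip` and `allowed` (the value in `allowed` can be anything, e.g. `yes`; only its presence matters). All fields are pulled out of the raw message with `rex`, so the search does not depend on which fields the Windows add-on has already extracted:

```spl
index=wineventlog LogName=Security EventCode=4624
| rex field=_raw "Logon Type:\s+(?<logon_type>\d+)"
| rex field=_raw "New Logon:[\s\S]*?Account Name:\s+(?<target_user>[^\r\n]+)"
| rex field=_raw "Source Network Address:\s+(?<src_ip>[^\s]+)"
| where isnotnull(src_ip) AND src_ip!="-" AND src_ip!="127.0.0.1" AND src_ip!="::1"
| lookup allowed_ips.csv src_ip OUTPUT allowed
| where isnull(allowed)
| stats count min(_time) AS first_seen max(_time) AS last_seen values(target_user) AS users values(logon_type) AS logon_types BY src_ip ComputerName
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

The `lookup ... OUTPUT allowed` step only fills in `allowed` for rows whose `src_ip` matches a row in the CSV, so `where isnull(allowed)` keeps exactly the logons whose source address is not on the list. The `where` line before it drops events with no real source address: service, system and local logons (logon types 0, 4, 5) report `-` in `Source Network Address`, and those would otherwise all show up as "not on the list". If the allow list is made of ranges rather than single addresses, define the lookup with a CIDR match type on `src_ip` in the lookup definition, or replace the two lookup lines with `| where NOT cidrmatch("192.168.2.0/24", src_ip)` (that range is just an illustration taken from the sample event's address, not a known allowed range). For the sample event above, `src_ip` would be `192.168.2.11`, `target_user` `admin` and `logon_type` `10`, so the row appears in the output only if `192.168.2.11` is absent from `allowed_ips.csv`.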