Find Any windows login from a source IP other tha...

websplunk01 · ‎01-13-2022

Hi ,
I have a list of allowed IP addresses and want to use splunk to find any windows login from a source Ip other than the one I have on my list .
Can you help me write a query please ?
Thank you
The events I get in splunk are security application and system

ITWhisperer · ‎01-13-2022

What data do you have in your events?

websplunk01 · ‎01-14-2022

01/14/2022 09:47:17 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=2R4EHQA
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=166686450
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		2R4EHQA$
	Account Domain:		WGG25TJD3
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		10
	Restricted Admin Mode:	No
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Impersonation

New Logon:
	Security ID:		2R4EHQA\admin
	Account Name:		admin
	Account Domain:		2R4EHQA
	Logon ID:		0x10B4B3F587
	Linked Logon ID:		0x10B4B3F54B
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x914
	Process Name:		C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	2R4EHQA
	Source Network Address:	192.168.2.11
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

ITWhisperer · ‎01-14-2022

Which fields do you already have extracted for these events? For example, Source Network Address?

Find Any windows login from a source IP other than the known one

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!