Splunk Search

Find Any windows login from a source IP other than the known one

websplunk01
Engager

Hi,
I have a list of allowed IP addresses and want to use Splunk to find any Windows login from a source IP other than the ones I have on my list.
Can you help me write a query please?
Thank you
The events I get in Splunk are Security, Application and System.


ITWhisperer
SplunkTrust

What data do you have in your events?


websplunk01
Engager
01/14/2022 09:47:17 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=2R4EHQA
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=166686450
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		2R4EHQA$
	Account Domain:		WGG25TJD3
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		10
	Restricted Admin Mode:	No
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Impersonation

New Logon:
	Security ID:		2R4EHQA\admin
	Account Name:		admin
	Account Domain:		2R4EHQA
	Logon ID:		0x10B4B3F587
	Linked Logon ID:		0x10B4B3F54B
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x914
	Process Name:		C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	2R4EHQA
	Source Network Address:	192.168.2.11
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

ITWhisperer
SplunkTrust

Which fields do you already have extracted for these events? For example, Source Network Address?

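The check the question describes, as an added example that is not from the thread: pull the fields out of the raw 4624 event body the way a Splunk `rex` would, then flag logons whose Source Network Address falls outside an allowlist. The allowlist, the second and third sample events and the local-logon handling are constructed assumptions; the first sample reuses the values from the event posted above.

```python
import ipaddress
import re

# Constructed samples laid out like the 4624 event quoted in the thread, trimmed
# to the sections this check reads; the first one reuses the thread's values.
TEMPLATE = ("LogName=Security\nEventCode=4624\nComputerName={host}\n"
            "Message=An account was successfully logged on.\n\n"
            "Logon Information:\n\tLogon Type:\t\t{ltype}\n\nNew Logon:\n"
            "\tSecurity ID:\t\t{host}\\{user}\n\tAccount Name:\t\t{user}\n\n"
            "Network Information:\n\tSource Network Address:\t{src}\n")
SAMPLE_EVENTS = [
    TEMPLATE.format(host="2R4EHQA", ltype=10, user="admin", src="192.168.2.11"),
    TEMPLATE.format(host="2R4EHQA", ltype=10, user="admin", src="203.0.113.7"),
    TEMPLATE.format(host="2R4EHQA", ltype=2, user="svc", src="-"),
]
ALLOWED = ["192.168.2.0/24", "10.0.0.5"]  # assumed allowlist, as CIDRs or single hosts

FIELDS = {  # regexes over the raw Message text, so no Splunk field extraction is assumed
    "event_code": re.compile(r"^EventCode=(\d+)", re.M),
    "host": re.compile(r"^ComputerName=(\S+)", re.M),
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "user": re.compile(r"New Logon:.*?Account Name:\s+(\S+)", re.S),  # logged-on account, not Subject
    "src_ip": re.compile(r"Source Network Address:\s+(\S+)"),
}

def parse_logon(event: str) -> dict:
    """Extract the fields the source-IP check needs; a missing section yields None."""
    return {k: (m.group(1) if (m := rx.search(event)) else None) for k, rx in FIELDS.items()}

def is_allowed(src, allowed) -> bool:
    """Local logons ('-', loopback) carry no network source and are not flagged;
    anything else must fall inside one of the allowlisted networks."""
    if src in (None, "-"):
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable address: surface it rather than hide it
    return ip.is_loopback or any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)

def unexpected_logons(events, allowed):
    """Return the parsed 4624 logons whose source IP is outside the allowlist."""
    parsed = (parse_logon(e) for e in events)
    return [r for r in parsed if r["event_code"] == "4624" and not is_allowed(r["src_ip"], allowed)]

if __name__ == "__main__":
    for r in unexpected_logons(SAMPLE_EVENTS, ALLOWED):
        print(f"{r['host']}: {r['user']} logon type {r['logon_type']} from {r['src_ip']}")
```

In Splunk the same steps map onto `rex` extractions of Source Network Address and the New Logon account name, a `lookup` against an allowlist CSV, and a `where isnull(...)` filter on the rows the lookup did not match. Local and service logons report `-` or a loopback address in that field, so they need the same exclusion there too.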