Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find Any windows login from a source IP other than the known one

websplunk01
Engager
‎01-13-2022 11:20 AM

Hi , 
I have a list of allowed IP addresses and want to use splunk to find any windows login from a source Ip other than the one I have on my list .
Can you help me write a query please ?
Thank you 
The events I get in splunk are security application and system 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2022 11:33 AM

What data do you have in your events?

0 Karma
Reply

websplunk01
Engager
‎01-14-2022 06:51 AM 
01/14/2022 09:47:17 AM
LogName=Security
EventCode=4624
EventType=0
ComputerName=2R4EHQA
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=166686450
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		2R4EHQA$
	Account Domain:		WGG25TJD3
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		10
	Restricted Admin Mode:	No
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Impersonation

New Logon:
	Security ID:		2R4EHQA\admin
	Account Name:		admin
	Account Domain:		2R4EHQA
	Logon ID:		0x10B4B3F587
	Linked Logon ID:		0x10B4B3F54B
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x914
	Process Name:		C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	2R4EHQA
	Source Network Address:	192.168.2.11
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-14-2022 08:11 AM

Which fields do you already have extracted for these events? For example, Source Network Address?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...