Splunk Search

How to generate a search for non Public Key Infrastructure (PKI) logins in Active Directory over a 90 day period?

Explorer

I am a complete newbie to Splunk.

I have an environment in which users are set "token mandatory" by default for PKI (Public Key Infrastructure) login in AD (Active Directory). We have noticed lately that there is an overly large number of users that have requested waivers so that they can logon using username / pwd combo.

I there a way to track instances of "non token" login attempts over a 90 day period? My suspicion is that many of these waivers are not really needed. If I can show a trend of how many users are actually logging on with username / pwd combo vs logging on with PKI tokens, it would help me prove my case.

0 Karma
1 Solution

Explorer

I think I may have found an answer to my own question.

index-wineventlog sourcetype="WinEventLog:Security" kerberos Pre-Authentication_Type=2 |eval time=strftime(_time, "%m/%d/%y %I:%M %p") |rename AccountName AS NonTokenAuth_AccountName |stats latest(time) as last_NonTokenAuth-Timestamp by NonTokenAuth_AccountName |table last_NonTokenAuth-Timestamp,NonTokenAuth_AccountName

View solution in original post

0 Karma

Explorer

I think I may have found an answer to my own question.

index-wineventlog sourcetype="WinEventLog:Security" kerberos Pre-Authentication_Type=2 |eval time=strftime(_time, "%m/%d/%y %I:%M %p") |rename AccountName AS NonTokenAuth_AccountName |stats latest(time) as last_NonTokenAuth-Timestamp by NonTokenAuth_AccountName |table last_NonTokenAuth-Timestamp,NonTokenAuth_AccountName

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Esteemed Legend

Yes, this is exactly what the SecKit app does:

https://splunkbase.splunk.com/app/3059/

0 Karma