Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate a search that will display successful login attempts by members of Domain Admin group?

scottwhittier
New Member
‎02-16-2017 02:04 PM

Pretty new to all this.

I've got a Splunk 6.5.1 environment gathering data from Windows servers/desktops and Active Directory (AD). Need to create a search that will show me all login attempts and successes by members of the Domain Admins group. I can search data about the logins and I can get group membership via SA-LDAPSearch. How do I make the info about the Domain Admin group members available to the logins search?

TIA

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2017 12:22 AM

Hi scottwhittier,
to search login,logout and logfail events you have to insert in your search (eventually using a lookup) the following EventIds:
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4771, 17055, 18450, 18451, 18452, 18453, 18454, 18455, 18456, 18457, 18458, 18459, 18460, 18461, 24001, 24002, 24003 (the last ones are for Exchange and SQL Server).
Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.
Bye.
Giuseppe

0 Karma
Reply

nickhills
Ultra Champion
‎02-16-2017 02:13 PM

This may help:

https://answers.splunk.com/answers/499526/how-to-search-for-logonlogoff-activity-of-domain-a.html

If my comment helps, please give it a thumbs up!
Reply

scottwhittier
New Member
‎02-17-2017 09:45 AM

Thanks for this. I've looked through it and it will get me the info I want based on the current Domain Admins group. I am hoping there's a way to update the information from Domain Admins each time I run the query.

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...