Splunk Search
Highlighted

How to generate a search that will display successful login attempts by members of Domain Admin group?

New Member

Pretty new to all this.

I've got a Splunk 6.5.1 environment gathering data from Windows servers/desktops and Active Directory (AD). Need to create a search that will show me all login attempts and successes by members of the Domain Admins group. I can search data about the logins and I can get group membership via SA-LDAPSearch. How do I make the info about the Domain Admin group members available to the logins search?

TIA

0 Karma
Highlighted

Re: How to generate a search that will display successful login attempts by members of Domain Admin group?

Ultra Champion
Highlighted

Re: How to generate a search that will display successful login attempts by members of Domain Admin group?

New Member

Thanks for this. I've looked through it and it will get me the info I want based on the current Domain Admins group. I am hoping there's a way to update the information from Domain Admins each time I run the query.

0 Karma
Highlighted

Re: How to generate a search that will display successful login attempts by members of Domain Admin group?

Legend

Hi scottwhittier,
to search login,logout and logfail events you have to insert in your search (eventually using a lookup) the following EventIds:
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4771, 17055, 18450, 18451, 18452, 18453, 18454, 18455, 18456, 18457, 18458, 18459, 18460, 18461, 24001, 24002, 24003 (the last ones are for Exchange and SQL Server).
Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.
Bye.
Giuseppe

0 Karma