Splunk Search

How to generate a search to pull Active Directory logons for a specific user and include source IP address?

mattj81
New Member

Hi, I'm struggling with a search string to pull back Active Directory logon times for a specific user and to include the source IP address. Is this possible, please? Thanks!

0 Karma

javiergn
SplunkTrust

Assuming you have the Windows TA deployed you can simply do:

index=YOURWINDOWSINDEX eventtype=windows_logon_success user=YOURUSERNAME
| table _time, user, src_ip

Alternatively, look for the specific EventCode used by logon events:

index=YOURWINDOWSINDEX EventCode=4624 user=YOURUSERNAME
| table _time, user, src_ip
0 Karma
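A fuller version of that search, added here as an illustration and not part of javiergn's answer. It assumes the field names the Splunk Add-on for Microsoft Windows extracts from event 4624 (user, src_ip, Logon_Type, dest) and falls back to the raw Account_Name and Source_Network_Address fields when the add-on's aliases are missing; YOURWINDOWSINDEX and YOURUSERNAME are the same placeholders as in the answer above. It also drops machine accounts (names ending in $) and labels loopback or empty source addresses, which are what a console logon on the DC itself produces:

```spl
index=YOURWINDOWSINDEX sourcetype="WinEventLog:Security" EventCode=4624
    (user=YOURUSERNAME OR Account_Name=YOURUSERNAME)
| eval user=coalesce(user, Account_Name)
| eval src_ip=coalesce(src_ip, Source_Network_Address)
| eval src_ip=if(src_ip=="-" OR src_ip=="::1" OR src_ip=="127.0.0.1", "local", src_ip)
| where NOT like(user, "%$")
| eval logon_kind=case(Logon_Type==2, "interactive",
                       Logon_Type==3, "network",
                       Logon_Type==10, "rdp",
                       true(), "other-".Logon_Type)
| table _time, user, src_ip, logon_kind, dest
| sort -_time
```

Logon_Type matters for this question: a type 3 network logon is what a file share, Kerberos ticket or scripted query generates and will show the true client IP, while type 2 and type 10 are the interactive and RDP logons people usually mean by "logon times". If the result set is empty, check Source_Network_Address in the raw event first; it is populated only when the DC itself performed the authentication, so logons validated by a different DC will not appear in this DC's 4624 events.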

mattj81
New Member

Hi, sorry for the lack of response! I've opened a support ticket now, as it's not right: our DC doesn't appear to be sending events via Snare, so something isn't right 😞

0 Karma

mattj81
New Member

Thanks for the reply! What is Windows TA?

What do I use for "YOURWINDOWSINDEX" too? Can I search all indexes?

0 Karma

javiergn
SplunkTrust

Hi, you can search all the indexes, but that would be slower than just searching the one containing your Windows logs. If you are not sure, it might be because you are only using one default index called "main".

Alternatively, you can search for your index name first and then refine your query to use that index name instead of all of them. There are several ways to do this (assuming your sourcetype names are correct too):

| metasearch sourcetype="WinEventLog:Security" index=* | head 1 | table index

index=* EventCode=4624 
| head 1
| table index

etc

Try one of those and see if that helps.

0 Karma
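A complementary way to find where the Security log lands, added here as an illustration and not part of javiergn's answer. Because index, sourcetype and host are always indexed fields, tstats answers from the index metadata without reading events, so it is fast even over index=*. Listing the last event time per host is also the quickest check for the problem mattj81 describes later in the thread: a DC whose forwarder or Snare agent has stopped shows up here with a stale last_event or not at all. The 24-hour window and the WinEventLog:Security sourcetype are assumptions; substitute whatever your inputs use:

```spl
| tstats count latest(_time) as last_event
    where index=* sourcetype="WinEventLog:Security" earliest=-24h
    by index host
| eval last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S")
| sort -count
```

Once the index column shows where the events live, put that name into the index= clause of the logon search instead of index=*.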

javiergn
SplunkTrust

Hi @mattj81, did this solve your problem?
If yes, please don't forget to mark it as answered so that others can benefit from it.
If not, can you let us know what's going on so that we can try to help?

Thanks,
J

0 Karma

aaraneta_splunk
Splunk Employee

Hi @mattj81, javiergn is most likely referring to the Splunk Add-on for Microsoft Windows when he mentions "Windows TA" 🙂

0 Karma