
How to search Windows server logs if there are EventCodes 4634 and 4624 for the same Logon_ID within a 10 second time window?

New Member

Hello,

I'm quite new to Splunk and am trying the following:

In Windows Server logs, I'm trying to evaluate whether there are

EventCode=4634 and EventCode=4624 events that both have the same Logon_ID within a time window of 10 seconds.

(this may indicate a logon attempt where authentication worked, but authorization did not ...)

How can this be done?

Thanks

RB

0 Karma

Re: How to search Windows server logs if there are EventCodes 4634 and 4624 for the same Logon_ID within a 10 second time window?

SplunkTrust

This is fraught with perils. But, ...

index=* EventCode=4634 OR EventCode=4624 
| transaction maxspan=15s Logon_GUID startswith=EventCode=4624 endswith=EventCode=4634 
| table Logon_GUID EventCode

In my case, I use LogonGUID (because of the extra-perilousness of LogonID, and Windows' duplicated IDs in each event) and I used 15s (because that's what I typed - feel free to use your own).

I get a ton of hits on this search; it looks like service account activity. A lot better filtering would need to be done up front to make sure only the right sets of each EventCode are grabbed - filtering out certain accounts, only finding Audit Failures for one of them, ... something.

But, there's your search!

0 Karma
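To make the pairing logic of the answer's `transaction startswith=EventCode=4624 endswith=EventCode=4634` concrete, and to show the 10-second window from the question, here is an added Python example that is not part of the original thread or of Splunk. It walks constructed, simplified key=value event lines (not real exported Windows logs) in time order, pairs each 4624 with the next 4634 that carries the same Logon_ID, and reports only pairs whose logon-to-logoff span is within the window. A logoff with no preceding logon in scope is ignored, a reused Logon_ID simply starts a new pending pair, and Logon_Type 5 (service) events are excluded by default as one crude form of the up-front filtering the answer says is needed. The field names, the `exclude_logon_types` parameter and the sample values are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Windows Security events in a simplified "timestamp key=value ..."
# shape (not real exported logs); all timestamps are UTC.
SAMPLE_LOG = """\
2024-01-15T08:00:00Z EventCode=4624 Logon_ID=0x1A2B3C Account_Name=alice Logon_Type=10
2024-01-15T08:00:04Z EventCode=4634 Logon_ID=0x1A2B3C Account_Name=alice Logon_Type=10
2024-01-15T08:00:10Z EventCode=4624 Logon_ID=0x1A2B99 Account_Name=bob Logon_Type=3
2024-01-15T08:00:20Z EventCode=4634 Logon_ID=0xDEAD00 Account_Name=carol Logon_Type=2
2024-01-15T08:01:00Z EventCode=4624 Logon_ID=0x2C4D6E Account_Name=svc_backup Logon_Type=5
2024-01-15T08:01:02Z EventCode=4634 Logon_ID=0x2C4D6E Account_Name=svc_backup Logon_Type=5
2024-01-15T08:05:00Z EventCode=4634 Logon_ID=0x1A2B99 Account_Name=bob Logon_Type=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_events(text):
    """Turn each 'timestamp key=value ...' line into a dict with a parsed _time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than fail the whole run
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
        fields["_time"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_short_sessions(events, max_span=timedelta(seconds=10),
                        exclude_logon_types=frozenset({"5"})):
    """Pair each 4624 with the next 4634 that has the same Logon_ID, in time order,
    and return the pairs whose logon-to-logoff span is within max_span.

    exclude_logon_types (assumed parameter) drops events of those Logon_Type values
    before pairing; "5" (service) is excluded by default as a crude noise filter.
    """
    open_logons = {}  # Logon_ID -> the 4624 event still waiting for its 4634
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev.get("Logon_Type") in exclude_logon_types:
            continue
        code, logon_id = ev.get("EventCode"), ev.get("Logon_ID")
        if code == "4624":
            # A second 4624 with the same ID (Windows reuses IDs) replaces the stale one.
            open_logons[logon_id] = ev
        elif code == "4634":
            start = open_logons.pop(logon_id, None)
            if start is None:
                continue  # logoff without a matching logon in scope: nothing to pair
            span = ev["_time"] - start["_time"]
            if span <= max_span:
                hits.append({
                    "logon_id": logon_id,
                    "account": start.get("Account_Name"),
                    "logon_type": start.get("Logon_Type"),
                    "logon_time": start["_time"].isoformat(),
                    "duration_seconds": span.total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_short_sessions(parse_events(SAMPLE_LOG)):
        print(hit)
```

On the sample, only alice's 4-second session is reported: bob's session lasts minutes, carol's 4634 has no 4624 in scope, and svc_backup is dropped by the Logon_Type filter. Passing `exclude_logon_types=frozenset()` brings the service logon back, which is the flood of service-account hits the answer describes; tightening the filter (specific accounts, logon types, or only failures for one side) is where the real tuning happens.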