
Is there any way to have a search only pick up user account logins?

Erilope
Explorer

Hello everyone, 

I have a search for after-hours logins between 6pm and 6am. Right now I have event codes 4625 and 4624 with logon_type 2 and 3. This alert picks up Windows automated services, but I was wondering if there was a way that I can have this search only pick up on user accounts instead of Windows automated services. My search string is


index=(myindexname) source="wineventlog:security" Account_Name=* (EventCode=4625 OR EventCode=4624) (Logon_Type=2 OR Logon_Type=3) Logon_Process=Kerberos earliest=-7d@d-6h latest=-7d@d+6h


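As an added example (not code from the original post or from Splunk), here is one way to narrow the search above to interactive and network logons by human accounts. It assumes the standard Splunk Windows TA field names (Account_Name, Logon_Type, Account_Domain, ComputerName) and a hypothetical CSV lookup named service_accounts.csv with columns user and account_type, where user holds your known service and application account names in lowercase. In 4624/4625 events Account_Name is multivalued (subject first, target account last), so mvindex(Account_Name, -1) picks the account that actually logged on; computer accounts end in a trailing $ and the built-in Windows identities (SYSTEM, LOCAL SERVICE, NETWORK SERVICE, ANONYMOUS LOGON, the DWM-/UMFD- window manager accounts) are dropped explicitly, and anything still unknown to the lookup is kept as a probable human logon:

```spl
index=myindexname source="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4625)
    (Logon_Type=2 OR Logon_Type=3)
    earliest=-7d@d-6h latest=-7d@d+6h
| eval user=lower(mvindex(Account_Name, -1))
| search NOT user="*$"
    NOT user IN ("system", "local service", "network service", "anonymous logon", "dwm-*", "umfd-*")
| lookup service_accounts.csv user OUTPUTNEW account_type
| where isnull(account_type)
| table _time, ComputerName, user, Account_Domain, Logon_Type, EventCode
```

The lookup is the part that answers the "what in the data tells you" question: Windows itself does not flag an account as human or service, so the reliable signal is your own inventory of service accounts (or a naming convention such as an svc_ prefix, which you could test with user="svc_*" instead of a lookup). Review the rows this returns for a week before wiring it into the alert so that any automation accounts it still surfaces can be added to the CSV.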

yuanliu
SplunkTrust

So you want to exclude Windows automated services from the search. Is this correct? Can you tell us what differentiates a human user from a user used by automated services in your data? If not, this is not the right forum.

Erilope
Explorer

User accounts are used by real users, and service accounts are used by system services such as web services, databases, and Windows cleanup services. The search that I created shows users and automated services, but if John Doe logs in at 3am we would like to see that rather than needing to dig through Splunk alerts for Windows automated services.


yuanliu
SplunkTrust

What I am asking is: what in the data can tell whether a record is for a "real" user vs. a Windows service user? What is the logic if you are looking at the data, not Splunk?
