Looking to query a domain account and find out the...

Sotu · ‎05-01-2024

I wrote a simple query to parse my Windows Event Security logs to look for a user account, however I am looking to add onto this and find out which devices the accounts are running on.

index="wineventlog" source="WinEventLog:Security" user="domainaccount"

My end goal is to be able to type in a domain account in my search and find what device its associated with or is running as a service under.

Sotu · ‎05-01-2024

Thanks! I am still learning Splunk and will modify my query to check for the events.

deepakc · ‎05-01-2024

You normally need to find the events that show you the data, so these need to be logged first and then into Splunk, so check to see if the below events are there and search for those based on the user.

Search for eventid field - I cant remeber the exact name, but it should be there.

The below events many help find the data you are looking for for others check on Google plenty there.

EventCode=4624: Successful user logon (interactive logon).
EventCode=4625: Failed user logon attempt.
EventCode=4648: Logon using explicit credentials (e.g., "Run As" or services).

Looking to query a domain account and find out the device it is logged into or running on

field extraction

lookup

other

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

Splunk Smartness with Brandon Sternfield | Episode 3