Splunk Search

Monitoring logons of domain users (EventCode 4624)

Explorer

Hello!

I have logs from Domain Controller Active Directory in Splunk and try to configure monitoring of user logons (EventCode=4624).
Unfortunately, there are two fields with a name "Account Name": NAMEOFPC$ and USERACCOUNT.

I'd like to make two different fields for NAMEOFPC$ and USERACCOUNT. How can I separate them?

Thank you!

1 Solution

Communicator

Hello r2r2,

The mvindex function of the EVAL command will perform exactly what you want.

Try this.

EventCode=4624 | eval Subject_Account_Name = mvindex(Account_Name,0) | eval New_Logon_Account_Name = mvindex(Account_Name,1)

Break down of the search.

EventCode=4624, The Windows Event Log you are looking for.

| eval Subject_Account_Name = mvindex(Account_Name,0) The first eval creates the field name Subject_Account_Name (you can name this field anything you want). The mvindex function with a value of zero, finds the first occurrence of Account_Name.

| eval New_Logon_Account_Name = mvindex(Account_Name,1) The second eval creates the field name New_Logon_Account_Name (again, you can name this field anything you want). The mvindex function with a value of 1, finds the second occurrence of Account_Name.

You will find in Windows Event Logs, there are many duplicate field names in a single event.


Explorer

I have another problem - now I try to add a field from another index to my table using "join".
I wrote a search: source="WinEventLog:Security" EventCode=4624 AccountName="*$" | eval user = mvindex(AccountName,1) | dedup user | join type=left user [index=anotherindex employeeID=*] | table _time, user, employeeID

But column employeeID is empty.


Motivator

Please ask this as a separate question.


Explorer

Thank you for your answer!

I added: source="WinEventLog:Security" EventCode=4624 AccountName="*$" | eval user = mvindex(AccountName,1) | table _time, user

Now I receive 3-10 identical messages of successful authentications within 2 seconds. Is it possible to show only one message?


Communicator

r2r2,

You can add | dedup _time, user between your eval and table command.

However, since you are using _time in your results, dedup will only be effective if you have two events with the same time stamp and user. If you want the time stamp in your results, you are most likely receiving accurate results.

Explorer

There are similar logon types in all messages.

I added "| dedup user" and received the right result.

Thank you!

Builder

You might want to filter on Logon_Type ... in addition ... different Logon_Types ... different meaning.

Communicator

Good point, Imyrefelt.

A lookup table will come in handy here.

Create a CSV file that looks like this and save it as logontypedesc.csv (the header row supplies the field names the lookup definition refers to below).
Descriptions courtesy of www.ultimatewindowssecurity.com Win Security Log Quick Ref.

Logon_Type,LogonTypeDesc
2,Interactive (logon at keyboard and screen of system)
3,Network (i.e. mapped drive)
4,Batch (i.e. scheduled task)
5,Service (service startup)
7,Unlock (i.e. unattended workstation with password protected screen saver)
8,"Network Cleartext (Most often indicates a logon to IIS with ""basic authentication"")"
9,NewCredentials such as with RunAs or mapping a network drive with alternate credentials
10,Remote Desktop (Terminal Services; Remote Desktop or Remote Assistance)
11,Logon with cached credentials

Create the lookup table file.
Choose the destination app, most likely search.
Upload the CSV file under Lookup table files.
Make the destination file name logontypedesc.csv.

Create the lookup definition.
Choose the destination app, most likely search.
Name it winlogontypedesc.
Make the type File-based and point the lookup file at logontypedesc.csv.

Make the lookup automatic.
Choose your destination app, most likely search.
Name it winlogontypedesc.
Choose the lookup table winlogontypedesc.
Choose sourcetype and type in WinEventLog:Security (most likely the EventCode falls under this sourcetype).
Input fields should be Logon_Type = Logon_Type.
Output fields should be LogonTypeDesc = LogonTypeDesc.

Perform a search.
There should be a new interesting field, LogonTypeDesc, showing.
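Pulling the thread's pieces together, an added example (not from any poster) of a 4624 search that keeps the Subject and New Logon names apart, applies the winlogontypedesc lookup explicitly, and collapses the bursts of duplicate events per minute instead of discarding every later logon of an account with dedup user. Workstation_Name and Source_Network_Address are standard 4624 fields assumed to be extracted by the Windows add-on; they do not appear in the thread.

```spl
source="WinEventLog:Security" EventCode=4624
| eval Subject_Account_Name=mvindex(Account_Name,0),
       New_Logon_Account_Name=mvindex(Account_Name,1)
| search New_Logon_Account_Name!="*$" New_Logon_Account_Name!="ANONYMOUS LOGON"
| lookup winlogontypedesc Logon_Type OUTPUT LogonTypeDesc
| bin _time span=1m
| stats count AS logons,
        dc(Subject_Account_Name) AS subjects,
        values(Workstation_Name) AS workstations,
        values(Source_Network_Address) AS source_ips
        BY _time, New_Logon_Account_Name, Logon_Type, LogonTypeDesc
| sort - _time
```

The stats by one-minute bin turns the 3-10 duplicates into a single row with a count, while a logon by the same account an hour later still shows up as its own row. The explicit lookup command also works before the automatic lookup is configured, which makes it a quick check that the CSV and the definition line up.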
