Hello!
First, I'll admit that I'm relatively new to Splunk, so thank you in advance! I've been tasked to build a search that will detect remote users logging on to local admin accounts. So far I've managed to pull the local admins via WMI using the following search string:
sourcetype="WMI:LocalAdmins" Name="Administrators" | rex field=_raw "PartComp.*?,Name=\"(?<UserName>[^\"]+)\"" | dedup host,Name,UserName | transaction host,Name | table host,UserName
I also know that I can detect external logins using this string (this is specific enough for my purposes):
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
Now.. I need to find a way to utilize the local admins in the first search, and narrow the second search to only the local admin accounts identified. I'm still progressing in my research into this, but if you fine folks could point me in the right direction I would definitely be thankful.
Try this
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3|join type=outer [search sourcetype="WMI:LocalAdmins" Name="Administrators" | rex field=_raw "PartComp.*?,Name=\"(?[^\"]+)\"" | dedup host,Name,UserName | transaction host,Name | fields UserName]
Hope this helps!
Thanks,
Raghav
Try this
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3|join type=outer [search sourcetype="WMI:LocalAdmins" Name="Administrators" | rex field=_raw "PartComp.*?,Name=\"(?[^\"]+)\"" | dedup host,Name,UserName | transaction host,Name | fields UserName]
Hope this helps!
Thanks,
Raghav
This seems to be working! Didn't think the join command could be implemented so simply; I'll have to read up on that one.
Thank you so much Raghav. Have a great day.
Glad i could help!