09/19/2021 03:55:51 PM
LogName=Security
EventCode=4624
EventType=0
ComputerName=AD-Server.testlab.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=27458
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: - This is what I am trying to capture.
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: AD-SERVER$
Account Domain: TESTLAB.LOCAL
Logon ID: 0x4DCB94
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {416FA300-18E5-910D-E3C0-C4227DAEDEA2}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: fe80::eda5:784c:f765:5574
Source Port: 61946
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requeste
Thanks for sharing. I made some changes and now this is how it turns out.
For the time range, this is my command -
[earliest=-7d@d-5h
latest=@d+7h]
As I am running this every Monday, I guess the search string should search for all the data 7 days back, starting 1900 hours to the following day 7am.
Not sure if anyone can assist but I managed to extract out the account name with the following command -
| rex "(?ms)Account Name:.*?Account Name:\s+(?<Account_Name>\S+)"
but it's extracting out all the (hostname$) and SYSTEM.
Is there any way to drop all the hostname$ and SYSTEM and only show the rest?
Thank You
regards,
Alex
Can you share your raw events to see what you are trying to extract from where?
@ITWhisperer,
Yes, the timings are not correct but I was just testing to see if it works.
Is it necessary to include @d?
What is the purpose of bin span=1h _time?
If I run the search string every Monday against 1 week of data, I should be able to get all the information for that 1 week from 10pm to 10am. Please correct me if I am wrong.
Thank You
Is it necessary to include @d? - this snaps the time to the beginning of the day to give a known reference point from which to get to 10pm and 10am, if you didn't use it the time of the search would depend on when it was executed
What is the purpose of bin span=1h _time? - in my example, I was showing how to set the times, the example was how to do hourly counts of _internal based on the _time timestamp. This effectively groups all events in the same hour together.
If I run the search string every Monday against 1 week of data, I should be able to get all the information for that 1 week from 10pm to 10am. Please correct me if I am wrong. - yes, you should be able to get these events, but you would need more than just defining the earliest and latest, you would need to then exclude events you weren't interested in. You should have been clearer about what you were trying to do.
@ITWhisperer, I found this online and it works
earliest= "-1d@d+19h@h" latest="@d+7h@h"
Can you please explain in more detail on your search string?
@d snaps to the beginning of the day, -2 hours is 10pm the previous day, +10 hours is 10am on the current day, which is what you said you wanted. The solution you found elsewhere goes from 7pm to 7am, which is not what you wanted.
For example
index=_internal earliest=@d-2h latest=@d+10h | bin span=1h _time | stats count by _time
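The two things this thread works through, pulling the New Logon account name out of a multi-line 4624 event and then dropping machine accounts and SYSTEM, plus the time-window idea in the reply above (snap to the start of the day with @d, then offset to 10pm and 10am, and for a weekly run additionally filter on the hour of each event), can be checked end to end in Python. This is an added example written for this thread, not code from either poster or from Splunk. It translates the rex from the thread into Python's `(?P<name>...)` named-group syntax and keeps the same "skip the first Account Name, capture the second" approach. The sample events, account names, user SIDs and the run time are constructed for the example; the window hours (22:00 to 10:00) are the ones stated in the reply.

```python
import re
from datetime import datetime, timedelta

# Same idea as the thread's rex, in Python syntax: (?s) lets '.' cross newlines,
# the lazy '.*?' skips the Subject's "Account Name:" and the capture lands on
# the second one, which belongs to the "New Logon:" section.
ACCOUNT_RE = re.compile(r"(?ms)Account Name:.*?Account Name:\s+(?P<Account_Name>\S+)")

# First line of each event is the timestamp in the format the thread shows.
TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed 4624 layout (trimmed to the fields the example needs).
EVENT_TEMPLATE = """{ts}
LogName=Security
EventCode=4624
ComputerName=AD-Server.testlab.local
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: {subject}
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
New Logon:
Security ID: {sid}
Account Name: {account}
Account Domain: TESTLAB.LOCAL
Logon ID: 0x4DCB94
"""

# Constructed sample events: user names and user SIDs are made up.
SAMPLE_EVENTS = [
    EVENT_TEMPLATE.format(ts="09/15/2021 11:30:00 PM", subject="-", sid="S-1-5-21-1111-2222-3333-1002", account="asmith"),
    EVENT_TEMPLATE.format(ts="09/19/2021 03:55:51 PM", subject="-", sid="S-1-5-18", account="AD-SERVER$"),
    EVENT_TEMPLATE.format(ts="09/19/2021 11:40:12 PM", subject="-", sid="S-1-5-18", account="SYSTEM"),
    EVENT_TEMPLATE.format(ts="09/20/2021 02:05:30 AM", subject="WORKSTATION1$", sid="S-1-5-21-1111-2222-3333-1001", account="jdoe"),
    EVENT_TEMPLATE.format(ts="09/20/2021 11:15:00 AM", subject="-", sid="S-1-5-21-1111-2222-3333-1003", account="jsmith"),
]

# Constructed run time: a Monday morning, standing in for "now" in the search.
RUN_TIME = datetime(2021, 9, 20, 9, 0)


def extract_account_name(event: str):
    """New Logon account name, or None if the event does not have two Account Name fields."""
    m = ACCOUNT_RE.search(event)
    return m.group("Account_Name") if m else None


def event_time(event: str) -> datetime:
    """Parse the timestamp on the event's first line."""
    return datetime.strptime(event.splitlines()[0].strip(), TIMESTAMP_FMT)


def is_noise_account(name: str) -> bool:
    """Computer accounts (trailing $), SYSTEM and the '-' placeholder are dropped."""
    return name.endswith("$") or name.upper() == "SYSTEM" or name == "-"


def search_window(run_time: datetime, days_back: int = 0):
    """Equivalent of earliest=-{days_back}d@d-2h latest=@d+10h: snap to midnight, then offset."""
    day_start = run_time.replace(hour=0, minute=0, second=0, microsecond=0)
    return day_start - timedelta(days=days_back, hours=2), day_start + timedelta(hours=10)


def in_overnight_window(ts: datetime, start_hour: int = 22, end_hour: int = 10) -> bool:
    """True when the event's hour falls between 22:00 and 10:00 on any night."""
    return ts.hour >= start_hour or ts.hour < end_hour


def interesting_logons(events, run_time: datetime, days_back: int = 0):
    """(timestamp, account) for real-user logons inside the window, oldest first."""
    earliest, latest = search_window(run_time, days_back)
    kept = []
    for ev in events:
        ts = event_time(ev)
        if not (earliest <= ts < latest):       # half-open window, like earliest/latest
            continue
        if not in_overnight_window(ts):         # needed once the window spans several days
            continue
        name = extract_account_name(ev)
        if name is None or is_noise_account(name):
            continue
        kept.append((ts, name))
    return sorted(kept)


if __name__ == "__main__":
    for ts, name in interesting_logons(SAMPLE_EVENTS, RUN_TIME, days_back=7):
        print(ts.isoformat(), name)
```

With the daily window only `jdoe` survives; with `days_back=7` the earlier `asmith` logon is included too, while the 15:55 machine-account logon is dropped both for being a computer account and for falling outside the overnight hours. In SPL the same exclusion can follow the rex as `| search Account_Name!="SYSTEM" Account_Name!="*$"`.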