Searching for Windows logins

ktaylor
Loves-to-Learn Lots

Hello to all, really hoping I can make sense while asking this.... I'm an entry-level IT Security Specialist and I have been tasked with re-writing our current query for overnight logins, as our existing query does not put out the correct information we need. Here is the current query:

source=WinEventLog:Security (EventCode=4624 OR (EventCode=4776 Keywords="Audit Success"))
| eval Account = mvindex(Account_Name, 1) ```second value of Account_Name is the account that logged on```
| eval TimeHour = tonumber(strftime(_time, "%H")) ```compare as a number, not a string```
| eval Source = coalesce(Source_Network_Address, Source_Workstation)
| eval Source = if(Source="127.0.0.1" OR Source="::1" OR Source="-" OR Source="" OR isnull(Source), host, Source)
| where TimeHour >= 20 OR TimeHour < 5 ```8pm to 5am: hours 20-23 and 0-4```
| bin _time span=12h aligntime=@d+20h ```12h buckets starting at 20:00, so one bucket per night```
| eval NightOf = strftime(_time, "%m/%d/%Y")
| lookup dnslookup clientip AS Source OUTPUT clienthost AS SourceDevice
| search NOT Account="*$" NOT Account="HealthMail*" NOT Account="System"
| stats count AS LoginEvents values(SourceDevice) AS SourceDevices BY Account NightOf
| sort NightOf Account SourceDevices
| table NightOf Account SourceDevices LoginEvents

I need to somehow add an exclusion to the query for logon type 3 (meaning for Splunk to omit them from its search), as well as add our asset to the query, so that Splunk will only target searches from that particular asset.

I know nothing about coding or scripts, and my boss just thought it would be super fun if the guy with the least experience tried to figure it all out, since the current query does not give us the data that we need for our audits. In a nutshell, we need Splunk to tell us who was logged in between 8pm and 5am, that it was a logon type 2, and what computer system they were on. If anyone could help out an absolute noob here I would greatly appreciate it!


bowesmana
SplunkTrust

If you have little knowledge, then an easy way to learn is to deconstruct the search: first run the first line and understand what you see, then add line 2 and run again, then line 3, and so on.

When you have only raw data results returned, you can get a better visual output of what you have by just adding the following at the end of each search as you run it

| table _time *

which will give you rows of data being returned, so run 

source=WinEventLog:Security EventCode=4624 OR (EventCode=4776 Keywords="Audit Success")
| table _time *

and you will see a ton of columns

source=WinEventLog:Security EventCode=4624 OR (EventCode=4776 Keywords="Audit Success")
| eval Account = mvindex(Account_Name, 1)
| table _time *

You will see a new column called Account which was derived from the second value of Account_Name.

Keep going and figure out what each line does to your data. Use the search reference for each command to work out what the command does:

https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Eval

ktaylor
Loves-to-Learn Lots

That makes a lot of sense, thanks for that.  And thank you for the link!


PickleRick
SplunkTrust

Ok, two things. Three actually.

1. Check out the Splunk edu site for entry level courses on splunk searching.

2. If you want to just search for logon type 2, add the condition to the initial search (searching for a particular value is much more effective than excluding a value from your search, so if "not logon type 3" can be simplified to "logon type 2", it's great).

3. I honestly have no idea what you mean by "add our asset to the search" (in Splunk terminology those are called searches, not queries).


bowesmana
SplunkTrust

@PickleRick 

One thing, no 2 really, or actually 3, or maybe 4

1. Item 1

2. I thought of this halfway through my reply

3. I am using an editor

4. I can correct mistakes

5. Or can I

😁

ktaylor
Loves-to-Learn Lots

Thanks for your reply. Honestly, I wish I knew what I was talking about so that my question could be clearer. Our company has different 6-digit asset numbers for each site, of which there are multiple. So in the search, I am trying to figure out how to have Splunk only search our asset for overnight type 2 logins, as we do not need the data from all of the other assets. Hopefully that painted a better picture. Thanks again!


PickleRick
SplunkTrust

OK. There is a free track of entry-level trainings on the Splunk educational platform; the links from the new STEP page are a bit strange, so just search for "Splunk Search Beginner Learning Path". It's a relatively quick way to learn the basics.

If you have any experience with Unix shell scripting, it should be quite intuitive: you just pass your set of results through a sequence of commands connected with pipe characters.

As @bowesmana showed - you can see what your search does right from the start and add more and more commands to see how they affect the results.

About the asset numbers: well, I assume you don't have this information in the events themselves, right? So it's a bit more of an advanced topic, because you must get it stored somewhere inside Splunk (most probably as a lookup) and correlate that info with your events to use it for further filtering. There is probably more than one way to go about it, but the proper approach would depend on the particular use case. It's not possible to give you a general answer without knowing the details.
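Putting PickleRick's two suggestions together (filter on Logon_Type=2 in the base search rather than excluding type 3, and bring the asset number in through a lookup), here is what a rewritten search could look like. This is an added example, not code from the original thread. It assumes a CSV lookup named asset_inventory with columns host, asset_id and site (hypothetical; it would be built from whatever inventory the 6-digit numbers come from), uses the asset number 123456 as a placeholder, and relies on the same Windows TA field names the original search already uses (Account_Name, Logon_Type). EventCode 4776 is dropped because it carries no Logon_Type. For a type 2 (interactive, at the console) logon, the machine that wrote the 4624 event, which is Splunk's host field, is the computer the person logged on to, so that answers the "what computer system" part without the DNS lookup on Source_Network_Address.

```spl
source=WinEventLog:Security EventCode=4624 Logon_Type=2
| eval Account=mvindex(Account_Name, 1)
| search NOT Account="*$" NOT Account="HealthMail*" NOT Account="SYSTEM"
| eval TimeHour=tonumber(strftime(_time, "%H"))
| where TimeHour >= 20 OR TimeHour < 5
| lookup asset_inventory host OUTPUT asset_id, site
| search asset_id="123456"
| eval LogonTime=_time
| bin _time span=12h aligntime=@d+20h
| eval NightOf=strftime(_time, "%m/%d/%Y")
| stats count AS LoginEvents, min(LogonTime) AS FirstLogon, max(LogonTime) AS LastLogon BY NightOf, site, asset_id, host, Account
| eval FirstLogon=strftime(FirstLogon, "%H:%M"), LastLogon=strftime(LastLogon, "%H:%M")
| sort NightOf, host, Account
| table NightOf, site, asset_id, host, Account, FirstLogon, LastLogon, LoginEvents
```

Line by line: the first line pulls only interactive console logons; the account exclusions drop machine accounts (names ending in $), Exchange health mailboxes and SYSTEM; TimeHour is converted with tonumber so the comparison is numeric rather than string; the lookup attaches asset_id and site by host, and the search after it keeps only your asset (hosts missing from the inventory get no asset_id and are dropped too, so a host nobody inventoried will silently vanish from the report). LogonTime is copied before bin because bin overwrites _time with the bucket start, and the 12h bucket anchored at 20:00 makes NightOf the date of the evening even for a 02:00 logon. Two caveats: strftime renders _time in the searching user's configured time zone, so run this as a user whose time zone matches the site; and type 2 is only console logons, so if the audit also cares about RDP sessions (Logon_Type 10) and logons with cached domain credentials (Logon_Type 11), replace the first line's filter with Logon_Type IN (2, 10, 11).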

ktaylor
Loves-to-Learn Lots

I appreciate your time, thanks again!  

I figured there wouldn't be an "easy" button; finding this community for ideas is as close as it gets. I will check out some tutorials and hopefully it's one foot after another from there.

Have a great weekend to all!
