Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Several user logon event for same host

a_n
Path Finder
‎07-14-2021 12:00 AM

Hi,

I have Splunk on Windows network, and using UF for windows events.

I am searching to detect users logon during specific hours: 
index=main source="WinEventLog:Security"EventCode=528 OR EventCode=540 OR EventCode=4624
|where Logon_Type!=3 OR (Logon_Type=3 AND NOT LIKE(host,"DC%"))
| eval Signed_Account=mvindex (Account_Name,1)
|eval hour=strftime(_time,"%H")
| eval ShowTime=strftime(_time,"%D %H:%M")
| search Signed_Account=TThemistokleous (hour>23 OR hour<6)
| table host ShowTime Logon_Type

Issue is, in result, I have for Same HOST, on Same TIME, 2 users signed on. AND Each signed on 4 times!

Can someone please advise, what can be the issue?
Thank you

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2021 05:07 AM 
| dedup host,Signed_Account,EventCode,_time

View solution in original post

Reply
Solved! Jump to solution

a_n
Path Finder
‎07-14-2021 02:16 AM

Dear @ITWhisperer 
 Thank you for your response.
As for the where clause, I agree.
date_hour does not hold the data, hour field is ok.
we need to now about working in forbidden hours, which is after 11 PM until 6 AM.

The result I have has same hostname, same event code 4624.
This is main search I have with results attached:
index=main source="WinEventLog:Security" EventCode="4624" OR EventCode="539" OR (EventCode="529" AND EventCode="537") OR (EventCode="547" AND EventCode="549")
|where (Logon_Type!=3 OR ( NOT LIKE(host,"DC%"))) AND Logon_Type!=9
| eval Signed_Account=mvindex (Account_Name,1)
|eval hour=strftime(_time,"%H")
|regex Signed_Account!="\$"
| search Signed_Account=* Signed_Account!="SYSTEM" Signed_Account!="ANONYMOUS LOGON" Signed_Account!="Administrator" (hour>23 OR hour<6)
| table host,Signed_Account,EventCode,_time

Capture2.JPG
Preview file
51 KB
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2021 02:27 AM

How does date_hour not hold the information, it is derived from _time automatically, is it not?

Can you give me an example of a time that is after 11pm where the hour is greater than 23?

You should examine the "duplicate" events to see is they really are duplicates e.g. the _raw is identical, which might point to a problem with the ingesting of the events. Do the duplicates come from different indexers (assuming you have them)?

0 Karma
Reply
Solved! Jump to solution

a_n
Path Finder
‎07-14-2021 02:40 AM

Ah, yes. Now I got your point regarding the time.
I will handle it, thank you.

Back to main issue:
- I have one indexer only.
- I compared 2 problematic events. the only differences are:
Logon ID:  (0x32E964BA , 0x32E964D4)
Source Port: (54833,54835)

What is the solution? How to ignore these?

Thank you again

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2021 05:07 AM 
| dedup host,Signed_Account,EventCode,_time
Reply
Solved! Jump to solution

a_n
Path Finder
‎07-15-2021 12:02 AM

Thank you,
It works, however I am still worried that I may lose some events.

Thank you very much for your help.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2021 02:03 AM

Since the alternative to Logon_type!=3 is Logon_type=3, this part is redundant in the where clause i.e.

|where Logon_Type!=3 OR NOT LIKE(host,"DC%")

You may find date_hour already holds the hour so you might be able to use that rather than creating another field with the same information in.

When is hour ever going to be greater than 23? The hours are 0 - 23 inclusive.

Your table command does not include the EventCode, and your times are at the minute scale - is it possible that the "extra" events are for different EventCodes within the same minute?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top