Splunk Query

whitecat001
Explorer

Can I get a Splunk query that shows the last logon date for a group of Active Directory service accounts?
Thanks 

0 Karma

antoniolamonica
SplunkTrust
SplunkTrust

index=wineventlog sourcetype=WinEventLog EventCode=4624 user="svc*"
| eval EventTime=strftime(_time, "%m/%d/%Y %H:%M:%S %Z")
| stats latest(EventTime) as lastlogon by user
| table lastlogon, user
0 Karma

emdaax
Explorer

Hi @whitecat001,

Assuming your Active Directory logs are being indexed under "index=windows" and you are forwarding the logon events EventCode=4624 (successful logons), you can use the following query:

index=windows* source="WinEventLog:Security" sourcetype=xmlwineventlog host=* user!="*$" EventCode=4624 dest_nt_domain=<your domain name> Logon_Type=5
| stats max(_time) as last_login by index, host, dest, dest_nt_domain, user, src_ip, Logon_Type
| eval last_login=strftime(last_login, "%Y-%m-%d %H:%M:%S")

The EventCode=4624 filters the logs to only include successful logon events.

You can use the field "Logon_Type", which points out how the user logged on.
There are a total of nine different types of logons, the most common logon types are: logon type 2 (interactive) and logon type 3 (network).

Any logon type other than 5 (which denotes a service startup) is a red flag.

Logon Type | Logon Title | Description
0 | System | Used only by the System account, for example at system startup.
2 | Interactive | A user logged on to this computer.
3 | Network | A user or computer logged on to this computer from the network.
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 | Service | A service was started by the Service Control Manager.
7 | Unlock | This workstation was unlocked.
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
12 | CachedRemoteInteractive | Same as RemoteInteractive. This is used for internal auditing.
13 | CachedUnlock | Workstation logon.

best regards,

P.S.: Karma Points are always appreciated 😉

0 Karma
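As an added example (not code from the thread), the same filter and stats logic as the search above, run offline in Python over constructed 4624 records, plus the two checks a practitioner usually wants next: service accounts seen with a logon type other than 5, and accounts that are dormant or never appear at all, which a stats-by-user search cannot list on its own. Field names follow the Splunk Windows TA extraction; the `svc` naming prefix, the 90-day threshold and the sample records are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of Windows Security 4624 events in the field shape the
# Splunk Windows TA extracts (made-up records, not real log data).
BASE = 1700000000  # 2023-11-14 22:13:20 UTC
EVENTS = [
    {"_time": BASE,                    "EventCode": 4624, "user": "svc_backup", "Logon_Type": 5,  "host": "srv01"},
    {"_time": BASE + 3600,             "EventCode": 4624, "user": "svc_backup", "Logon_Type": 5,  "host": "srv01"},
    {"_time": BASE - 100 * 86400,      "EventCode": 4624, "user": "svc_sql",    "Logon_Type": 5,  "host": "db01"},
    {"_time": BASE - 100 * 86400 + 10, "EventCode": 4624, "user": "svc_sql",    "Logon_Type": 10, "host": "db01"},
    {"_time": BASE + 7200,             "EventCode": 4624, "user": "svc_web",    "Logon_Type": 3,  "host": "web01"},
    {"_time": BASE + 7200,             "EventCode": 4624, "user": "SVC_WEB$",   "Logon_Type": 3,  "host": "web01"},
    {"_time": BASE + 7200,             "EventCode": 4624, "user": "jdoe",       "Logon_Type": 2,  "host": "ws07"},
    {"_time": BASE + 7200,             "EventCode": 4625, "user": "svc_web",    "Logon_Type": 3,  "host": "web01"},
]
# Assumed inventory of service accounts (e.g. an AD export used as a lookup), not derived from events.
KNOWN_SERVICE_ACCOUNTS = ["svc_backup", "svc_old", "svc_sql", "svc_web"]
NOW = BASE + 86400

def last_logon_by_service_account(events, prefix="svc"):
    """Offline equivalent of: EventCode=4624 user=svc* user!=*$ | stats max(_time), values(Logon_Type) by user."""
    result = {}
    for e in events:
        user = e["user"]
        if e["EventCode"] != 4624 or user.endswith("$") or not user.lower().startswith(prefix):
            continue  # skip failed logons (4625), computer accounts and non-service users
        rec = result.setdefault(user, {"last_login": 0, "logon_types": set()})
        rec["last_login"] = max(rec["last_login"], e["_time"])
        rec["logon_types"].add(e["Logon_Type"])
    return result

def fmt(epoch):
    """Same conversion as the SPL strftime(last_login, "%Y-%m-%d %H:%M:%S"), in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def unexpected_logon_types(result):
    """Service accounts seen with any logon type other than 5 (service start), the check described above."""
    return sorted(u for u, r in result.items() if r["logon_types"] - {5})

def dormant(result, now, days=90):
    """Service accounts whose most recent successful logon is older than `days`."""
    return sorted(u for u, r in result.items() if now - r["last_login"] > days * 86400)

def never_seen(known, result):
    """Accounts that produced no 4624 at all: a stats-by-user search cannot show these,
    so the list of expected accounts has to come from outside the event data."""
    return sorted(set(known) - set(result))
```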

PickleRick
SplunkTrust
SplunkTrust

First and foremost - what data do you have in your Splunk?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @whitecat001 ,

you could try with something like this:

index=your_index
| stats latest(_time) AS _time BY Account_name

If you don't want to use the _time field but want to rename it, remember that _time is in epoch time and is automatically displayed in human-readable form; if you rename it, you also have to convert it to a human-readable format.

index=your_index
| stats latest(_time) AS latest BY Account_name
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

0 Karma

whitecat001
Explorer

Can I please get another search that can show the last logon date for Active Directory service accounts?

0 Karma

whitecat001
Explorer

It's not working.

0 Karma