Hello, I am looking to create a report of a search. I have a requirement of tracking user logon to window machines (Active directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. for example, I will see people logged in at 1 am, but the logon id is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. there are about 1500 records a day of these false logons.
I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I cant seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you!
source= “wineventlog: security" EventCode=528 OR EventCode=540 OR EventCode=4624 OR
(EventCode=4776 Error_Code=0x0) NOT Account_Name=“*$” NOT Logon _Account="*$" NOT User_Name="*$'
| eval Account_Name=mvindex(Account Name, 1)
| eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name)
| eval User=lower (User)
| table _time, User, EventCode
@Stefanie what would you recommend for the time? So I am looking to track between 6pm and 5am, I tried this but it did not seem to work:
"date_hour›16 date_hour ‹06"
| eval date_ hour=strftime(_time, "%H)
| eval date_wday = strftime(_time, "%W")
| search date_hour>=16 date_hour<=06 date_wday>=1 date_wday<=5"
Adding the search range into the search itself its not very efficient. Next to the box you type your searches in is a drop down box to select your range. You can select the timeframe there using the "Date and Timeframe" range.
Try this search. I saved it a while back and its been useful. You may have to modify it to match exactly what account names you don't want to track.
source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) | convert timeformat="%a %B %d %Y" ctime(_time) AS Date | streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host | eval session_duration=logout-login | eval h=floor(session_duration/3600) | eval m=floor((session_duration-(h*3600))/60) | eval SessionDuration=h."h ".m."m " | convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login | convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout | stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user
@Stefanie Thank you very much for the reply! I am so sorry, could you possibly explain a little? On this section,
“user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)”
Are those you are saying to keep out of the search since they are system related? Or are this account you are specifically telling it to look for? I apologize for the dumb question, I am very new to Splunk.. I was told on Friday I needed to learn Splunk asap with zero knowledge hahaha. So I am still very much learning. I am just curious, as I remember if this is something we do not want searched, we put "NOT" in front correct?
No worries. Those are items I am telling it to NOT look for.
the "!" in front of the "=" means "NOT" 🙂
So in your case... Account_Name!="*$" is the same as you saying "NOT Account_Name="*$""