Splunk Search

Tracking user logon (standard and admin account) Windows AD

araiv1998
Engager

Hello, I am looking to create a report of a search. I have a requirement of tracking user logon to window machines (Active directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. for example, I will see people logged in at 1 am, but the logon id is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. there are about 1500 records a day of these false logons. 

I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I cant seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you! 

 

source= “wineventlog: security" EventCode=528 OR EventCode=540 OR EventCode=4624 OR

(EventCode=4776 Error_Code=0x0) NOT Account_Name=“*$” NOT Logon _Account="*$" NOT User_Name="*$'

| eval Account_Name=mvindex(Account Name, 1)

| eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name)

| eval User=lower (User)

| table  _time, User, EventCode

Labels (1)
Tags (4)
0 Karma

araiv1998
Engager

@Stefanie what would you recommend for the time? So I am looking to track between 6pm and 5am, I tried this but it did not seem to work:

 

"date_hour›16 date_hour ‹06"

 

"sourcetype-foo

| eval date_ hour=strftime(_time, "%H)

| eval date_wday = strftime(_time, "%W")

| search date_hour>=16 date_hour<=06 date_wday>=1 date_wday<=5"

0 Karma

Stefanie
Builder

Adding the search range into the search itself its not very efficient. Next to the box you type your searches in is a drop down box to select your range. You can select the timeframe there using the "Date and Timeframe" range.

0 Karma

araiv1998
Engager

@Stefanie hello! I am getting an error when I paste it into search, about time error. Could you please advise? Thank you 

0 Karma

Stefanie
Builder

Sure I messaged you.

0 Karma

Stefanie
Builder

Try this search. I saved it a while back and its been useful. You may have to modify it to match exactly what account names you don't want to track.

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date 
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login 
| eval h=floor(session_duration/3600) 
| eval m=floor((session_duration-(h*3600))/60) 
| eval SessionDuration=h."h ".m."m " 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user
0 Karma

araiv1998
Engager

@Stefanie Thank you very much for the reply! I am so sorry, could you possibly explain a little? On this section, 

“user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)”

Are those you are saying to keep out of the search since they are system related? Or are this account you are specifically telling it to look for? I apologize for the dumb question, I am very new to Splunk.. I was told on Friday I needed to learn Splunk asap with zero knowledge hahaha. So I am still very much learning. I am just curious, as I remember if this is something we do not want searched, we put "NOT" in front correct? 

0 Karma

Stefanie
Builder

No worries. Those are items I am telling it to NOT look for.

the "!" in front of the "=" means "NOT" 🙂

So in your case... Account_Name!="*$" is the same as you saying "NOT Account_Name="*$""

 

 

araiv1998
Engager

Awesome! Thank you so much! truly appreciate it.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...