Splunk Search

Tracking user logon (standard and admin account) Windows AD

araiv1998
Engager

Hello, I am looking to create a report of a search. I have a requirement of tracking user logon to Windows machines (Active Directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. For example, I will see people logged in at 1 am, but the logon ID is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. There are about 1500 records a day of these false logons.

I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I can't seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you!

 

source="wineventlog:security" (EventCode=528 OR EventCode=540 OR EventCode=4624 OR (EventCode=4776 Error_Code=0x0)) NOT Account_Name="*$" NOT Logon_Account="*$" NOT User_Name="*$"
| eval Account_Name=mvindex(Account_Name, 1)
| eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name)
| eval User=lower(User)
| table _time, User, EventCode
0 Karma
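The two problems in the question, separating human logons from service and machine-account noise, and matching a Monday-Friday 6pm-6am window that spans midnight, are shown below in Python over a constructed set of 4624-style events. This is an added example, not code from the thread; the field names (Account_Name, Logon_ID, Logon_Type) follow what the Splunk add-on for Windows extracts, the noise list and the choice of logon types 2, 7, 10 and 11 as "a person at a keyboard" are assumptions, and the window is read as evenings Mon-Fri plus the following mornings Tue-Sat.

```python
from datetime import datetime

# Constructed sample of Windows Security logon events, shaped like the fields the
# Splunk add-on for Windows extracts from EventCode 4624 (Account_Name is the
# target account, Logon_ID the session id, Logon_Type the numeric logon type).
SAMPLE_EVENTS = [
    {"_time": "2024-03-04 01:05:00", "Account_Name": "jdoe",   "Logon_ID": "0x0",      "Logon_Type": 5},
    {"_time": "2024-03-04 08:30:00", "Account_Name": "jdoe",   "Logon_ID": "0x1a2b3c", "Logon_Type": 2},
    {"_time": "2024-03-04 19:00:00", "Account_Name": "SYSTEM", "Logon_ID": "0x3e7",    "Logon_Type": 5},
    {"_time": "2024-03-04 20:00:00", "Account_Name": "DWM-1",  "Logon_ID": "0x2c4d6e", "Logon_Type": 2},
    {"_time": "2024-03-04 22:15:00", "Account_Name": "asmith", "Logon_ID": "0x2b3c4d", "Logon_Type": 10},
    {"_time": "2024-03-05 02:40:00", "Account_Name": "WS01$",  "Logon_ID": "0x4f5e6d", "Logon_Type": 3},
    {"_time": "2024-03-05 03:10:00", "Account_Name": "bjones", "Logon_ID": "0x3c4d5e", "Logon_Type": 7},
    {"_time": "2024-03-09 04:00:00", "Account_Name": "dlee",   "Logon_ID": "0x5e6f70", "Logon_Type": 2},
    {"_time": "2024-03-09 23:00:00", "Account_Name": "cdavis", "Logon_ID": "0x4d5e6f", "Logon_Type": 2},
]

# Built-in Windows principals that produce 4624 events with nobody at the keyboard (assumed list).
NOISE_ACCOUNTS = {"system", "anonymous logon", "local service", "network service"}
NOISE_PREFIXES = ("dwm-", "umfd-")          # Desktop Window Manager / font driver host sessions
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}    # console, unlock, RDP, cached console (assumed "human" set)


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_human_logon(event):
    """True if the event looks like a person signing in, not a service or machine account."""
    user = event["Account_Name"].lower()
    if user.endswith("$") or user in NOISE_ACCOUNTS or user.startswith(NOISE_PREFIXES):
        return False
    if event.get("Logon_ID", "").lower() == "0x0":   # null session id: no real logon session
        return False
    return event.get("Logon_Type") in INTERACTIVE_LOGON_TYPES


def in_overnight_window(when, start_hour=18, end_hour=6):
    """Monday-Friday 18:00 to 06:00: evening half on Mon-Fri, morning half on Tue-Sat.
    The window crosses midnight, so it is two clauses joined by OR, never one range."""
    weekday = when.weekday()                 # Monday == 0 ... Sunday == 6
    evening = when.hour >= start_hour and weekday <= 4
    morning = when.hour < end_hour and 1 <= weekday <= 5
    return evening or morning


def overnight_human_logons(events):
    """Return (timestamp, user) pairs for human logons inside the overnight window."""
    hits = []
    for ev in events:
        when = parse_time(ev["_time"])
        if is_human_logon(ev) and in_overnight_window(when):
            hits.append((ev["_time"], ev["Account_Name"].lower()))
    return hits


if __name__ == "__main__":
    for when, user in overnight_human_logons(SAMPLE_EVENTS):
        print(f"{when}  {user}")
```

The same window in SPL needs the OR as well: `date_hour>=18 date_hour<6` on one line can never match because both conditions are ANDed, so write `(date_hour>=18 AND date_wday IN (monday, tuesday, wednesday, thursday, friday)) OR (date_hour<6 AND date_wday IN (tuesday, wednesday, thursday, friday, saturday))` instead.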

araiv1998
Engager

@Stefanie what would you recommend for the time? So I am looking to track between 6pm and 5am. I tried this but it did not seem to work:

 

date_hour>16 date_hour<06

sourcetype=foo
| eval date_hour=strftime(_time, "%H")
| eval date_wday=strftime(_time, "%W")
| search date_hour>=16 date_hour<=06 date_wday>=1 date_wday<=5
0 Karma

Stefanie
Builder

Adding the search range into the search itself is not very efficient. Next to the box you type your searches in is a drop-down box to select your range. You can select the timeframe there using the "Date and Timeframe" range.

0 Karma

araiv1998
Engager

@Stefanie hello! I am getting an error when I paste it into search, about a time error. Could you please advise? Thank you

0 Karma

Stefanie
Builder

Sure, I messaged you.

0 Karma

Stefanie
Builder

Try this search. I saved it a while back and it's been useful. You may have to modify it to match exactly what account names you don't want to track.

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login
| eval h=floor(session_duration/3600)
| eval m=floor((session_duration-(h*3600))/60)
| eval SessionDuration=h."h ".m."m "
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS session_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user
0 Karma
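What the earliest/latest, floor and stats steps of that search compute, written out in Python over a constructed day of 4624/4634 events so the numbers can be checked by hand. This is an added example, not Stefanie's code: it groups by date, host and user (an assumption; the SPL above groups the streamstats by Date and host) and uses the same "Nh Mm" duration shape.

```python
from datetime import datetime

# Constructed 4624 (logon) / 4634 (logoff) events, shaped like the fields the
# Splunk add-on for Windows extracts (host, user, Logon_Type).
SAMPLE_EVENTS = [
    {"_time": "2024-03-04 08:30:00", "EventCode": 4624, "host": "WS01", "user": "jdoe",   "Logon_Type": 2},
    {"_time": "2024-03-04 09:05:00", "EventCode": 4624, "host": "WS01", "user": "asmith", "Logon_Type": 10},
    {"_time": "2024-03-04 12:10:00", "EventCode": 4634, "host": "WS01", "user": "jdoe",   "Logon_Type": 2},
    {"_time": "2024-03-04 13:00:00", "EventCode": 4624, "host": "WS01", "user": "jdoe",   "Logon_Type": 7},
    {"_time": "2024-03-04 17:45:00", "EventCode": 4634, "host": "WS01", "user": "jdoe",   "Logon_Type": 7},
    {"_time": "2024-03-04 09:30:00", "EventCode": 4634, "host": "WS01", "user": "asmith", "Logon_Type": 10},
    {"_time": "2024-03-05 07:55:00", "EventCode": 4624, "host": "WS02", "user": "bjones", "Logon_Type": 2},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def format_duration(seconds):
    """Whole hours and minutes, the same 'Nh Mm' shape the SPL builds with floor()."""
    h = int(seconds // 3600)
    m = int((seconds - h * 3600) // 60)
    return f"{h}h {m}m"


def summarize_sessions(events):
    """Per (date, host, user): event count, first and last event time, their span, logon types seen.
    Mirrors earliest()/latest() followed by stats: the span is first-to-last event of the day,
    not a matched logon/logoff pair, so a lone event yields '0h 0m'."""
    groups = {}
    for ev in events:
        when = parse_time(ev["_time"])
        key = (when.date().isoformat(), ev["host"], ev["user"].lower())
        g = groups.setdefault(key, {"count": 0, "first": when, "last": when, "logon_types": set()})
        g["count"] += 1
        g["first"] = min(g["first"], when)
        g["last"] = max(g["last"], when)
        g["logon_types"].add(ev["Logon_Type"])

    summary = {}
    for key, g in groups.items():
        span = (g["last"] - g["first"]).total_seconds()
        summary[key] = {
            "auth_event_count": g["count"],
            "login": g["first"].strftime("%m/%d/%y - %I:%M %p"),
            "logout": g["last"].strftime("%m/%d/%y - %I:%M %p"),
            "session_duration": format_duration(span),
            "logon_types": sorted(g["logon_types"]),
        }
    return summary


if __name__ == "__main__":
    for (date, host, user), row in sorted(summarize_sessions(SAMPLE_EVENTS).items()):
        print(date, host, user, row)
```

The caveat worth keeping in mind when reading the report: because the span is first event to last event, a user who logged on at 08:30 and whose machine only logged a logoff at 17:45 shows a full day even if they unlocked and locked ten times in between, and a day with a single 4624 and no 4634 yet shows zero.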

araiv1998
Engager

@Stefanie Thank you very much for the reply! I am so sorry, could you possibly explain a little? On this section,

user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)

Are those you are saying to keep out of the search since they are system related? Or are these accounts you are specifically telling it to look for? I apologize for the dumb question, I am very new to Splunk. I was told on Friday I needed to learn Splunk asap with zero knowledge hahaha. So I am still very much learning. I am just curious, as I remember if this is something we do not want searched, we put "NOT" in front, correct?

0 Karma

Stefanie
Builder

No worries. Those are items I am telling it to NOT look for.

The "!" in front of the "=" means "NOT" 🙂

So in your case... Account_Name!="*$" is the same as you saying NOT Account_Name="*$"

sgtwolf1
Explorer

I was hoping to get some help in modifying the query above. I have an index and a source type for my Windows environment. I would like to see the following:

- AuthenticationPackageName = This looks to show the type of authentication taking place, like NTLM, Kerberos, MFA, etc. I need this to show for each user (Windows Authentication Technical Overview | Microsoft Learn)

- Logon Type = used by Windows to show successful logins and failure logs like (4624, 4625, 4648) and should have a count related to the above attribute (Windows Logon Scenarios | Microsoft Learn)

- LogonProcessName = The process name for the authentication action taking place for the user

PS. The idea here is to see what authentication action is taking place for each user, so I can say yes, they are using NTLM or Kerberos to access this host or resource. Thanks again Community!!!!

0 Karma
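The per-user breakdown asked for above, as an added Python example that is not from this thread: it counts constructed 4624 events by user, host, AuthenticationPackageName, LogonProcessName and logon type name, and lists which users reached which hosts over NTLM. The field names match what the Splunk add-on for Windows extracts; the sample values are constructed, and the logon-type names are the documented codes for event 4624.

```python
from collections import Counter

# Constructed 4624 events carrying the three fields asked for. "NtLmSsp", "Kerberos" and
# "User32" are the LogonProcessName strings Windows itself writes (raw logs pad some with a space).
SAMPLE_EVENTS = [
    {"user": "jdoe",   "host": "WS01", "Logon_Type": 2,  "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32 "},
    {"user": "jdoe",   "host": "FS01", "Logon_Type": 3,  "AuthenticationPackageName": "Kerberos",  "LogonProcessName": "Kerberos"},
    {"user": "jdoe",   "host": "FS01", "Logon_Type": 3,  "AuthenticationPackageName": "Kerberos",  "LogonProcessName": "Kerberos"},
    {"user": "asmith", "host": "FS01", "Logon_Type": 3,  "AuthenticationPackageName": "NTLM",      "LogonProcessName": "NtLmSsp "},
    {"user": "asmith", "host": "WS02", "Logon_Type": 10, "AuthenticationPackageName": "Negotiate", "LogonProcessName": "User32 "},
    {"user": "bjones", "host": "FS01", "Logon_Type": 3,  "AuthenticationPackageName": "NTLM",      "LogonProcessName": "NtLmSsp "},
    {"user": "asmith", "host": "FS01", "Logon_Type": 3,  "AuthenticationPackageName": "NTLM",      "LogonProcessName": "NtLmSsp "},
]

# Logon type codes as documented for Windows event 4624.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive",
}


def auth_summary(events):
    """Count events per (user, host, auth package, logon process, logon type name),
    i.e. what `stats count by user, host, AuthenticationPackageName, LogonProcessName, Logon_Type` returns."""
    counts = Counter()
    for ev in events:
        key = (
            ev["user"].lower(),
            ev["host"],
            ev["AuthenticationPackageName"],
            ev["LogonProcessName"].strip(),
            LOGON_TYPE_NAMES.get(ev["Logon_Type"], str(ev["Logon_Type"])),
        )
        counts[key] += 1
    return counts


def ntlm_users(events):
    """Users who authenticated with NTLM to at least one host, mapped to the sorted host list."""
    seen = {}
    for ev in events:
        if ev["AuthenticationPackageName"].upper() == "NTLM":
            seen.setdefault(ev["user"].lower(), set()).add(ev["host"])
    return {user: sorted(hosts) for user, hosts in seen.items()}


if __name__ == "__main__":
    for key, n in sorted(auth_summary(SAMPLE_EVENTS).items()):
        print(n, *key)
    print("NTLM:", ntlm_users(SAMPLE_EVENTS))
```

In SPL the same table is `| stats count by user, host, AuthenticationPackageName, LogonProcessName, Logon_Type`; the point of the NTLM list is that a user whose every logon to a file server is NTLM while everyone else uses Kerberos usually means a name resolution or SPN problem on that path, which is worth a look before assuming anything else.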

araiv1998
Engager

Awesome! Thank you so much! Truly appreciate it.

0 Karma