Splunk Search

Tracking user logon (standard and admin account) Windows AD

araiv1998
Engager

Hello, I am looking to create a report of a search. I have a requirement of tracking user logon to window machines (Active directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. for example, I will see people logged in at 1 am, but the logon id is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. there are about 1500 records a day of these false logons. 

I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I cant seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you! 

 

source= “wineventlog: security" EventCode=528 OR EventCode=540 OR EventCode=4624 OR

(EventCode=4776 Error_Code=0x0) NOT Account_Name=“*$” NOT Logon _Account="*$" NOT User_Name="*$'

| eval Account_Name=mvindex(Account Name, 1)

| eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name)

| eval User=lower (User)

| table  _time, User, EventCode
Labels (1)
Tags (4)
0 Karma

araiv1998
Engager

@Stefanie what would you recommend for the time? So I am looking to track between 6pm and 5am, I tried this but it did not seem to work:

 

"date_hour›16 date_hour ‹06"

 

"sourcetype-foo

| eval date_ hour=strftime(_time, "%H)

| eval date_wday = strftime(_time, "%W")

| search date_hour>=16 date_hour<=06 date_wday>=1 date_wday<=5"
0 Karma

Stefanie
Builder

Adding the search range into the search itself its not very efficient. Next to the box you type your searches in is a drop down box to select your range. You can select the timeframe there using the "Date and Timeframe" range.

0 Karma

araiv1998
Engager

@Stefanie hello! I am getting an error when I paste it into search, about time error. Could you please advise? Thank you 

0 Karma

Stefanie
Builder

Sure I messaged you.

0 Karma

Stefanie
Builder

Try this search. I saved it a while back and its been useful. You may have to modify it to match exactly what account names you don't want to track.

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date 
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login 
| eval h=floor(session_duration/3600) 
| eval m=floor((session_duration-(h*3600))/60) 
| eval SessionDuration=h."h ".m."m " 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user
0 Karma

araiv1998
Engager

@Stefanie Thank you very much for the reply! I am so sorry, could you possibly explain a little? On this section, 

“user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)”

Are those you are saying to keep out of the search since they are system related? Or are this account you are specifically telling it to look for? I apologize for the dumb question, I am very new to Splunk.. I was told on Friday I needed to learn Splunk asap with zero knowledge hahaha. So I am still very much learning. I am just curious, as I remember if this is something we do not want searched, we put "NOT" in front correct? 

0 Karma

Stefanie
Builder

No worries. Those are items I am telling it to NOT look for.

the "!" in front of the "=" means "NOT" 🙂

So in your case... Account_Name!="*$" is the same as you saying "NOT Account_Name="*$""

 

 

sgtwolf1
Explorer

I was hoping to get some help, in modifying the query above. I got an Index and a source type for my windows environment. I would like to see the following: 

- Authentication PackagesName  = This looks to shows the type of Authentication taking place like NTLM, Kerberos, MFA, etc.... I need this to show for each user  (Windows Authentication Technical Overview | Microsoft Learn)

- Logon Type = used by Windows to shows successful login and failers logs like (4624, 4625, 4648) and should have a count related to the above attribute  (Windows Logon Scenarios | Microsoft Learn)

- LogonProcessName = The process name for the authentication action taking place for the user 

PS. The idea here it sees what Authentication action is taking place for each user so I can say yea there are using NTLM or Kerberos to access this host or resource. Thanks again Community!!!!

0 Karma

araiv1998
Engager

Awesome! Thank you so much! truly appreciate it.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...