Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Users loging into workstations with local admin or domain admin privs

ldefoor
New Member
‎08-26-2020 09:15 AM

First off, I am very new to Splunk and that may be my downfall. Our latest Splunk guru has left and this fell to me rather abruptly, so I apologize in advance.

I have been tasked with generating a report showing users that are logging into the local computers with elevated privileges of their standard daily accounts.

For example, if a user has two logins, username and ADUserName. I need to find out if username is a local admin on their computer and when they have logged in using that account.

I have been trying to figure this out but for the last two weeks haven't actually made any progress.

Hoping someone can point me in the right direction - thank you very much!

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-26-2020 12:24 PM

Are you collecting logs from endpoints to see if  user is making login locally instead using his/her domain account.

You need to have event logs from each endpoint to detect if they are login  locally using admin rights. 4672 is the event code.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672

or you could easily detect employees who are login using local admin account if you have Microsoft defender ATP installed on endpoints.

————————————
If this helps, give a like below.
0 Karma
Reply

ldefoor
New Member
‎08-26-2020 12:44 PM

We are ingesting those logs from all the end points.

I have searched on that and am only finding systems logging in with elevated privs. I know the admins are doing this, they will tell me they are, but looking for a way to see the activity 😞

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-27-2020 11:45 AM

Did you see 4672 events collected from endpoints?

————————————
If this helps, give a like below.
0 Karma
Reply

ldefoor
New Member
‎08-27-2020 11:56 AM

Yes, I do see 4672 from end points.Splunk.jpg

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-27-2020 11:58 AM

Can you try accessing endpoint using local admin account and see how events is generated then you can understand event behavior.

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...