Splunk Search

Windows Admin User Logins

bkeyser
New Member

I want to create an alert that notifies when Windows admins log in and the accounts they are using. I want to ensure they are not using admin accounts for daily drivers. I want the search to produce a count of the logins and which account they are utilizing. Can someone give me some direction on this please?


PickleRick
SplunkTrust

This is more of a Windows question than a Splunk one. But if you're using TA_windows you have a nice predefined eventtype to easily find successful logins:

index IN (your,windows,events,index(es)) eventtype=windows_logon_success

If you can easily distinguish your admin users because, for example, by convention they have a "-adm" postfix, you can add an additional condition to that search to match only those values of Account_Name.

I'm not sure if Windows reports a group membership or privilege level of the user logging in, so if your account schema is more complicated you might need to correlate that with an external source of inventory (for example, keep a list of admin accounts to perform a lookup against).


bkeyser
New Member

My goal is to ensure the daily driver is used and admin accounts are only logged into for admin purposes. I have the query to trigger for the successful logon, but I was hoping I could get around having to list out every admin account and user account individually to iterate through. The people I'm interested in have two accounts and I want to know how often they're using each.


PickleRick
SplunkTrust

No. Remember that Splunk is "just" a data processing solution. In order to process the data it must have that data. The logon events only contain so much data. If you don't have any external source of information that you could correlate with it, you simply don't have that data. But if you know you have a closed list of accounts you want to check (for example userA, userB and Administrator), you can explicitly look for only those logins.

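As an added example (not from either poster), here is one search that puts the two suggestions above together: take the TA's successful-logon eventtype, derive the "person" behind each account from a naming convention, and report how often each person uses each of their accounts. It assumes the Windows Security events live in an index called wineventlog, that admin accounts follow the "-adm" postfix convention, and that Splunk_TA_windows populates the CIM field user with the account that logged on (if your extractions only give you Account_Name, substitute the target account from that field). The logon-type filter (2 = interactive, 10 = RDP, 11 = cached interactive) is a design choice to ignore network and service logons that would otherwise inflate the counts.

```spl
index=wineventlog eventtype=windows_logon_success EventCode=4624
    Logon_Type IN (2, 10, 11)
    NOT user IN ("-", "ANONYMOUS LOGON", "SYSTEM") user!="*$"
| eval account=lower(user)
| eval account_kind=if(match(account, "-adm$"), "admin", "standard")
| eval person=replace(account, "-adm$", "")
| stats count AS logins, dc(host) AS hosts, max(_time) AS last_seen BY person, account, account_kind
| eventstats sum(logins) AS total_logins, max(eval(if(account_kind="admin", 1, 0))) AS has_admin BY person
| where has_admin=1
| eval pct_of_persons_logins=round(100 * logins / total_logins, 1)
| fields - has_admin
| convert ctime(last_seen)
| sort person, account_kind
```

Each person who touched an admin account in the search window gets two rows at most (their standard account and their -adm account), with the share of their interactive logons that went through each. Someone whose admin row is at or near 100% is using the admin account as a daily driver. To turn it into an alert, append something like `| where account_kind="admin" AND pct_of_persons_logins > 50` and schedule it. If your accounts do not follow a naming convention, replace the two eval lines with a lookup against a CSV that maps each account to its person and account_kind, as the first reply suggests, or, for a small closed set, replace the convention with an explicit list such as `user IN ("userA", "userA-adm", "userB", "userB-adm")` as the second reply suggests.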