Splunk Search

Windows Admin User Logins

bkeyser
New Member

I want to create an alert that notifies when Windows admins log in and which accounts they are using. I want to ensure they are not using admin accounts as daily drivers. I want the search to produce a count of the logins and which account they are utilizing. Can someone give me some direction on this, please?


PickleRick
SplunkTrust

This is more of a Windows question than a Splunk one. But if you're using TA_windows you have a nice predefined eventtype to easily find successful logins:

index IN (your,windows,events,index(es)) eventtype=windows_logon_success

If you can easily distinguish your admin users (for example, because by convention they have a "-adm" suffix), you can easily add an additional condition to match only those values of Account_Name.

I'm not sure if Windows reports the group membership or privilege level of the user logging in, so if your account schema is more complicated you might need to correlate that with an external source of inventory (for example, keep a list of admin accounts to perform a lookup against).


bkeyser
New Member

My goal is to ensure the daily driver is used and admin accounts are only logged into for admin purposes. I have the query to trigger on the successful logon, but I was hoping I could get around having to list out every admin account and user account individually to iterate through. The people I'm interested in have two accounts and I want to know how often they're using each.


PickleRick
SplunkTrust

No. Remember that Splunk is "just" a data processing solution. In order to process the data it must have that data. The logon events only contain so much data. If you don't have any external source of information that you could correlate with it, you simply don't have that data. But if you know you have a closed list of accounts you want to check (for example userA, userB and Administrator), you can explicitly look for only those logins.

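As an added example (not code from this thread, from Splunk, or from the Windows add-on), here is the correlation logic from both of PickleRick's replies modelled in Python over a constructed sample of 4624/4625 events: an account counts as admin either because it follows the "-adm" naming convention or because it appears in an external list of admin accounts (here a hard-coded dict standing in for a Splunk lookup table), each account is mapped back to the person who owns it, and successful logons are counted per person as daily-driver versus admin. Field names follow the Splunk Add-on for Windows (Account_Name, Logon_Type, Workstation_Name); the account names, hosts and lookup contents are invented for the example.

```python
"""Correlate Windows 4624 logon events with an admin-account list and count,
per person, how often the daily-driver vs. the admin account is used.

Added example modelling the logic discussed in the thread; not Splunk's or
the TA's code. Log lines, the "-adm" convention and the lookup are constructed.
"""

import re
from collections import Counter, defaultdict

# Constructed sample of Windows Security events, trimmed to the fields the
# Splunk Add-on for Windows extracts. 4624 = success, 4625 = failure.
SAMPLE_EVENTS = """\
EventCode=4624 Logon_Type=2 Account_Name=jdoe Workstation_Name=WS01
EventCode=4624 Logon_Type=2 Account_Name=jdoe-adm Workstation_Name=WS01
EventCode=4624 Logon_Type=10 Account_Name=jdoe-adm Workstation_Name=SRV01
EventCode=4624 Logon_Type=2 Account_Name=asmith Workstation_Name=WS02
EventCode=4624 Logon_Type=2 Account_Name=asmith Workstation_Name=WS02
EventCode=4624 Logon_Type=3 Account_Name=WS02$ Workstation_Name=WS02
EventCode=4624 Logon_Type=2 Account_Name=Administrator Workstation_Name=DC01
EventCode=4625 Logon_Type=2 Account_Name=jdoe-adm Workstation_Name=WS01
"""

# Constructed stand-in for the external lookup PickleRick mentions:
# admin account -> that person's daily-driver account. "Administrator" is a
# shared built-in account with no daily-driver owner (None).
ADMIN_LOOKUP = {
    "jdoe-adm": "jdoe",
    "Administrator": None,
}
ADMIN_SUFFIX = "-adm"  # assumed naming convention, as in the thread

EVENT_RE = re.compile(
    r"EventCode=(?P<code>\d+) Logon_Type=(?P<ltype>\d+) "
    r"Account_Name=(?P<acct>\S+) Workstation_Name=(?P<host>\S+)"
)


def parse_events(text):
    """Yield one dict per parseable event line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            yield m.groupdict()


def is_admin_account(acct):
    """Admin if listed in the lookup, or if it follows the naming convention."""
    return acct in ADMIN_LOOKUP or acct.endswith(ADMIN_SUFFIX)


def owner_of(acct):
    """Map any account back to the person (daily-driver name) it belongs to.
    Accounts without an owner in the lookup stand for themselves; accounts
    not in the lookup but matching the convention have the suffix stripped."""
    if acct in ADMIN_LOOKUP:
        return ADMIN_LOOKUP[acct] or acct
    if acct.endswith(ADMIN_SUFFIX):
        return acct[: -len(ADMIN_SUFFIX)]
    return acct


def count_logons(text):
    """Return {person: {"daily": n, "admin": n}} over successful, non-machine logons."""
    counts = defaultdict(lambda: {"daily": 0, "admin": 0})
    for ev in parse_events(text):
        if ev["code"] != "4624":       # successful logons only (drops the 4625)
            continue
        if ev["acct"].endswith("$"):   # skip computer accounts such as WS02$
            continue
        kind = "admin" if is_admin_account(ev["acct"]) else "daily"
        counts[owner_of(ev["acct"])][kind] += 1
    return dict(counts)


def interactive_admin_logons(text):
    """Console logons (Logon_Type 2) with an admin account: the daily-driver
    misuse the original poster wants to alert on. RDP (type 10) is not counted."""
    return Counter(
        (ev["acct"], ev["host"])
        for ev in parse_events(text)
        if ev["code"] == "4624" and ev["ltype"] == "2" and is_admin_account(ev["acct"])
    )


if __name__ == "__main__":
    for person, c in sorted(count_logons(SAMPLE_EVENTS).items()):
        print(f"{person:15} daily={c['daily']} admin={c['admin']}")
    for (acct, host), n in interactive_admin_logons(SAMPLE_EVENTS).items():
        print(f"ALERT {acct} interactive logon on {host} x{n}")
```

The same shape in SPL is the eventtype search above, a `lookup` against an admin-accounts table that returns the owner, and then `stats count by owner, Account_Name`; the point of the lookup is exactly the one made in the replies: the 4624 event alone does not say whether an account is privileged, so that mapping has to come from somewhere outside the event.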