
Windows Admin User Logins

bkeyser
New Member

I want to create an alert that notifies when Windows admins login and the accounts they are using. I want to ensure they are not using admin accounts for daily drivers. I want the search to produce a count of the logins and to which account they are utilizing. Can someone give me some direction on this please?


PickleRick
SplunkTrust

This is more of a Windows question than Splunk. But if you're using TA_windows you have a nice predefined eventtype to easily find successful logins

index IN (your,windows,events,index(es)) eventtype=windows_logon_sucessful

If you can easily distinguish your admin users because, for example, by convention they have a "-adm" postfix, you can easily add an additional condition to that to match only those values of Account_Name.

I'm not sure if Windows reports a group membership or privilege level of the user logging in, so if your account schema is more complicated you might need to correlate that with an external source of inventory (for example, keep a list of admin accounts to perform a lookup against).


bkeyser
New Member

My goal is to ensure the daily driver is used and admin accounts are only logged into for admin purposes. I have the query to trigger for the successful logon, but I was hoping I could get around having to list out every admin account and user account individually to iterate through. The people I'm interested in have two accounts and I want to know how often they're using each.


PickleRick
SplunkTrust

No. Remember that Splunk is "just" a data processing solution. In order to process the data it must have that data. The logon events only contain so much data. If you don't have any external source of information that you could correlate with it, you simply don't have that data. But if you know you have a closed list of accounts you want to check (for example userA, userB and Administrator), you can explicitly look for only those logins.

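The logic the two answers describe (filter successful logons, tie each account to its owner either by the "-adm" naming convention or by a lookup of known admin accounts, then count how often each person uses each account) is shown below as an added Python example. It is not code from the thread or from Splunk; it works over a constructed list of records shaped like the Account_Name and Logon_Type fields the Windows TA extracts from EventCode 4624. The ADMIN_LOOKUP table, the account names, and the 50% admin-share threshold are assumptions for illustration. It goes slightly beyond the thread by also counting interactive admin logons (logon types 2, 10 and 11: console, RDP and cached-credential), since those are the ones that look like daily-driver use.

```python
from collections import Counter

ADMIN_SUFFIX = "-adm"                      # naming convention from the thread
ADMIN_LOOKUP = {"Administrator": "akumar"} # assumed inventory: non-conventional admin account -> owner
INTERACTIVE_LOGON_TYPES = {2, 10, 11}      # console, RemoteInteractive (RDP), CachedInteractive

# Constructed sample events in the shape of Splunk_TA_windows fields for EventCode 4624.
SAMPLE_EVENTS = [
    {"Account_Name": "jsmith",        "Logon_Type": 2,  "dest": "WS01"},
    {"Account_Name": "jsmith-adm",    "Logon_Type": 10, "dest": "DC01"},
    {"Account_Name": "jsmith-adm",    "Logon_Type": 2,  "dest": "WS01"},
    {"Account_Name": "jsmith-adm",    "Logon_Type": 2,  "dest": "WS01"},
    {"Account_Name": "akumar",        "Logon_Type": 2,  "dest": "WS02"},
    {"Account_Name": "Administrator", "Logon_Type": 3,  "dest": "FS01"},
    {"Account_Name": "WS01$",         "Logon_Type": 3,  "dest": "DC01"},  # machine account, skipped
]


def owner_of(account_name, lookup=ADMIN_LOOKUP):
    """Map an account to (owner, is_admin). Machine accounts (trailing '$') map to (None, False)."""
    if account_name.endswith("$"):
        return None, False
    if account_name.lower().endswith(ADMIN_SUFFIX):
        return account_name[:-len(ADMIN_SUFFIX)], True
    if account_name in lookup:
        return lookup[account_name], True
    return account_name, False


def summarize_logins(events, lookup=ADMIN_LOOKUP):
    """Per owner: logon counts per standard account, per admin account, and interactive admin logons."""
    summary = {}
    for ev in events:
        owner, is_admin = owner_of(ev["Account_Name"], lookup)
        if owner is None:
            continue
        entry = summary.setdefault(
            owner, {"standard": Counter(), "admin": Counter(), "admin_interactive": 0}
        )
        entry["admin" if is_admin else "standard"][ev["Account_Name"]] += 1
        if is_admin and int(ev["Logon_Type"]) in INTERACTIVE_LOGON_TYPES:
            entry["admin_interactive"] += 1
    return summary


def admin_heavy_owners(summary, max_admin_share=0.5):
    """Owners whose admin logons exceed the given share of all their logons (alert candidates)."""
    flagged = {}
    for owner, entry in summary.items():
        admin_total = sum(entry["admin"].values())
        total = admin_total + sum(entry["standard"].values())
        if total and admin_total / total > max_admin_share:
            flagged[owner] = admin_total / total
    return flagged


if __name__ == "__main__":
    summary = summarize_logins(SAMPLE_EVENTS)
    for owner, entry in summary.items():
        print(owner, dict(entry["standard"]), dict(entry["admin"]),
              "interactive admin logons:", entry["admin_interactive"])
    print("admin-heavy:", admin_heavy_owners(summary))
```

In SPL the same shape is a count by Account_Name after the successful-logon eventtype filter, with the owner derived from the "-adm" suffix or supplied by a lookup file listing admin accounts and their owners; the point of the script is that once each account is tied to a person, the "how often do they use each account" question is a single grouping, and no per-user list of account pairs has to be written out.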