Hello!
First, I'll admit that I'm relatively new to Splunk, so thank you in advance! I've been tasked to build a search that will detect remote users logging on to local admin accounts. So far I've managed to pull the local admins via WMI using the following search string:
sourcetype="WMI:LocalAdmins" Name="Administrators" | rex field=_raw "PartComp.*?,Name=\"(?<UserName>[^\"]+)\"" | dedup host,Name,UserName | transaction host,Name | table host,UserName
I also know that I can detect external logins using this string (this is specific enough for my purposes):
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
Now... I need to find a way to utilize the local admins in the first search, and narrow the second search to only the local admin accounts identified. I'm still progressing in my research into this, but if you fine folks could point me in the right direction I would definitely be thankful.
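One way to wire the two searches together, as an added example that is not part of the original post: feed the WMI local-admin list into the 4624 search as a subsearch. Splunk turns the subsearch's result rows into an OR of (host=... AND Account_Name=...) terms, so only network logons to one of the enumerated local admin accounts on that same host are returned. This assumes the Security events carry an Account_Name field as extracted by the Splunk Add-on for Windows; check your own field names with `| fields` before relying on it.

```spl
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
    [ search sourcetype="WMI:LocalAdmins" Name="Administrators"
      | rex field=_raw "PartComp.*?,Name=\"(?<UserName>[^\"]+)\""
      | dedup host, UserName
      | rename UserName AS Account_Name
      | fields host, Account_Name ]
| table _time, host, Account_Name, Logon_Type
```

Two caveats a practitioner will hit with this approach: on 4624 events Account_Name is multivalued (the subject account and the account that logged on), so the match will also fire if the admin name appears in the subject position, and subsearches are capped by default at 10,000 results and 60 seconds, so a large fleet is better served by writing the WMI output to a lookup on a schedule and using `lookup` or `inputlookup` in the 4624 search instead of the inline subsearch.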