Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About aanic
aanic
Path Finder
Member since:
01-10-2017
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 0 |
| Member Since | 01-10-2017 |
Activity Feed
- Karma Re: How to edit my search on Windows security event logs to find which user was last logged in on a PC? for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: How to edit my search on Windows security event logs to find which user was last logged in on a PC? for zshainsky. 06-05-2020 12:48 AM
- Karma Re: How to configure an alert to email me results of failed authentications per user in an active day? for richgalloway. 06-05-2020 12:48 AM
- Karma Re: How to configure an alert to email me results of failed authentications per user in an active day? for hunters_splunk. 06-05-2020 12:48 AM
- Karma Re: How to configure an alert to email me results of failed authentications per user in an active day? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to create a table for failed authentications? for skoelpin. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to create a table for failed authentications? for gcusello. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to create a table for failed authentications? for DalJeanis. 06-05-2020 12:48 AM
- Posted Re: How to edit my search to create a table for failed authentications? on Splunk Search. 01-24-2017 03:13 AM
- Posted Re: How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 07:06 AM
- Posted Re: How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 06:51 AM
- Posted Re: How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 06:43 AM
- Posted Re: How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 06:07 AM
- Posted How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 05:29 AM
- Tagged How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 05:29 AM
- Tagged How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 05:29 AM
- Tagged How to edit my search to create a table for failed authentications? on Splunk Search. 01-23-2017 05:29 AM
- Posted Re: How to configure an alert to email me results of failed authentications per user in an active day? on Alerting. 01-20-2017 06:54 AM
- Posted Re: How to configure an alert to email me results of failed authentications per user in an active day? on Alerting. 01-20-2017 01:48 AM
- Posted Re: How to configure an alert to email me results of failed authentications per user in an active day? on Alerting. 01-19-2017 07:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-24-2017
03:13 AM
This is my search and now it works..
index=windows_ad source="wineventlog:security" earliest=-24h@h latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 NOT "10.243.101.50" NOT "10.243.149.70" NOT "10.243.101.16" | eval "User Account"=coalesce(User_Name,Account_Name) | stats values(src_ip) AS src_ip values(Failure_Code) AS Failure_Code count by "User Account" | where count > 100 | table "User Account" src_ip Failure_Code count | rename src_ip AS "Client IP" | rename Failure_Code AS "Failure code" | rename count AS Count | sort - Count
... View more
01-23-2017
07:06 AM
Now it works 🙂
Thank you very much for the support.
Augustin
... View more
01-23-2017
06:51 AM
Hi Cusello, all field that i want to put in table have some values, some of fields have a multiple values.
Now im tryng with this querry but still nothing...
index=windows_ad source="wineventlog:security" earliest=-24h@h latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | table "User Account" src_ip Client_Port Failure_Code count | sort - count
... View more
01-23-2017
06:43 AM
Yes, they are in selected fields. i correct name of field but still nothing.
... View more
01-23-2017
06:07 AM
Still does not working. It is maybe problem with that i have couple IP address for one account in event logs or maybe i must set eval for that three fields.
... View more
01-23-2017
05:29 AM
Hy,
i have problem with creating table for failed authentication. This is my search..
index=windows_ad source="wineventlog:security" earliest=-24h@h latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | table "User Account" "Client IP" "Client Port" "Failure Code" count | sort - count
Field User Account and count gives me entry in table but fields Client Ip, Client port and Failure code does not.
I tried few times with eval command for those three fields but its all the same.
Can you please help me with that, here is some of fields that can be used for this table.
Thank you.
... View more
01-20-2017
06:54 AM
Now it works. I just clone that qouerry in new one and now it works well.
Thank you all for support!
Augustin
... View more
01-20-2017
01:48 AM
I set all that, but i didn't recive any mail.
Here is configuration of my alert. Can somebody send me photo with correct configuration i would be grateful.
Thx!
Augustin
... View more
01-19-2017
07:08 AM
I read that instructions, set email notificatin, schedule triger but it didnt works. Here is some of my attempts...
... View more
01-19-2017
06:35 AM
I want to recive mail notification whith every new line of resultat (name of account) of that querry . I was trying with few schedule methods but it didnt work fine. Can you please help me about this, i cant find correct configuration of "Alert type and Trigger condition" in Alert section.
... View more
01-19-2017
04:03 AM
Hi,
i'm trying to set an alert that will notify me through mail with the name of accounts which have failed authentications more than some number.
The result of search must be only for active day, not for 24 hour period. I think that the search is all right but i have problem with scheduling mail alert.
Search looks like this...
index=windows_ad source="wineventlog:security" earliest=@d latest=now ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | eval "User Account"=coalesce(User_Name,Account_Name) | stats count by "User Account" | where count > 100 | sort - count
Can you please help me with scheduling mail step by step? I tried with real-time triggering, schedule triggering, throttle but i didn't receive any mail.
Thank you!
... View more
01-10-2017
02:07 AM
Hy,
I'm trying to find which user was last logged in on a PC, but my search doesn't show any results.
Can you pls help?
Thanx!
`windows_idx` sourcetype="wineventlog:security" (Account_Name="*NameofPC*") AND (EventCode=4768 OR EventCode=672)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
