Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About dhrechkosy
dhrechkosy
Explorer
Member since:
02-09-2017
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 02-09-2017 |
Activity Feed
- Karma Re: How to search for logon/logoff activity of domain admins for starcher. 06-05-2020 12:48 AM
- Got Karma for Re: When trying to create a self-sign certificate, why am I receiving "unknown option -config" and "can't open config file" errors?. 06-05-2020 12:48 AM
- Got Karma for How to search for logon/logoff activity of domain admins. 06-05-2020 12:48 AM
- Posted Re: When trying to create a self-sign certificate, why am I receiving "unknown option -config" and "can't open config file" errors? on Getting Data In. 04-18-2017 07:20 AM
- Posted Re: For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 11:24 AM
- Posted Re: For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 10:04 AM
- Posted For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 09:35 AM
- Tagged For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 09:35 AM
- Tagged For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 09:35 AM
- Tagged For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 09:35 AM
- Tagged For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 09:35 AM
- Tagged For Active Directory events, how to remove "Subject Account_Name" when setting up a dashboard? on Dashboards & Visualizations. 02-17-2017 09:35 AM
- Posted Re: How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-13-2017 08:52 AM
- Posted Re: How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-13-2017 07:38 AM
- Posted Re: How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-13-2017 07:08 AM
- Posted Re: How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-13-2017 06:55 AM
- Posted How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-10-2017 08:26 AM
- Tagged How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-10-2017 08:26 AM
- Tagged How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-10-2017 08:26 AM
- Tagged How to search for logon/logoff activity of domain admins on Splunk Enterprise. 02-10-2017 08:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 |
04-18-2017
07:20 AM
1 Karma
Hi,
I'm having this exact issue (Same build and server os). Did you ever find a solution for this?
Thanks,
Devyn
... View more
02-17-2017
11:24 AM
The target account name and subject account name are part of the same event (if you look at the example above).
It logs which user performed the action and which user the action was being performed on.
I was hoping there was a way to filter out the "Subject Account Name" and have the chart sorted by "Target Account Name" only.
... View more
02-17-2017
10:04 AM
source="wineventlog:security" EventCode=4722 OR EventCode=4725 | stats count by Account_Name
... View more
02-17-2017
09:35 AM
I am setting up dashboards for certain Active Directory security events for Splunk Light. When I search, for example, all accounts enabled and disabled it shows x2 values for "Account_Name". One is Subject and the other is Target (obviously), is there a way to filter out the "Subject" when I try to sort this search into a visualized chart? I want the outcome graph/chart to display only the Target accounts that were enabled/disabled and not display the user account who did it.
E.g.,
"Date" "Time"
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4722
EventType=0
Type=Information
ComputerName=
TaskCategory=User Account Management
OpCode=Info
RecordNumber=118575896
Keywords=Audit Success
Message=A user account was enabled.
Subject:
Security ID: "SID"
Account Name: "account-name"
Account Domain: "domain"
Logon ID: "logon-id"
Target Account:
Security ID: "SID"
Account Name: "account-name"
Account Domain: "domain"
Thanks,
Devyn
... View more
02-13-2017
08:52 AM
Hi Nick,
Thanks looks like I have that all figured out now. As for the tags what field value pairs do you recommend?
authentication:
login:
... View more
02-13-2017
07:38 AM
Just a few more questions/clarifications needed:
For the two tags you mentioned "authentication" and "login" what field should those correspond to?
I set authentication to EventCode=4634 and EventCode=4672, not sure if thats right and not certain what login should be set as.
For the admin_users.csv file what is the format it should be in? Currently I just had an empty csv file with:
Username
Username
Username
Should there be any special formatting inside the .csv file to list the domain admin names properly?
... View more
02-13-2017
07:08 AM
Thank you!
... View more
02-13-2017
06:55 AM
Perfect I will try this suggestion. Do you know where the admin_users.csv file will need to be placed in order for splunk to recognize it when I run this sub search?
... View more
02-10-2017
08:26 AM
1 Karma
Trying to figure out how to search for all logon/logoff attempts by any users in the "Domain Admins" group in active directory. I am currently using Splunk Light 6.5.2 and forwarding the security log events from one single domain controller to Splunk.
What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for all logon and logoff activity and then filter it to the specific users I'm looking for?
There are 3 staff in the domain admins group as well as the built in domain-administrator account. Management wants me to find a way to track logs for every logon/logoff for these four accounts.
Any suggestions will be helpful as I'm still quite new to this software.
... View more
02-09-2017
12:48 PM
Having difficulties removing old, stale, servers that used to have splunk universal forwarder running. After you remove the forwarder service and delete the host from the index the forwarders still appear in the forwader monitoring section.
How can you remove the "missing" forwarders that are no longer active?
This is splunk light version so I don't have access to DMC (distributed management console) which all other articles i've seen about this issue pertain to.
... View more
Labels
- Labels:
-
other
