Hello all, I need your help in analyzing my collected log data. I have all of our Windows servers connected to Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the Security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Search Head). I want to know about failed login attempts, account lockouts, as well as tampering with local Administrator accounts. If I now start a search query, for example on Event ID 4625, I get thousands of messages whose "host" field contains my domain controllers. In "host" I want to see the system that is really affected. For example, my Splunk query looks like this: index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740) | eval Benutzerkonto = coalesce(Kontoname, Account_Name) | eval Meldung = coalesce(Fehlerursache, Failure_Reason) | eval 'IP-Quelladresse' = coalesce(Source_network_address, Quellnetzwerkadresse) | table _time, ComputerName, Benutzerkonto, Meldung, 'IP-Quelladresse' (I merge German and English log entries). I only want to know when someone tries to log in to the domain controller, locks his account there, or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers. Do you have a solution to the problem or even suggestions for improvement? Thanks in advance. Best regards, Codyy_Fast
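One way to narrow the search so that only events where the domain controller itself is the target survive, added here as an example and not part of the original post or of the Splunk Add-on for Microsoft Windows. It keeps the poster's German/English coalesce pattern and makes two assumptions: the host names "DC01" and "DC02" are placeholders for the real domain controllers, and the fields Logon_Type, Workstation_Name, Caller_Computer_Name and Source_Network_Address are the add-on's extractions of the corresponding lines in the 4625 and 4740 event text. For 4625, restricting Logon_Type to the interactive family (2 console, 7 unlock, 10 RDP, 11 cached) drops the bulk of Logon_Type 3 network authentications that every domain member generates against a DC; for 4740, the lockout is only attributed to the DC when Caller_Computer_Name (the system that sent the bad passwords) is the DC itself. The hyphenated field name is renamed to an underscore form so it needs no quoting in later commands.

```spl
index=wineventlog sourcetype=WinEventLog source="WinEventLog:Security"
    host IN ("DC01", "DC02")
    (
        (EventCode=4625 Logon_Type IN (2, 7, 10, 11))
        OR
        (EventCode=4740 Caller_Computer_Name IN ("DC01", "DC02"))
    )
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP_Quelladresse = coalesce(Source_Network_Address, Quellnetzwerkadresse)
| eval Quellrechner = coalesce(Workstation_Name, Caller_Computer_Name)
| table _time, ComputerName, EventCode, Logon_Type, Benutzerkonto, Meldung, IP_Quelladresse, Quellrechner
```

Because the German-localized event text produces differently named extractions (the poster already handles Kontoname, Fehlerursache and Quellnetzwerkadresse), a German DC would need its equivalents of Workstation_Name and Caller_Computer_Name added to the coalesce calls; those names are not on the page and are left out rather than guessed. Checking the result with `| stats count by ComputerName, Quellrechner` is a quick way to confirm that ComputerName now only ever shows a domain controller.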