×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ktaylor
Loves-to-Learn Lots
Member since: ‎01-17-2024
‎01-18-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-17-2024
Activity Feed
Topics I've Started
View All

Re: Searching for windows logins

by in Splunk Search
‎01-18-2024 05:01 AM
‎01-18-2024 05:01 AM
I appreciate your time, thanks again!   I figured there wouldn't be an "easy" button, finding this community for ideas is as close as it gets.  I will check out some tutorials and hopefully it's one foot after another from there.     Have a great weekend to all! ... View more

Re: Searching for windows logins

by in Splunk Search
‎01-18-2024 04:55 AM
‎01-18-2024 04:55 AM
That makes a lot of sense, thanks for that.  And thank you for the link! ... View more

Re: Searching for windows logins

by in Splunk Search
‎01-17-2024 10:44 AM
‎01-17-2024 10:44 AM
Thanks for your reply.  Honestly, I wish I knew what I was talking about so that my question could be more clear.  Our company has different 6 digit asset numbers for each site, which there are multiple of.  So in the search, I am trying to figure out how to have Splunk only search our asset for overnight type 2 logins, as we do not need the data from all of the other assets.  Hopefully that painted a better picture.  Thanks again! ... View more

Searching for windows logins

by in Splunk Search
‎01-17-2024 08:26 AM
‎01-17-2024 08:26 AM
Hello to all, really hoping I can make sense while asking this....    I'm an entry level  IT Security Specialist and I have been tasked with re-writing our current query for overnight logins as our existing query does not put out the correct information we need.  Here is the current query: source=WinEventLog:Security EventCode=4624 OR (EventCode=4776 Keywords="Audit Success") | eval Account = mvindex(Account_Name, 1) | eval TimeHour = Strftime(_time, "%H") | eval Source = coalesce(Source_Network_Address, Sorce_Workstation) | eval Source=if(Source="127.0.0.1" or Source="::1" OR Source="-" OR Source="", hos, Source) | where (Time_Hour > 20 AND Time_Hour <24) OR (Time_Hour > 0 AND Time_Hour < 5) | bin _time span=12h aligntime=@d+20h | eval NightOf = strftime(_time "%m/%d/%Y) | lookup dnslookup clienttip as Source OUTPUT clienthost as SourceDevice | search NOT Account="*$" NOT Account=HealthMail*" NOT Account="System" | stats count as LoginEvents values(sourceDevice) as SourceDevices by Account NightOf | sort NightOfAccount SourceDevices | table NightOf Account Source Devices LoginEvents I need to somehow add an exclusion to the query for logon type 3, (meaning for splunk to omit them from its search), as well as add our asset to the query, that way splunk will only target searches from that particular asset.   I know nothing about coding, or scripts, and my boss just thought it would be super fun if the guy with the least experience try to figure it all out since the current query does not give us the data that we need for our audits.  In a nutshell, we need splunk to tell us who was logged in between 8pm-5am, that it was a logon type 2 , and what computer system they were on.  If anyone could help out an absolute noob here I would greatly appreciate it!   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-18-2024 03:36 PM