Splunk Search

How to edit my dashboard search to monitor logged in admins from Active Directory (Windows)?

nikkkc
Path Finder

I have to build a Dashboard to see all Logged in Admins. So i search for Eventcode 4624 and 4634 and Logon Type 2 and 10. But to get these Events only for a specific User group, I have to do a second search like "Give me all members of group....." right? And after that, I have to correlate these searches. If I've done something wrong, please tell me how it really works.

Anyway, I did the search with powershell and I tried several solutions to store all admin names. I tried to store it into a CSV file into an separate index, and I tried to correlate the searches with a subsearch to the second index, with inputlookup to the CSV and with automatic lookup, but in any way the performance is really bad. It is not usable!

What is the best way to do this? Thanks

sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10) | rename Account_Name as SamAccountName | eval Date=strftime(_time, "%Y/%m/%d")| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")| transaction host user startswith=EventCode=4624 | dedup user _time |  search [| inputlookup AD_Admins.csv | fields SamAccountName] | sort - _time | convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Datum Zeit" | table host, user, LogonType, Date, "Datum Zeit"

Or another one:

sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634) (Logon_Type=2 OR Logon_Type=10) | rename Account_Name as SamAccountName | search [| inputlookup AD_Admins.csv | fields SamAccountName] | eval Date=strftime(_time, "%Y/%m/%d")| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")| transaction host user startswith=EventCode=4624 | dedup user _time | convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Datum Zeit"
| table host, user, LogonType, Date, "Datum Zeit" 
0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Take a look at the following answer I provided on a similar topic:

https://answers.splunk.com/answers/337759/how-to-search-for-any-account-lockout-events-then.html

Hope that helps.

Thanks,
J

0 Karma

nikkkc
Path Finder

ok, thanks that much is clear, but what about the performance? is it similiar to do a lookup, a inputlookup or a subsearch to a different index?

i realised that i have approximately 300.000 4624 generally Events (LogonType 3), just 10 Events what i am interested in (LogonType 2, 10) and 45 Users in my csv file to corellate.
And at this time my search is very slow!!

Thanks

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi, just to give you an idea, we were translating 100M user SIDs to user names every day using a CSV lookup that we were generating several times a day. The lookup had around 5K entries and we were then performing searches against the user names in order to answer questions such as:

  • Who is reading file X on machine Y that it's classified as sensitive?
  • Did any user outside group ABC access file Z on machine W?
  • etc

You don't need an inputlookup, just a lookup after your search. Don't use subsearches if possible. They are not great from a performance point of view and there are limits associated to them. I would go for something like:

yoursearch | lookup GroupsFromUser MyUser as User OUTPUT MyGroup as Group

Hope that helps.

0 Karma

nikkkc
Path Finder

Thanks for that! I would like to know which hardware do you have in use. Anyway my search is still very slow!
Mayby i made some mistake, can someone look at my search and give me an answer if it is correct.

csv file AD_Admins with one column:
SamAccountName
adm1
adm2
adm3
...
...

the following search takes at least 10minutes:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10) | lookup AD_Admins SamAccountName OUTPUT SamAccountName as user | eval Date=strftime(_time, "%Y/%m/%d")| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")| transaction host user startswith=EventCode=4624 | dedup user _time | sort - _time | convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Date Time" | table host, user, LogonType, Date, "Date Time"

the same search but without the lookup takes at maximum 40 seconds:
sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10) (Account_Name=adm1 OR Account_Name=adm2 OR Account_Name=adm3 OR Account_Name=adm4 OR Account_Name=adm5 OR Account_Name=adm6 ) | sort - _time | eval Date=strftime(_time, "%Y/%m/%d")| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")| transaction host user startswith=EventCode=4624 | dedup user _time | convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Date Time"
| table host, user, LogonType, Date, "Date Time"

Thank you so much, i havnt any more ideas

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Try the following instead:

index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10) SamAccountName=*
| fields _time, Logon_Type, host, EventCode, SamAccountName
| eval Date=strftime(_time, "%Y/%m/%d")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| transaction host user startswith=EventCode=4624 
| dedup user _time
| convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Date Time"
| lookup AD_Admins SamAccountName OUTPUT SamAccountName as user 
| table host, user, LogonType, Date, "Date Time"

By the way, I don't understand your transaction here. If you just want to find out orphan and/or evicted events to make sure you are displaying only those hosts where the admin is still logged on then you probably want to specify the endswith=EventCode=4634 and the keeporphan and keepevicted flags and then filter to only display orphan events. See the transaction command page.

0 Karma

nikkkc
Path Finder

Hey,
on that matter that there is no SamAccountName in the Event 4624 i chanched the header in my AD_Admins.csv from SamAccountName to user. And you are right about the transaction, it was a relict from a recent search where a tried to find de correlate logoff Event.
Finally you brought me to the final version, thank you so much for that!

this is my final version:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=2 OR Logon_Type=10 )
| fields _time, Logon_Type, host, EventCode, user
| eval Date=strftime(_time, "%Y/%m/%d")
| eval LogonType=case(Logon_Type="2", "Local Console Access", Logon_Type="10", "Remote Desktop via Terminal Services")
| dedup user host _time
| convert timeformat="%d/%m/%y %H:%M:%S" ctime(_time) AS "Date Time"
| lookup AD_Admins user OUTPUT user | where user not null
| table host, user, LogonType, Date, "Date Time"

What do you think about the where clause? Because without that, the lookup is useless. (the lookup just overwrite the user field but the Event is still in the result table, if a Event occures from a user which is not in the AD_Admins.csv)

Thank you so much

0 Karma

javiergn
SplunkTrust
SplunkTrust

Try OUTPUTNEW instead of OUTPUT with your lookup.
The difference between both is if the user field already exists in your event, OUTPUT will overwrite it and OUTPUTNEW won't.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!