Splunk Search

How to generate a search for non Public Key Infrastructure (PKI) logins in Active Directory over a 90 day period?

kennyja
Explorer

I am a complete newbie to Splunk.

I have an environment in which users are set "token mandatory" by default for PKI (Public Key Infrastructure) login in AD (Active Directory). We have noticed lately that there is an overly large number of users that have requested waivers so that they can logon using username / pwd combo.

Is there a way to track instances of "non token" login attempts over a 90 day period? My suspicion is that many of these waivers are not really needed. If I can show a trend of how many users are actually logging on with username / pwd combo vs logging on with PKI tokens, it would help me prove my case.

0 Karma
1 Solution

kennyja
Explorer

I think I may have found an answer to my own question.

index=wineventlog sourcetype="WinEventLog:Security" kerberos Pre-Authentication_Type=2
| eval time=strftime(_time, "%m/%d/%y %I:%M %p")
| rename AccountName AS NonTokenAuth_AccountName
| stats latest(time) as last_NonTokenAuth-Timestamp by NonTokenAuth_AccountName
| table last_NonTokenAuth-Timestamp, NonTokenAuth_AccountName


0 Karma
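The same classification can be checked outside Splunk on already-parsed events, which is useful for validating what the search above reports. This is an added example written for this page, not code from the thread or from Splunk; it assumes events parsed into dicts using the field names the search uses (Pre_Authentication_Type standing in for the extracted "Pre-Authentication Type" of event 4768), maps type 2 to password pre-authentication and the RFC 4120 PKINIT types 14-17 (Windows logs 15 for smart card logon) to PKI, and applies the 90 day window the question asks about.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4768 (Kerberos TGT request) records, not real log data; field
# names follow the search in the thread (Pre_Authentication_Type assumed extracted).
SAMPLE_EVENTS = [
    {"time": "2022-09-01 08:02:11", "AccountName": "alice", "Pre_Authentication_Type": 15},
    {"time": "2022-09-15 09:10:00", "AccountName": "alice", "Pre_Authentication_Type": 15},
    {"time": "2022-06-10 07:00:00", "AccountName": "bob", "Pre_Authentication_Type": 2},
    {"time": "2022-09-20 07:30:00", "AccountName": "bob", "Pre_Authentication_Type": 15},
    {"time": "2022-08-03 12:00:00", "AccountName": "carol", "Pre_Authentication_Type": 2},
    {"time": "2022-09-25 17:45:00", "AccountName": "carol", "Pre_Authentication_Type": 2},
    {"time": "2022-09-26 09:00:00", "AccountName": "carol", "Pre_Authentication_Type": 0},
    {"time": "2022-09-10 10:00:00", "AccountName": "dave", "Pre_Authentication_Type": 15},
    {"time": "2022-09-11 10:05:00", "AccountName": "dave", "Pre_Authentication_Type": 2},
]
PASSWORD_PREAUTH = {2}             # PA-ENC-TIMESTAMP: key derived from the user's password
PKINIT_PREAUTH = {14, 15, 16, 17}  # RFC 4120 PKINIT types; Windows logs 15 for smart card logon

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def classify(preauth_type):
    """Map a Kerberos pre-authentication type to password / pkinit / other."""
    if preauth_type in PASSWORD_PREAUTH:
        return "password"
    return "pkinit" if preauth_type in PKINIT_PREAUTH else "other"

def summarize(events, now, window_days=90):
    """Per-account counts by kind plus latest password logon inside the window (like the SPL stats)."""
    cutoff = parse_ts(now) - timedelta(days=window_days)
    counts = defaultdict(lambda: {"password": 0, "pkinit": 0, "other": 0})
    last_password = {}
    for ev in events:
        ts = parse_ts(ev["time"])
        if ts < cutoff:
            continue  # outside the reporting window, as Splunk's time picker would drop it
        acct, kind = ev["AccountName"], classify(ev["Pre_Authentication_Type"])
        counts[acct][kind] += 1
        if kind == "password" and (acct not in last_password or ts > last_password[acct]):
            last_password[acct] = ts
    return dict(counts), last_password

def password_users(counts):
    """Accounts that used a password at least once, i.e. whose waiver is actually in use."""
    return sorted(a for a, c in counts.items() if c["password"] > 0)

def spl_style(last_password):
    """Render timestamps with the same strftime format the thread's search uses."""
    return {a: t.strftime("%m/%d/%y %I:%M %p") for a, t in last_password.items()}
```

Accounts that appear in `counts` with only PKINIT entries are the ones whose waiver was not used during the window, which is the evidence the question is after.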


richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

Yes, this is exactly what the SecKit app does:

https://splunkbase.splunk.com/app/3059/

0 Karma