Solved: Re: Several user logon event for same host

a_n · ‎07-14-2021

Hi,

I have Splunk on Windows network, and using UF for windows events.

I am searching to detect users logon during specific hours:
index=main source="WinEventLog:Security"EventCode=528 OR EventCode=540 OR EventCode=4624
|where Logon_Type!=3 OR (Logon_Type=3 AND NOT LIKE(host,"DC%"))
| eval Signed_Account=mvindex (Account_Name,1)
|eval hour=strftime(_time,"%H")
| eval ShowTime=strftime(_time,"%D %H:%M")
| search Signed_Account=TThemistokleous (hour>23 OR hour<6)
| table host ShowTime Logon_Type

Issue is, in result, I have for Same HOST, on Same TIME, 2 users signed on. AND Each signed on 4 times!

Can someone please advise, what can be the issue?
Thank you

ITWhisperer · ‎07-14-2021

| dedup host,Signed_Account,EventCode,_time

View solution in original post

a_n · ‎07-14-2021

Dear @ITWhisperer
Thank you for your response.
As for the where clause, I agree.
date_hour does not hold the data, hour field is ok.
we need to now about working in forbidden hours, which is after 11 PM until 6 AM.

The result I have has same hostname, same event code 4624.
This is main search I have with results attached:
index=main source="WinEventLog:Security" EventCode="4624" OR EventCode="539" OR (EventCode="529" AND EventCode="537") OR (EventCode="547" AND EventCode="549")
|where (Logon_Type!=3 OR ( NOT LIKE(host,"DC%"))) AND Logon_Type!=9
| eval Signed_Account=mvindex (Account_Name,1)
|eval hour=strftime(_time,"%H")
|regex Signed_Account!="\$"
| search Signed_Account=* Signed_Account!="SYSTEM" Signed_Account!="ANONYMOUS LOGON" Signed_Account!="Administrator" (hour>23 OR hour<6)
| table host,Signed_Account,EventCode,_time

ITWhisperer · ‎07-14-2021

How does date_hour not hold the information, it is derived from _time automatically, is it not?

Can you give me an example of a time that is after 11pm where the hour is greater than 23?

You should examine the "duplicate" events to see is they really are duplicates e.g. the _raw is identical, which might point to a problem with the ingesting of the events. Do the duplicates come from different indexers (assuming you have them)?

a_n · ‎07-14-2021

Ah, yes. Now I got your point regarding the time.
I will handle it, thank you.

Back to main issue:
- I have one indexer only.
- I compared 2 problematic events. the only differences are:
Logon ID: (0x32E964BA , 0x32E964D4)
Source Port: (54833,54835)

What is the solution? How to ignore these?

Thank you again

ITWhisperer · ‎07-14-2021

| dedup host,Signed_Account,EventCode,_time

a_n · ‎07-15-2021

Thank you,
It works, however I am still worried that I may lose some events.

Thank you very much for your help.

ITWhisperer · ‎07-14-2021

Since the alternative to Logon_type!=3 is Logon_type=3, this part is redundant in the where clause i.e.

|where Logon_Type!=3 OR NOT LIKE(host,"DC%")

You may find date_hour already holds the hour so you might be able to use that rather than creating another field with the same information in.

When is hour ever going to be greater than 23? The hours are 0 - 23 inclusive.

Your table command does not include the EventCode, and your times are at the minute scale - is it possible that the "extra" events are for different EventCodes within the same minute?

Several user logon event for same host

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases