
How to search and identify multiple logons to a Windows workstation?

taylormimission
New Member

Hi all,

We are looking for a way to identify when users share their passwords. For example, userA has elevated privileges within an application that uses Windows authentication. UserA gives her password to userB, who uses it to log on to Windows, accesses the application and performs a task that she wouldn't normally have access to.

We're thinking of searching for multiple logons to a Windows workstation on any given day. Any thoughts on how to do this, or otherwise get the required info?

0 Karma

mtranchita
Communicator

This isn't going to answer the precise question you asked but I think you can get what you are looking for.
Based on information in the NSA's Spotting the Adversary with Windows Event Log Monitoring document I came up with the search below to show all logon activity. If you have a lookup or some other way to associate the logon id with the computer name you could pipe it to where and identify when someone is using a logon on a computer that they "shouldn't".
Note that you'll need to modify it for your environment and I have the time range as part of the query. I'm sure the search could be improved too.
Hope this helps.

index=your.windows.event.log.index earliest=-d@d latest=@d (EventCode=4624 OR EventCode=4648 OR EventCode=4625) (Logon_Type=3 OR Logon_Type=2 OR Logon_Type=7 OR Logon_Type=11) Account_Name!="ANONYMOUS LOGON"
| eval LogonAction=case(Logon_Type=2, "Interactive Logon", Logon_Type=3, "Network Logon", Logon_Type=7, "Unlock", Logon_Type=11, "CachedInteractive")
| search Account_Name!=-
| rex field=Account_Name "(?i)(?P<UserName>.*[^\$]$)"
| table UserName Security_ID LogonAction Keywords ComputerName _time Logon_Process Process_Name Caller_Process_Name
| mvexpand Security_ID
| search Security_ID!="NT AUTHORITY\\SYSTEM"
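The same filtering and the two follow-up checks (more than one distinct user on a workstation per day, and a user logging on to a workstation a lookup does not associate with them), as an added Python example over constructed sample events; this is not part of the answer above, and the event fields, sample data and EXPECTED_USER lookup are assumptions.

```python
import re
from collections import defaultdict

# Logon_Type -> LogonAction, as in the SPL eval/case above.
LOGON_ACTION = {2: "Interactive Logon", 3: "Network Logon", 7: "Unlock", 11: "CachedInteractive"}
# Same intent as the rex: keep the account name only if it does not end in "$" (machine accounts).
ACCOUNT_RE = re.compile(r"(?i)^(?P<UserName>.*[^$])$")

def ev(code, ltype, account, computer, time, sid="S-1-5-21-1-1-1-1001"):
    # Build one constructed event; field names mirror Splunk's Windows security event fields.
    return {"EventCode": code, "Logon_Type": ltype, "Account_Name": account,
            "ComputerName": computer, "_time": time, "Security_ID": sid}

# Constructed sample day of logons (not real data): userA's password was used on userB's workstation WS02.
SAMPLE_EVENTS = [
    ev(4624, 2, "userA", "WS01", "2023-01-10T08:02:00"),
    ev(4624, 7, "userA", "WS01", "2023-01-10T12:30:00"),
    ev(4624, 2, "userB", "WS02", "2023-01-10T08:05:00"),
    ev(4624, 2, "userA", "WS02", "2023-01-10T14:10:00"),
    ev(4624, 5, "svc_backup", "WS02", "2023-01-10T02:00:00"),   # service logon type, out of scope
    ev(4624, 3, "WS02$", "DC01", "2023-01-10T08:00:00"),        # machine account, dropped by the regex
    ev(4624, 2, "ANONYMOUS LOGON", "WS01", "2023-01-10T09:00:00"),
    ev(4624, 2, "-", "WS01", "2023-01-10T09:01:00"),
    ev(4624, 2, "SYSTEM", "WS01", "2023-01-10T09:02:00", sid="NT AUTHORITY\\SYSTEM"),
]
# Constructed lookup of which user normally works at which workstation (the lookup mentioned above).
EXPECTED_USER = {"WS01": "userA", "WS02": "userB"}

def normalize(events):
    """Apply the SPL search's filters; return rows with UserName, ComputerName, LogonAction and day."""
    rows = []
    for e in events:
        if e["EventCode"] not in (4624, 4648, 4625) or e["Logon_Type"] not in LOGON_ACTION:
            continue
        if e["Account_Name"] in ("ANONYMOUS LOGON", "-") or e["Security_ID"] == "NT AUTHORITY\\SYSTEM":
            continue
        m = ACCOUNT_RE.match(e["Account_Name"])
        if not m:
            continue
        rows.append({"UserName": m.group("UserName"), "ComputerName": e["ComputerName"],
                     "LogonAction": LOGON_ACTION[e["Logon_Type"]], "day": e["_time"][:10]})
    return rows

def shared_workstations(rows):
    """Workstations with more than one distinct user on the same day (the original poster's idea)."""
    users = defaultdict(set)
    for r in rows:
        users[(r["ComputerName"], r["day"])].add(r["UserName"])
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

def unexpected_logons(rows, expected):
    """Logons by a user other than the workstation's expected user; unknown workstations are skipped."""
    return [r for r in rows if r["ComputerName"] in expected and expected[r["ComputerName"]] != r["UserName"]]
```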