Hello,
I'm quite new to Splunk and am trying the following:
In Windows Server Logs, I'm trying to evaluate if there are
EventCode=4634 AND EventCode=4624 events for the same Logon_ID within a time window of 10 seconds.
(this may indicate a logon attempt where authentication worked, but authorization did not ...)
How can this be done?
Thanks
RB
This is fraught with perils. But, ...
index=* (EventCode=4634 OR EventCode=4624)
| transaction maxspan=15s Logon_GUID startswith="EventCode=4624" endswith="EventCode=4634"
| table Logon_GUID EventCode
In my case, I use Logon_GUID (because of the extra-perilousness of Logon_ID, and Windows' duplicated IDs in each event) and I used 15s (because that's what I typed - feel free to use your own).
I get a ton of hits on this search; it looks like service account activity. A lot better filtering would need to be done up front to make sure only the right sets of each EventCode are grabbed - filtering out certain accounts, only finding Audit Failures for one of them, ... something.
But, there's your search!
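To make the pairing logic of that search concrete, here is an added Python illustration (not the answerer's search, and not Splunk code) that reproduces what `transaction maxspan=15s Logon_GUID startswith=... endswith=...` does: it opens a transaction on a 4624, closes it on the next 4634 with the same Logon_GUID, and keeps only pairs that fall inside the window. The `timestamp key=value` line format, the GUIDs and the account names are all constructed for the example; real Windows events would come from a proper parser. Other event codes (a 4672 is included) are ignored the same way the OR filter drops them, a 4634 with no open 4624 is dropped, and a pair that exceeds the window is dropped, which is the behaviour that turns a normal session into a "short session" finding.

```python
"""Pair Windows 4624 (logon) with 4634 (logoff) events sharing a Logon_GUID
within a short window, mirroring the transaction command's
startswith/endswith/maxspan semantics in plain Python."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class WinEvent:
    time: datetime
    event_code: int
    logon_guid: str
    account: str


@dataclass(frozen=True)
class ShortSession:
    logon_guid: str
    account: str
    start: datetime
    end: datetime

    @property
    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


# Constructed sample lines in a simplified "timestamp key=value ..." form.
# Not real log data: GUIDs and account names are made up for the example.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z EventCode=4624 Logon_GUID={AAAA-0001} Account_Name=svc_backup",
    "2024-05-01T10:00:03Z EventCode=4634 Logon_GUID={AAAA-0001} Account_Name=svc_backup",
    "2024-05-01T10:01:00Z EventCode=4624 Logon_GUID={BBBB-0002} Account_Name=alice",
    "2024-05-01T10:01:05Z EventCode=4672 Logon_GUID={BBBB-0002} Account_Name=alice",
    "2024-05-01T10:05:00Z EventCode=4634 Logon_GUID={BBBB-0002} Account_Name=alice",
    "2024-05-01T10:02:00Z EventCode=4634 Logon_GUID={CCCC-0003} Account_Name=bob",
    "2024-05-01T10:03:00Z EventCode=4624 Logon_GUID={DDDD-0004} Account_Name=svc_monitor",
    "2024-05-01T10:03:14Z EventCode=4634 Logon_GUID={DDDD-0004} Account_Name=svc_monitor",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> WinEvent:
    """Parse one constructed 'timestamp key=value ...' line into a WinEvent."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    return WinEvent(
        time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        event_code=int(fields["EventCode"]),
        logon_guid=fields["Logon_GUID"],
        account=fields.get("Account_Name", ""),
    )


def correlate(events: Iterable[WinEvent], maxspan_seconds: int = 15,
              start_code: int = 4624, end_code: int = 4634) -> List[ShortSession]:
    """Pair each start_code event with the next end_code event carrying the
    same Logon_GUID, provided it arrives within maxspan_seconds.

    Events with other codes are ignored (as the OR filter in the search does).
    An end event with no open start, or one arriving after the window, is
    dropped rather than reported.  Logon_GUID is keyed on instead of Logon_ID
    for the reason given in the answer: the ID is reused across events.
    """
    window = timedelta(seconds=maxspan_seconds)
    open_logons: Dict[str, WinEvent] = {}
    sessions: List[ShortSession] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_code == start_code:
            # A newer 4624 for the same GUID supersedes the older open one.
            open_logons[ev.logon_guid] = ev
        elif ev.event_code == end_code:
            start = open_logons.pop(ev.logon_guid, None)
            if start is not None and ev.time - start.time <= window:
                sessions.append(
                    ShortSession(ev.logon_guid, start.account, start.time, ev.time))
    return sessions


def short_sessions_from_lines(lines: Iterable[str],
                              maxspan_seconds: int = 15) -> List[ShortSession]:
    """Parse raw lines and return the logon/logoff pairs inside the window."""
    return correlate([parse_line(line) for line in lines], maxspan_seconds)


if __name__ == "__main__":
    for s in short_sessions_from_lines(SAMPLE_LINES):
        print(f"{s.logon_guid} {s.account} logged off after {s.seconds:.0f}s")
```

Running it on the sample reports only the two service-account pairs (3s and 14s); alice's 240s session and bob's orphan 4634 fall outside what the window pairs. Widening `maxspan_seconds` to 300 pulls alice's session in, which is exactly why the answer warns that the window and the account filtering need tuning before the hits mean anything.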