Splunk Search

How to search Windows server logs if there are EventCodes 4634 and 4624 for the same Logon_ID within a 10 second time window?

robertschenk
New Member

Hello,

I'm quite new to Splunk and am trying the following:

In Windows Server Logs, I'm trying to evaluate if there are

EventCode=4634 AND EventCode=4624 Events for both the same Logon_ID within a time window of 10 seconds.

(this may indicate a logon attempt where authentication worked, but authorization did not ...)

How can this be done?

Thanks

RB

0 Karma

Richfez
SplunkTrust
SplunkTrust

This is fraught with perils. But, ...

index=* EventCode=4634 OR EventCode=4624 
| transaction maxspan=15s Logon_GUID startswith=EventCode=4624 endswith=EventCode=4634 
| table Logon_GUID EventCode

In my case, I use Logon_GUID (because of the extra-perilousness of Logon_ID, and Windows' duplicated IDs in each event) and I used 15s (because that's what I typed - feel free to use your own).

I get a ton of hits on this search, it looks like service account activity. A lot better filtering would need to be done up front to make sure only the right sets of each EventCode is grabbed - filtering out certain accounts, only finding Audit Failures for one of them, ... something.

But, there's your search!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...