Solved: How to track domain logons from DC security logs?

johann2017 · ‎02-23-2017

I want to be able to track domain logons from our DC security logs. I am monitoring Event 4624, but the DC security logs only seem to provide domain member authentication for Type 3 logons. What are others using for this?

DalJeanis · ‎02-23-2017

Depends on how homogeneous your network and your user base are. Check for these and see what you find.

(EventID=528 OR EventID=540 OR EventID=552 OR EventID=4624 OR EventID=4648)

Whether the individual workstations are going to forward their logs of type 7 events, whether you have technical users that will be using runas and generating type 9s, logging on through VPN and generating type 10s, not to mention whether there is any KVM/IP going on and generating pseudo-Type 2s, and so on, is highly organization-specific.

View solution in original post

DalJeanis · ‎02-23-2017

Depends on how homogeneous your network and your user base are. Check for these and see what you find.

(EventID=528 OR EventID=540 OR EventID=552 OR EventID=4624 OR EventID=4648)

Whether the individual workstations are going to forward their logs of type 7 events, whether you have technical users that will be using runas and generating type 9s, logging on through VPN and generating type 10s, not to mention whether there is any KVM/IP going on and generating pseudo-Type 2s, and so on, is highly organization-specific.

johann2017 · ‎02-28-2017

Thanks I will experiment with your suggestion!

DalJeanis · ‎02-28-2017

Oh, and that's for windows; unix logons have a whole different set of criteria. As a place to start, look for stuff like this -

((pam_vas:* AND "<succeeded") OR "Accepted" OR "Auth_methods_completed")

How to track domain logons from DC security logs?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms