All Apps and Add-ons

Clarification on eventtypes when using the Splunk App for Windows Infrastructure

bayman
Path Finder

I have the Splunk Windows Infrastructure app installed and when I run this search below:

eventtype=msad-failed-user-logons host="*"

I get this returned below, but I'm not understanding how the search result is associated to eventtype=msad-failed-user-logons. The below shows EventType=0. What does msad-failed-user-logons mean and how come it doesn't show that in the search result?

09/19/2017 03:42:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=xxxxx.domain.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=9555000
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  someuser1
Source Workstation: WORKSTATION
Error Code: 0xC0000071
Collapse
host=somehost   source=WinEventLog:Security    sourcetype=WinEventLog:Security
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).

To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

The eventtype here is not the field EventType in your data but Splunk's eventtype which in simple word is an alias to a base search or search term. Often for ease of reading and maintenance, we save commonly used search terms as eventtype instead of full search terms. ( see more about eventtype here).

To see what's the actual search being run when you run eventtype=msad-failed-user-logons, you can
1. In the Job dropdown below the search bar, click on Inspect job. On that Job inspector page, look for value in attribute "normalizedSearch". That would give you expanded eventtype.
2. Go to Settings->Event types and look for msad-failed-user-logons. You may have to change the app context or select All apps. The search string column will give you the underline search.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...