
help with AD user search where user!="*$"

sdewar83
Path Finder

Hi,

I'm doing searches for account login failures using EventCode="4625".

The problem is the search returns a lot of results of user "$" trying to log onto itself or other hosts. I believe these logon event types are something to do with Remote Desktop Services or mapping drives from one host to another etc., but I'm trying to filter them out of my search.

So far my search looks like:

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* | where EventCode="4625"
| where user!="*$" | stats count by user, ComputerName, EventCode
| sort user, -count
| rename EventCode as "Windows Event ID", count as "Number of Events", user as "Active Directory Account"

I'm trying to use where user!"$" (i.e. where user doesn't equal anything ending with a $) to filter it out but it's not working.
I've also tried where user!="xxxx" and where user!="xxxx*$" and that hasn't worked either.

Any ideas? Thanks in advance!


adonio
Ultra Champion

You can filter directly, no need for | where. Like this:

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode="4625" user!="*$"
| stats count as "Number of Events" by user, ComputerName, EventCode
| sort user, -"Number of Events"
| rename EventCode as "Windows Event ID", user as "Active Directory Account"

I highly recommend going through Splunk Fundamentals 1
https://splunk.com/en_us/training/courses/splunk-fundamentals-1.html
and reading the search manual / going through the search tutorial in detail
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/WelcometotheSearchTutorial

good luck

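As an added example (not from the thread), the three searches below show why the original where clause fails and what does work: inside where, != is an eval comparison against the literal string "*$", so the wildcard is never expanded, whereas in the base search (first search, the form the accepted answer uses) field=value wildcards are expanded. The second and third searches keep the exclusion inside where by using like() with its % wildcard and match() with a regex anchored at the end of the value; all three assume the user and EventCode fields exist as in the question, and host=xxxx* is the question's placeholder.

```spl
index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode=4625 user!="*$"
| stats count AS "Number of Events" BY user, ComputerName, EventCode
| sort user, -"Number of Events"
| rename EventCode AS "Windows Event ID", user AS "Active Directory Account"

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode=4625
| where NOT like(user, "%$")
| stats count AS "Number of Events" BY user, ComputerName, EventCode

index=wineventlog sourcetype=WinEventLog:Security host=xxxx* EventCode=4625
| where NOT match(user, "\$$")
| stats count AS "Number of Events" BY user, ComputerName, EventCode
```

Note that user!="*$" in the base search also drops 4625 events that carry no user field at all, while NOT user="*$" would keep them. Filtering in the base search is also the cheaper option, since excluded events never reach stats.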

sdewar83
Path Finder

That did the trick! Thanks so much.

Yeah, fair call, I'd better go back and have another look.
