Security

Search for Windows EventCode not caused by a Logon attempt

mitchmd1
New Member

We have to search for EventCode 4656 for Windows 7 and 2008 Server.

A lot of the 4656 are caused by logons (4624) and is there a way to search for 4656 and only show ones that are not caused by a logon.

Lets say, dont show any 4656 within 30 seconds of a 4624.

Thanks

0 Karma

JSapienza
Contributor

You might be able to filter your result set by looking at the "Process Name:" field. Or post a few of your offending events to get a better look as to what you need to filter out .

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...